Skip to content

Instantly share code, notes, and snippets.

@thesubtlety
thesubtlety / _notes.md
Created Apr 25, 2022 — forked from djhohnstein/_notes.md
AppDomainManager Injection
View _notes.md

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@thesubtlety
thesubtlety / rundeck-commands.md
Created Oct 14, 2021
Rundeck Takeover Reference
View rundeck-commands.md

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects
curl -H $TOKEN $RUNDECK/api/16/projects/ -H accept:application/json | jq  .
@thesubtlety
thesubtlety / stalebacon.cna
Created Mar 26, 2021
Stale beacon slacker, only messages once
View stalebacon.cna
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit https://github.com/bluscreenofjeff/AggressorScripts/blob/master/stale-beacon-notifier.cna - bluescreenofjeff
$webhook_url = "https://hooks.slack.com/services/xxxxx";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
@thesubtlety
thesubtlety / natlas-docker-howto.md
Last active Aug 13, 2020
tl;dr natlas/docker install
View natlas-docker-howto.md
@thesubtlety
thesubtlety / Get-Exports.ps1
Created Feb 12, 2020
DLL Hijack with exports
View Get-Exports.ps1
function Get-Exports {
<#
.SYNOPSIS
Get-Exports, fetches DLL exports and optionally provides
C++ wrapper output (idential to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x32/x64 DLL's regardless of
the bitness of PowerShell.
@thesubtlety
thesubtlety / golang-windows-dll.go
Created Feb 5, 2020
Calling Windows DLLs from Go
View golang-windows-dll.go
package main
import (
"fmt"
"syscall"
"unicode/utf16"
"unsafe"
)
//https://github.com/golang/go/wiki/WindowsDLLs
@thesubtlety
thesubtlety / gist:5d30bc04f087807d817cf4479a481c23
Last active Jun 27, 2022
Download compile and encrypt the latest mimikatz
View gist:5d30bc04f087807d817cf4479a481c23
#requires -version 2
<#
Author: Noah
@subTee's reflexive loader
Required Dependencies: msbuild, csc
Execute: Run-UpdateKatz -Verbose
@thesubtlety
thesubtlety / dllmain.cpp
Last active Jul 17, 2021
Basic dll to execute commands
View dllmain.cpp
// Configuration Type: DLL
// Runtime Library: /MT
// Use of MFC: Use MFC in Static Library
// Architecture must match target _process_
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>
#include <sstream>
@thesubtlety
thesubtlety / parse-shodan-vuln-data.py
Last active Dec 3, 2021
Parse Shodan data file and extract CVE details by host, writing to CSV file
View parse-shodan-vuln-data.py
#!/usr/bin/env python3
import os
import re
import sys
import json
import gzip
import csv
import datetime
import shodan
@thesubtlety
thesubtlety / bulkip-shodan-scanner.py
Created Dec 11, 2019
Submit IPs/CIDRs to Shodan for scanning and download results
View bulkip-shodan-scanner.py
#!/usr/bin/env python3
import os
import sys
import time
import shodan
import netaddr
import ipaddress
'''