
@thesubtlety
thesubtlety / rundeck-commands.md
Created Oct 14, 2021
Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects
curl -H "$TOKEN" "$RUNDECK/api/16/projects/" -H accept:application/json | jq .
@thesubtlety
thesubtlety / parse-shodan-vuln-data.py
Last active Oct 4, 2021
Parse Shodan data file and extract CVE details by host, writing to CSV file
#!/usr/bin/env python3
import os
import re
import sys
import json
import gzip
import csv
import datetime
import shodan
@thesubtlety
thesubtlety / sans-sec660-recommended-reading.md
Created Jan 5, 2019
SANS SEC660 GXPN Recommended Reading
@thesubtlety
thesubtlety / golang-windows-dll.go
Created Feb 5, 2020
Calling Windows DLLs from Go
package main
import (
"fmt"
"syscall"
"unicode/utf16"
"unsafe"
)
//https://github.com/golang/go/wiki/WindowsDLLs
@thesubtlety
thesubtlety / dllmain.cpp
Last active Jul 17, 2021
Basic dll to execute commands
// Configuration Type: DLL
// Runtime Library: /MT
// Use of MFC: Use MFC in Static Library
// Architecture must match target _process_
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <windows.h>
#include <sstream>
@thesubtlety
thesubtlety / decrypt_jenkins2.rb
#!/usr/bin/env ruby
require 'base64'
require 'digest'
require 'openssl'
# Author: @thesubtlety
# Decrypts Jenkins 2 encrypted strings, code change introduced around Jenkins ver 2.44
# Based off work by juyeong, https://gist.github.com/juyeong/081379bd1ddb3754ed51ab8b8e535f7c
@thesubtlety
thesubtlety / stalebacon.cna
Created Mar 26, 2021
Stale beacon slacker, only messages once
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit https://github.com/bluscreenofjeff/AggressorScripts/blob/master/stale-beacon-notifier.cna - bluescreenofjeff
$webhook_url = "https://hooks.slack.com/services/xxxxx";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
@thesubtlety
thesubtlety / Get-GroupsRec.ps1
Created Jan 23, 2019
Get all AD group membership recursively (requires AD module)
function Get-GroupsRec {
[CmdletBinding()]
param
(
[Parameter(Mandatory)]
[string]$User
)
$dn = (Get-ADUser $User).DistinguishedName
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership server-side
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) | select -expand Name | sort Name
}
@thesubtlety
thesubtlety / gist:5d30bc04f087807d817cf4479a481c23
Last active Mar 24, 2021
Download compile and encrypt the latest mimikatz
#requires -version 2
<#
Author: Noah
@subTee's reflexive loader
Required Dependencies: msbuild, csc
Execute: Run-UpdateKatz -Verbose
@thesubtlety
thesubtlety / Get-Exports.ps1
Created Feb 12, 2020
DLL Hijack with exports
function Get-Exports {
<#
.SYNOPSIS
Get-Exports fetches DLL exports and optionally provides
C++ wrapper output (identical to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x32/x64 DLLs regardless of
the bitness of PowerShell.