@stevemk14ebr
stevemk14ebr / stpgetargtype_dump.json
Created April 11, 2021 18:15
DTrace's StpGetArgType accesses a metadata table that stores complete arg type information for every syscall.
[
[
"NtLockProductActivationKeys",
[
"UInt32 *",
"UInt32 *"
]
],
[
"NtLockProductActivationKeys",
@coffeegist
coffeegist / nmap-tcp-full.sh
Last active June 21, 2024 16:04
OSCP nmap scripts
if [ "$#" -ne 3 ]; then
echo "Usage: nmap-tcp-full.sh <TCP-QUICK-RESULTS.XML> <TARGET> <OUTPUT-FILENAME>"
exit 1
fi
nmap -nvv -Pn -sSV -T1 -p"$(grep portid "$1" | grep 'protocol="tcp"' | cut -d'"' -f4 | paste -sd "," -)" --version-intensity 9 -A -oA "$3" "$2"
@mattifestation
mattifestation / FileReadPrimitive.ps1
Last active June 12, 2023 16:33
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
@bontchev
bontchev / EQgroup.md
Last active June 21, 2024 13:54
Curated list of links describing the leaked Equation Group tools for Windows

Links describing the leaked EQ Group tools for Windows

Repositories and ports

Installation and usage guides

@cryptolok
cryptolok / vMetaDate.sh
Last active February 4, 2024 12:12
small tool to retrieve vk.com (vkontakte) users hidden metadata (state, access, dates, counts, etc) anonymously (without login)
#!/bin/bash
# small tool to retrieve vk.com (vkontakte) users hidden metadata (state, access, dates, counts, etc) anonymously (without login)
# sudo apt install curl
parse(){
local IFS=\>
read -d \< CELL VALUE
}
anonymous
anonymous / psx.py
Created November 13, 2016 14:32
PowerShell decoder by @JohnLaTwC
## hacked together by @JohnLaTwC, Nov 2016, v 0.5
## This script attempts to decode common PowerShell encoded scripts. This version handles:
## * base64 data which encode unicode, gzip, or deflate encoded strings
## * it can operate on a file or stdin
## * it can run recursively in the event of multiple layers
## With apologies to @Lee_Holmes for using Python instead of PowerShell
##
import sys
import zlib
import re
anonymous
anonymous / gist:d0da355e5c21a122866808d37234cd5d
Created October 23, 2016 00:12
PowerShell malware [posted by @JohnLaTwC]
//sample: 1554e74b935a61d446cb634f80d7d1e200e864bc
//posted by @JohnLaTwC
// Also see research by Sudeep Singh, Yin Hong Chang @ https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
----------------------------------------------- macro ----------------------------------
Private Sub Workbook_Open()
Call doom_Init
Call doom_ShowHideSheets
End Sub

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawns ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
param([Parameter(Mandatory=$true)][string]$action)
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",