Skip to content

Instantly share code, notes, and snippets.

@khr0x40sh
khr0x40sh / decrypt.py
Created June 5, 2024 16:38
Sonatype NEXUS Repository Manager stored variable decryptor
import hashlib
import base64
import argparse
from Crypto.Cipher import AES
class AES_pkcs5:
def __init__(self, key: str, mode: AES.MODE_ECB = AES.MODE_ECB, block_size: int = 16):
self.key = self.setKey(key)
self.mode = mode
self.block_size = block_size
@khr0x40sh
khr0x40sh / keygen.py
Created May 22, 2024 14:18
HTB-BusinessCTF2024: Crypto Bloom Bloom
from random import randint, shuffle
from Crypto.Util.number import getPrime
from hashlib import sha256
class BBS:
def __init__(self, bits, length):
self.bits = bits
self.out_length = length
def reset_params(self):
@khr0x40sh
khr0x40sh / PowershellAes.ps1
Created April 6, 2023 17:21 — forked from ctigeek/PowershellAes.ps1
Aes Encryption using powershell.
function Create-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
}
@khr0x40sh
khr0x40sh / psCompress.ps1
Created April 6, 2023 17:16 — forked from marcgeld/psCompress.ps1
Powershell: Compress and decompress byte array
# Compress and decompress byte array
function Get-CompressedByteArray {
[CmdletBinding()]
Param (
[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
[byte[]] $byteArray = $(Throw("-byteArray is required"))
)
Process {
@khr0x40sh
khr0x40sh / decrypt_phase3.py
Created March 23, 2023 20:14
HTB:CA2023 Forensics Interstellar Phase 3 Decryptor
import os
import base64
from Crypto.Cipher import AES
import gzip, zlib
def decrypt(data, key):
cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size])
return cipher.decrypt(data[AES.block_size:])
def decompress(data):
@khr0x40sh
khr0x40sh / ImgGen.cs
Last active March 23, 2023 20:11
HTB:CA2023 Forensics Interstellar ImgGen C2 class
internal static class ImgGen
{
// Token: 0x06000020 RID: 32 RVA: 0x00003478 File Offset: 0x00001678
internal static void Init(string stringIMGS)
{
IEnumerable<string> source = from Match m in Program.ImgGen._re.Matches(stringIMGS.Replace(",", ""))
select m.Value;
source = from m in source
where !string.IsNullOrEmpty(m)
select m;
@khr0x40sh
khr0x40sh / Primer.cs
Created March 23, 2023 20:04
HTB:CA2023 Forensics Interstellar Primer C2 Function
// Program
// Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8
private static void primer()
{
if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now)
{
Program.dfs = 0;
string text = "";
try
{
@khr0x40sh
khr0x40sh / Encryption.cs
Created March 23, 2023 18:36
HTB:CA2023 Forensics Interstellar Encryption C2 Function
private static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
byte[] array = null;
if (unByte != null)
{
array = unByte;
}
else
{
array = Encoding.UTF8.GetBytes(un);
@khr0x40sh
khr0x40sh / Exec.cs
Created March 23, 2023 18:27
HTB:CA2023 Forensics Interstellar EXEC C2 Function
// Program
// Token: 0x06000016 RID: 22 RVA: 0x00002C38 File Offset: 0x00000E38
public static void Exec(string cmd, string taskId, string key = null, byte[] encByte = null)
{
if (string.IsNullOrEmpty(key))
{
key = Program.pKey;
}
string cookie = Program.Encryption(key, taskId, false, null);
string s;
@khr0x40sh
khr0x40sh / ImplantCore.cs
Created March 23, 2023 18:22
HTB:CA2023 Forensics Interstellar Implant Core C2 Function
// Program
// Token: 0x06000017 RID: 23 RVA: 0x00002CDC File Offset: 0x00000EDC
private static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
{
Program.UrlGen.Init(stringURLS, RandomURI, baseURL);
Program.ImgGen.Init(stringIMGS);
Program.pKey = Key;
int num = 5;
Regex regex = new Regex("(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase | RegexOptions.Compiled);
Match match = regex.Match(Sleep);