add typing

This commit is contained in:
aaron
2021-12-04 04:45:58 +01:00
parent 076a5fe8d4
commit 5d93a845ce
3 changed files with 78 additions and 9 deletions


@@ -10,7 +10,7 @@ header = [ 0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e ]
# the lookup table was previously generated, get_factors determines that a=169, b=160 # the lookup table was previously generated, get_factors determines that a=169, b=160
lookup = {160:0, 73:1, 242:2, 155:3, 68:4, 237:5, 150:6, 63:7, 232:8, 145:9, 58:10, 227:11, 140:12, 53:13, 222:14, 135:15, 48:16, 217:17, 130:18, 43:19, 212:20, 125:21, 38:22, 207:23, 120:24, 33:25, 202:26, 115:27, 28:28, 197:29, 110:30, 23:31, 192:32, 105:33, 18:34, 187:35, 100:36, 13:37, 182:38, 95:39, 8:40, 177:41, 90:42, 3:43, 172:44, 85:45, 254:46, 167:47, 80:48, 249:49, 162:50, 75:51, 244:52, 157:53, 70:54, 239:55, 152:56, 65:57, 234:58, 147:59, 60:60, 229:61, 142:62, 55:63, 224:64, 137:65, 50:66, 219:67, 132:68, 45:69, 214:70, 127:71, 40:72, 209:73, 122:74, 35:75, 204:76, 117:77, 30:78, 199:79, 112:80, 25:81, 194:82, 107:83, 20:84, 189:85, 102:86, 15:87, 184:88, 97:89, 10:90, 179:91, 92:92, 5:93, 174:94, 87:95, 0:96, 169:97, 82:98, 251:99, 164:100, 77:101, 246:102, 159:103, 72:104, 241:105, 154:106, 67:107, 236:108, 149:109, 62:110, 231:111, 144:112, 57:113, 226:114, 139:115, 52:116, 221:117, 134:118, 47:119, 216:120, 129:121, 42:122, 211:123, 124:124, 37:125, 206:126, 119:127, 32:128, 201:129, 114:130, 27:131, 196:132, 109:133, 22:134, 191:135, 104:136, 17:137, 186:138, 99:139, 12:140, 181:141, 94:142, 7:143, 176:144, 89:145, 2:146, 171:147, 84:148, 253:149, 166:150, 79:151, 248:152, 161:153, 74:154, 243:155, 156:156, 69:157, 238:158, 151:159, 64:160, 233:161, 146:162, 59:163, 228:164, 141:165, 54:166, 223:167, 136:168, 49:169, 218:170, 131:171, 44:172, 213:173, 126:174, 39:175, 208:176, 121:177, 34:178, 203:179, 116:180, 29:181, 198:182, 111:183, 24:184, 193:185, 106:186, 19:187, 188:188, 101:189, 14:190, 183:191, 96:192, 9:193, 178:194, 91:195, 4:196, 173:197, 86:198, 255:199, 168:200, 81:201, 250:202, 163:203, 76:204, 245:205, 158:206, 71:207, 240:208, 153:209, 66:210, 235:211, 148:212, 61:213, 230:214, 143:215, 56:216, 225:217, 138:218, 51:219, 220:220, 133:221, 46:222, 215:223, 128:224, 41:225, 210:226, 123:227, 36:228, 205:229, 118:230, 31:231, 200:232, 113:233, 26:234, 195:235, 108:236, 21:237, 190:238, 103:239, 16:240, 185:241, 98:242, 11:243, 
180:244, 93:245, 6:246, 175:247, 88:248, 1:249, 170:250, 83:251, 252:252, 165:253, 78:254, 247:255} lookup = {160:0, 73:1, 242:2, 155:3, 68:4, 237:5, 150:6, 63:7, 232:8, 145:9, 58:10, 227:11, 140:12, 53:13, 222:14, 135:15, 48:16, 217:17, 130:18, 43:19, 212:20, 125:21, 38:22, 207:23, 120:24, 33:25, 202:26, 115:27, 28:28, 197:29, 110:30, 23:31, 192:32, 105:33, 18:34, 187:35, 100:36, 13:37, 182:38, 95:39, 8:40, 177:41, 90:42, 3:43, 172:44, 85:45, 254:46, 167:47, 80:48, 249:49, 162:50, 75:51, 244:52, 157:53, 70:54, 239:55, 152:56, 65:57, 234:58, 147:59, 60:60, 229:61, 142:62, 55:63, 224:64, 137:65, 50:66, 219:67, 132:68, 45:69, 214:70, 127:71, 40:72, 209:73, 122:74, 35:75, 204:76, 117:77, 30:78, 199:79, 112:80, 25:81, 194:82, 107:83, 20:84, 189:85, 102:86, 15:87, 184:88, 97:89, 10:90, 179:91, 92:92, 5:93, 174:94, 87:95, 0:96, 169:97, 82:98, 251:99, 164:100, 77:101, 246:102, 159:103, 72:104, 241:105, 154:106, 67:107, 236:108, 149:109, 62:110, 231:111, 144:112, 57:113, 226:114, 139:115, 52:116, 221:117, 134:118, 47:119, 216:120, 129:121, 42:122, 211:123, 124:124, 37:125, 206:126, 119:127, 32:128, 201:129, 114:130, 27:131, 196:132, 109:133, 22:134, 191:135, 104:136, 17:137, 186:138, 99:139, 12:140, 181:141, 94:142, 7:143, 176:144, 89:145, 2:146, 171:147, 84:148, 253:149, 166:150, 79:151, 248:152, 161:153, 74:154, 243:155, 156:156, 69:157, 238:158, 151:159, 64:160, 233:161, 146:162, 59:163, 228:164, 141:165, 54:166, 223:167, 136:168, 49:169, 218:170, 131:171, 44:172, 213:173, 126:174, 39:175, 208:176, 121:177, 34:178, 203:179, 116:180, 29:181, 198:182, 111:183, 24:184, 193:185, 106:186, 19:187, 188:188, 101:189, 14:190, 183:191, 96:192, 9:193, 178:194, 91:195, 4:196, 173:197, 86:198, 255:199, 168:200, 81:201, 250:202, 163:203, 76:204, 245:205, 158:206, 71:207, 240:208, 153:209, 66:210, 235:211, 148:212, 61:213, 230:214, 143:215, 56:216, 225:217, 138:218, 51:219, 220:220, 133:221, 46:222, 215:223, 128:224, 41:225, 210:226, 123:227, 36:228, 205:229, 118:230, 31:231, 200:232, 
113:233, 26:234, 195:235, 108:236, 21:237, 190:238, 103:239, 16:240, 185:241, 98:242, 11:243, 180:244, 93:245, 6:246, 175:247, 88:248, 1:249, 170:250, 83:251, 252:252, 165:253, 78:254, 247:255}
def get_factors(ct, n=256): def get_factors(ct:bytes, n:int=256) -> (int, int):
''' find a and b for n and ct ''' ''' find a and b for n and ct '''
# first generate a list of all numbers without common divisor with 256 # first generate a list of all numbers without common divisor with 256
nogcds = [ x for x in range(1, n) if gcd(x, n) == 1 ] nogcds = [ x for x in range(1, n) if gcd(x, n) == 1 ]
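Review bot: The return annotation added to `get_factors`, `-> (int, int)`, is a tuple literal rather than a type, and the one added to `generate_lookuptable` in the next hunk, `-> []`, is an empty list literal; both are accepted at runtime but rejected by type checkers, so the commit does not achieve what its title promises. The signatures should read `def get_factors(ct: bytes, n: int = 256) -> tuple[int, int]:` and `def generate_lookuptable(a: int, b: int) -> list[int]:`, which matches what the bodies actually return (`(0,0)` on the no-solution path and `out` built from `out.append(lt)`). The builtin-generic spelling needs Python 3.9 or newer; if the script must run on older interpreters, `typing.Tuple[int, int]` / `typing.List[int]`, or `from __future__ import annotations` at the top of the file, gives the same result. The body of `get_factors` continues past this hunk, so I am assuming `(0,0)` is its only non-tuple-of-ints return.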
@@ -25,13 +25,16 @@ def get_factors(ct, n=256):
print(f'No solution found.') print(f'No solution found.')
return (0,0) return (0,0)
def generate_lookuptable(a, b): def generate_lookuptable(a:int, b:int) -> []:
''' generate a lookuptable for the translation of the enc file''' ''' generate a lookuptable for the translation of the enc file'''
out = []
for i in range(0, 256): for i in range(0, 256):
lt = (i * a + b) % 256 lt = (i * a + b) % 256
out.append(lt)
print(f'{lt}:{i},', end=" ") print(f'{lt}:{i},', end=" ")
return out
def decrypt(ct): def decrypt(ct:bytes) -> bytes:
''' decrypt the file using the lookup table ''' ''' decrypt the file using the lookup table '''
res = b'' res = b''
for byte in ct: for byte in ct:


@@ -9,17 +9,23 @@ list=(
) )
pids=( pids=(
1556 # explorer # 2700 # powershell
2460 # SearchFilterHo # 1556 # explorer
2856 # explorer # 2460 # SearchFilterHo
3324 # iexplorer # 2856 # explorer
3344 # iexplorer # 3324 # iexplorer
# 3344 # iexplorer
3720 # ppid of powershell
) )
echo "HTB{echo -n "http://url.com/path.foo_PID_127.0.0.1" | md5sum}"
for ip in ${list[@]}; do for ip in ${list[@]}; do
for pid in ${pids[@]}; do for pid in ${pids[@]}; do
echo Generating Flag for $ip and $pid: echo Generating Flag for $ip and $pid:
echo
echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}" echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum}"
echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}" echo "HTB{$(echo -n "http://windowsliveupdater.com/update.ps1_"$pid"_"$ip""|md5sum)}"
echo
done done
done done
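Review bot: The candidate flag computed on the `echo "HTB{$(echo -n "…"|md5sum)}"` line embeds md5sum's complete stdin output, which is the digest followed by two spaces and `-`, so every generated value ends in `  -}` instead of `}` and will never match a checker expecting the bare digest; use `echo "HTB{$(echo -n "…"|md5sum|cut -d' ' -f1)}"` or `| awk '{print $1}'` to keep only the hash. That same line hashes an `http://` URL in one of its two printed variants while the template echoed just above it still shows `https://`; whichever side is the new one, the displayed template and the hashed string should agree so the output is not misleading when read back later. As a style point, the loop headers should quote the expansions, `for ip in "${list[@]}"; do` and `for pid in "${pids[@]}"; do`, so that any element containing whitespace is not split, and the `3720 # ppid of powershell` entry would be clearer with the same `# <pid> # <name>` shape as the commented-out lines above it.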


@@ -0,0 +1,60 @@
Volatility 3 Framework 2.0.0
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x2c9a940 76 549 N/A False 2021-11-26 05:12:15.000000 N/A Disabled
1872 400 cygrunsrv.exe 0x2d46470 6 100 0 False 2021-11-25 19:12:20.000000 N/A Disabled
692 400 svchost.exe 0x206013a8 7 268 0 False 2021-11-25 19:12:18.000000 N/A Disabled
1800 400 sppsvc.exe 0x3e254030 5 146 0 False 2021-11-25 19:12:22.000000 N/A Disabled
2080 400 svchost.exe 0x3e27e610 5 91 0 False 2021-11-25 19:12:22.000000 N/A Disabled
2360 400 SearchIndexer. 0x3e301d28 17 730 0 False 2021-11-25 19:12:26.000000 N/A Disabled
2616 2604 csrss.exe 0x3e316d28 11 291 2 False 2021-11-25 19:12:33.000000 N/A Disabled
2440 2360 SearchProtocol 0x3e336d28 8 328 0 False 2021-11-25 19:12:26.000000 N/A Disabled
2460 2360 SearchFilterHo 0x3e33a260 6 95 0 False 2021-11-25 19:12:26.000000 N/A Disabled
2784 400 taskhost.exe 0x3e384b00 11 172 2 False 2021-11-25 19:12:37.000000 N/A Disabled
4028 2700 whoami.exe 0x3e38db00 0 - 2 False 2021-11-25 19:14:01.000000 2021-11-25 19:14:01.000000 Disabled
2844 848 dwm.exe 0x3e38f488 5 89 2 False 2021-11-25 19:12:37.000000 N/A Disabled
2856 2836 explorer.exe 0x3e391498 27 700 2 False 2021-11-25 19:12:38.000000 N/A Disabled
3108 2856 regsvr32.exe 0x3e3acd28 0 - 2 False 2021-11-25 19:12:38.000000 2021-11-25 19:12:39.000000 Disabled
1532 848 dwm.exe 0x3e413c60 5 85 1 False 2021-11-25 19:12:19.000000 N/A Disabled
1556 1512 explorer.exe 0x3e41ab00 25 587 1 False 2021-11-25 19:12:19.000000 N/A Disabled
1540 400 vmicsvc.exe 0x3e425758 6 81 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1620 400 svchost.exe 0x3e442030 14 276 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1716 1556 VBoxTray.exe 0x3e46d6f8 16 147 1 False 2021-11-25 19:12:20.000000 N/A Disabled
1956 400 wlms.exe 0x3e5f9b00 4 45 0 False 2021-11-25 19:12:20.000000 N/A Disabled
744 400 svchost.exe 0x3e619700 17 353 0 False 2021-11-25 19:12:18.000000 N/A Disabled
572 400 svchost.exe 0x3e6326b8 11 368 0 False 2021-11-26 05:12:17.000000 N/A Disabled
2644 2604 winlogon.exe 0x3e673728 6 119 2 False 2021-11-25 19:12:33.000000 N/A Disabled
636 400 VBoxService.ex 0x3e699390 14 123 0 False 2021-11-26 05:12:17.000000 N/A Disabled
1612 1872 cygrunsrv.exe 0x3e6cad28 0 - 0 False 2021-11-25 19:12:21.000000 2021-11-25 19:12:21.000000 Disabled
1676 1612 sshd.exe 0x3e6d5d28 4 100 0 False 2021-11-25 19:12:21.000000 N/A Disabled
848 400 svchost.exe 0x3e6ed9d8 21 464 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1684 308 conhost.exe 0x3e6f2bc0 2 32 0 False 2021-11-25 19:12:21.000000 N/A Disabled
888 400 svchost.exe 0x3e6f8548 41 902 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1012 400 svchost.exe 0x3e721030 17 331 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1084 400 svchost.exe 0x3e73c260 16 396 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1208 400 spoolsv.exe 0x3e769b00 14 293 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1252 400 svchost.exe 0x3e7ae030 20 324 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1376 400 vmicsvc.exe 0x3e7d7488 8 103 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1396 400 vmicsvc.exe 0x3e7de428 7 108 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1432 400 vmicsvc.exe 0x3e7eaa60 4 66 0 False 2021-11-25 19:12:19.000000 N/A Disabled
1440 400 taskhost.exe 0x3e7ec4b8 10 148 1 False 2021-11-25 19:12:19.000000 N/A Disabled
360 340 csrss.exe 0x3e7f4398 7 159 1 False 2021-11-26 05:12:16.000000 N/A Disabled
1504 400 vmicsvc.exe 0x3e7f88b8 5 80 0 False 2021-11-25 19:12:19.000000 N/A Disabled
3344 3324 iexplore.exe 0x3e8aa9b8 26 641 2 False 2021-11-25 19:13:31.000000 N/A Disabled
400 348 services.exe 0x3e8f5620 8 225 0 False 2021-11-26 05:12:16.000000 N/A Disabled
416 348 lsm.exe 0x3e8fbd28 10 171 0 False 2021-11-26 05:12:16.000000 N/A Disabled
408 348 lsass.exe 0x3e902590 7 615 0 False 2021-11-26 05:12:16.000000 N/A Disabled
348 300 wininit.exe 0x3eeba3f0 3 75 0 False 2021-11-26 05:12:16.000000 N/A Disabled
496 340 winlogon.exe 0x3ef47d28 4 111 1 False 2021-11-26 05:12:17.000000 N/A Disabled
3732 2616 conhost.exe 0x3ef733c8 2 50 2 False 2021-11-25 19:13:50.000000 N/A Disabled
308 300 csrss.exe 0x3f19bd28 9 435 0 False 2021-11-26 05:12:16.000000 N/A Disabled
236 4 smss.exe 0x3f1e9c80 2 32 N/A False 2021-11-26 05:12:15.000000 N/A Disabled
168 572 dllhost.exe 0x3f4da2d0 6 88 2 False 2021-11-25 19:14:13.000000 N/A Disabled
2920 2616 conhost.exe 0x3f5046c0 2 50 2 False 2021-11-25 19:14:10.000000 N/A Disabled
3504 2856 VBoxTray.exe 0x3f53ed28 15 145 2 False 2021-11-25 19:12:46.000000 N/A Disabled
3112 572 WmiPrvSE.exe 0x3f588788 8 119 0 False 2021-11-25 19:13:24.000000 N/A Disabled
3324 2856 iexplore.exe 0x3f5afc60 18 434 2 False 2021-11-25 19:13:31.000000 N/A Disabled
2924 2856 DumpIt.exe 0x3f5ee280 2 37 2 False 2021-11-25 19:14:10.000000 N/A Disabled
2700 3720 powershell.exe 0x3fc0dd28 13 444 2 False 2021-11-25 19:13:50.000000 N/A Disabled
4036 2700 HOSTNAME.EXE 0x3fc89030 0 - 2 False 2021-11-25 19:14:01.000000 2021-11-25 19:14:01.000000 Disabled