Source Code Analysis
┌──(kali㉿kali)-[~/…/labs/nest/RU/RUScanner]
└─$ cat Utils.vbImports System.Text
Imports System.Security.Cryptography
Public Class Utils
Public Shared Function GetLogFilePath() As String
Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
End Function
Public Shared Function DecryptString(EncryptedString As String) As String
If String.IsNullOrEmpty(EncryptedString) Then
Return String.Empty
Else
Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Shared Function EncryptString(PlainString As String) As String
If String.IsNullOrEmpty(PlainString) Then
Return String.Empty
Else
Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
End If
End Function
Public Shared Function Encrypt(ByVal plainText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
Using memoryStream As New IO.MemoryStream()
Using cryptoStream As New CryptoStream(memoryStream, _
encryptor, _
CryptoStreamMode.Write)
cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
cryptoStream.FlushFinalBlock()
Dim cipherTextBytes As Byte() = memoryStream.ToArray()
memoryStream.Close()
cryptoStream.Close()
Return Convert.ToBase64String(cipherTextBytes)
End Using
End Using
End Function
Public Shared Function Decrypt(ByVal cipherText As String, _
ByVal passPhrase As String, _
ByVal saltValue As String, _
ByVal passwordIterations As Integer, _
ByVal initVector As String, _
ByVal keySize As Integer) _
As String
Dim initVectorBytes As Byte()
initVectorBytes = Encoding.ASCII.GetBytes(initVector)
Dim saltValueBytes As Byte()
saltValueBytes = Encoding.ASCII.GetBytes(saltValue)
Dim cipherTextBytes As Byte()
cipherTextBytes = Convert.FromBase64String(cipherText)
Dim password As New Rfc2898DeriveBytes(passPhrase, _
saltValueBytes, _
passwordIterations)
Dim keyBytes As Byte()
keyBytes = password.GetBytes(CInt(keySize / 8))
Dim symmetricKey As New AesCryptoServiceProvider
symmetricKey.Mode = CipherMode.CBC
Dim decryptor As ICryptoTransform
decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)
Dim memoryStream As IO.MemoryStream
memoryStream = New IO.MemoryStream(cipherTextBytes)
Dim cryptoStream As CryptoStream
cryptoStream = New CryptoStream(memoryStream, _
decryptor, _
CryptoStreamMode.Read)
Dim plainTextBytes As Byte()
ReDim plainTextBytes(cipherTextBytes.Length)
Dim decryptedByteCount As Integer
decryptedByteCount = cryptoStream.Read(plainTextBytes, _
0, _
plainTextBytes.Length)
memoryStream.Close()
cryptoStream.Close()
Dim plainText As String
plainText = Encoding.ASCII.GetString(plainTextBytes, _
0, _
decryptedByteCount)
Return plainText
End Function
End ClassThis program was written in VBscript and it basically provides both encryption and decryption
Porting to CS
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
public class Utils
{
public static string GetLogFilePath()
{
return Path.Combine(Environment.CurrentDirectory, "Log.txt");
}
public static string DecryptString(string encryptedString)
{
if (string.IsNullOrEmpty(encryptedString))
{
return string.Empty;
}
else
{
return Decrypt(encryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256);
}
}
public static string EncryptString(string plainString)
{
if (string.IsNullOrEmpty(plainString))
{
return string.Empty;
}
else
{
return Encrypt(plainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256);
}
}
public static string Encrypt(string plainText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
{
byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
byte[] keyBytes = password.GetBytes(keySize / 8);
AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write);
cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length);
cryptoStream.FlushFinalBlock();
byte[] cipherTextBytes = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(cipherTextBytes);
}
public static string Decrypt(string cipherText, string passPhrase, string saltValue, int passwordIterations, string initVector, int keySize)
{
byte[] initVectorBytes = Encoding.ASCII.GetBytes(initVector);
byte[] saltValueBytes = Encoding.ASCII.GetBytes(saltValue);
byte[] cipherTextBytes = Convert.FromBase64String(cipherText);
Rfc2898DeriveBytes password = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
byte[] keyBytes = password.GetBytes(keySize / 8);
AesCryptoServiceProvider symmetricKey = new AesCryptoServiceProvider();
symmetricKey.Mode = CipherMode.CBC;
ICryptoTransform decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes);
MemoryStream memoryStream = new MemoryStream(cipherTextBytes);
CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
byte[] plainTextBytes = new byte[cipherTextBytes.Length];
int decryptedByteCount = cryptoStream.Read(plainTextBytes, 0, plainTextBytes.Length);
memoryStream.Close();
cryptoStream.Close();
return Encoding.UTF8.GetString(plainTextBytes, 0, decryptedByteCount);
}
}
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Please enter 1 to Encrypt or 2 to Decrypt:");
int choice = int.Parse(Console.ReadLine());
Console.WriteLine("Please enter the string:");
string inputString = Console.ReadLine();
if (choice == 1)
{
string encryptedString = Utils.EncryptString(inputString);
Console.WriteLine("Encrypted Text: " + encryptedString);
}
else if (choice == 2)
{
string decryptedString = Utils.DecryptString(inputString);
Console.WriteLine("Decrypted Text: " + decryptedString);
}
else
{
Console.WriteLine("Invalid choice. Please enter either 1 or 2.");
}
}
}I re-wrote the program in C# with some additional feature so it would prompt for user input
Build is complete
PS C:\Users\tacticalgator\source\repos\crypto\bin\Release\netcoreapp3.1> ls
Directory: C:\Users\tacticalgator\source\repos\crypto\bin\Release\netcoreapp3.1
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/13/2023 12:31 AM 410 crypto.deps.json
-a---- 1/13/2023 12:31 AM 6656 crypto.dll
-a---- 1/13/2023 12:31 AM 174592 crypto.exe
-a---- 1/13/2023 12:31 AM 10276 crypto.pdb
-a---- 1/13/2023 12:31 AM 272 crypto.runtimeconfig.dev.json
-a---- 1/13/2023 12:31 AM 154 crypto.runtimeconfig.jsoncrypto.exe is right there
Execution
ps c:\Users\tacticalgator\source\repos\crypto\bin\Release\netcoreapp3.1> .\crypto.exe
please enter 1 to encrypt or 2 to decrypt:
2
please enter the string:
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
decrypted text: xRxRxPANCAK3SxRxRxI provide the password string for the C.Smith user that I got from the SMB enumeration earlier.
the program successfully decrypted the input string and printed out the following:
xRxRxPANCAK3SxRxRx
I will validate the credential
Alternative
┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ mcs crypto.cs
┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ ls
crypto.cs crypto.exe
┌──(kali㉿kali)-[~/…/htb/labs/nest/crypto]
└─$ ./crypto.exe
Please enter 1 to Encrypt or 2 to Decrypt:
2
Please enter the string:
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=
Decrypted Text: xRxRxPANCAK3SxRxRxI can also use mcs(Mono C# Compiler) to compile the program in Kali