Ryan Fitblip

View db.py
import os
import re
from pymongo import MongoClient
from bson.objectid import ObjectId
client = MongoClient()
db = client.db
def get_or_add_user(_id=None, name=None):
Fitblip / writeup.md
Created October 29, 2020 22:13
Hack The Vote 2020 CTF - x96 Writeup

x96

Full disclosure: this is the happy path. There were a lot of sad paths with this challenge and many hours spent pulling out my hair to get to the flag. Very cool challenge though!

Starting: What is this thing?

The obvious first step is to get info on the binary itself and run it to see what it does.

$ readelf -h ./x96
Fitblip / certstalgia.sh
Created November 5, 2017 00:06
Certstream Logstalgia Output v2
certstream --json | \
jq -r '.data | [ (.seen|floor|tostring), (.leaf_cert.all_domains[0]|split(".")|.[-1]), .chain[0].subject.CN, "200", "0" ] | join("|")' | \
logstalgia -g "Certificate Authorities,CODE=^200,0" --hide-response-code --hide-paddle --path-abbr-depth -1 --no-bounce -s 2 --address-abbr-depth -1
Fitblip / slack_notification.py
Created June 24, 2017 06:17
An example for certstream to send a slack notification.
import certstream
import json
import os  # needed for os.environ below
import requests
# Set the webhook_url to the one provided by Slack when you create the webhook at https://my.slack.com/services/new/incoming-webhook/
WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
NEEDLE = "coinbase"
# Search for domains with a keyword in them and write the corresponding certificate to a file
Fitblip / find_needle.py
Created June 24, 2017 05:24
Find a specific keyword (paypal) in any certificates sent by Certstream
import certstream
import base64
NEEDLE = "paypal"
# Search for domains with a keyword in them and write the corresponding certificate to a file
def certstream_callback(message):
    if message['message_type'] == "certificate_update":
        all_domains = message['data']['leaf_cert']['all_domains']
        if NEEDLE.lower() in " ".join(all_domains).lower():
View FlowersToTheWorld.sql
SELECT
url,
COUNT(*) AS total_certs
FROM
[ctl-lists:certificate_data.scan_data]
WHERE
(REGEXP_MATCH(all_dns_names,r'.*flowers-to-the-world.*'))
GROUP BY
url
ORDER BY
Fitblip / CoinbaseBigQuery.sql
Last active May 17, 2017 22:26
Finding all coinbase sites using BigQuery
SELECT
all_dns_names
FROM
[ctl-lists:certificate_data.scan_data]
WHERE
(REGEXP_MATCH(all_dns_names,r'.*\.coinbase.com[\s$]?'))
Fitblip / bigquery.sql
Created May 17, 2017 22:18
BigQuery Punycode Example
SELECT
all_dns_names
FROM
[ctl-lists:certificate_data.scan_data]
WHERE
(REGEXP_MATCH(all_dns_names,r'\b?xn\-\-'))
AND NOT all_dns_names CONTAINS 'cloudflare'
Fitblip / schema.json
Created May 17, 2017 22:01
BigQuery Schema
[
{
"name": "url",
"type": "STRING",
"mode": "REQUIRED"
},
{
"mode": "REQUIRED",
"name": "cert_index",
"type": "INTEGER"
View ctl_parser_structures.py
from construct import Struct, Byte, Int16ub, Int64ub, Enum, Bytes, Int24ub, this, GreedyBytes, GreedyRange, Terminated, Embedded
MerkleTreeHeader = Struct(
    "Version" / Byte,
    "MerkleLeafType" / Byte,
    "Timestamp" / Int64ub,
    "LogEntryType" / Enum(Int16ub, X509LogEntryType=0, PrecertLogEntryType=1),
    "Entry" / GreedyBytes
)