Chris Greene (cwgreene)
```python
class Solution:
    def divide(self, dividend: int, divisor: int) -> int:
        # Work on magnitudes and track the sign of the quotient separately.
        sign = 1
        if dividend < 0:
            dividend = -dividend
            sign = -sign
        if divisor < 0:
            sign = -sign
            divisor = -divisor
        piles = [[] for _ in range(divisor)]
```
The correct code should match `'no\n'`. Memory should be `'no\n\x00'`.

This is the memory expression at the initial stack offset (it should be `'n'`):

```
mem:
memory 0x7fffffffffeff20 8
If
| __eq__
| | __add__
| | | <BV64 0x7fffffffffeff20>
```
writeonly.md (last active August 24, 2020)
Writeonly Writeup

So we're presented with a process where we can execute arbitrary shellcode (yay syscalls!) but are restricted in which syscalls we can make.

```c
#include <seccomp.h>

/* Default action is SCMP_ACT_KILL: any syscall without an explicit ALLOW
 * rule kills the process. Only the rules shown here are allowed through. */
void setup_seccomp() {
  scmp_filter_ctx ctx;
  ctx = seccomp_init(SCMP_ACT_KILL);
  int ret = 0;
  ret |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
  ret |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
```
```bash
#!/bin/bash
# Logging shim for Ghidra's decompiler process: capture everything Ghidra
# sends to the real decompiler and everything it sends back, while passing
# both streams through unchanged. Paths are quoted so spaces in the install
# directory or temp paths do not break the pipeline.
input=$(mktemp /tmp/ghidra_input.txt.XXXXX)
output=$(mktemp /tmp/ghidra_output.txt.XXXXX)
directory=$(dirname "$(realpath "$0")")
tee "$input" | "$directory/decompile_real" | tee "$output"
```
```javascript
console.log("hello world");
// Inspect every request the extension sees; flag POSTs whose URL contains "test".
chrome.webRequest.onBeforeRequest.addListener(
  function (details) {
    console.log(details);
    if (details.url.match(/test/) && details.method == "POST") {
      console.log("hi");
    }
  },
```
```json
{
  "manifest_version": 2,
  "version": "1",
  "name": "Test Extension",
  "permissions": [
    "webRequest",
    "webRequestBlocking",
    "*://localhost:*/"
  ],
  "background":
```

Defenit-2020 Mom's Touch

We download the binary and open it in ghidra.

```c
void entry(void)

{
  __libc_start_main(FUN_08048840);
  do {
```

Defenit 2020: minesweeper

So we're given a 16x16 minesweeper map and need to beat it in under a minute. Time to use z3!

Z3 is a Satisfiability Modulo Theories (SMT) solver: essentially, it solves logic puzzles. Our approach is to parse the map and turn each revealed number into a constraint: the count of mines among that cell's still-hidden neighbours must equal the number shown, with every revealed cell known to be safe. A model of all those constraints tells us where the mines are.

Parsing the map, we first
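The encoding described above, carried through on a small constructed board. This is an added example, not the gist's own solver: z3 is replaced by a short backtracking search so the block runs without z3 installed, but the constraints it builds are exactly the `Sum(neighbour_mines) == n` assertions the z3 version would make. The 4x4 `SAMPLE_MAP`, its `?` notation for hidden cells and the function names are all assumptions of this example.

```python
"""Minesweeper as constraints: each revealed number n at (r, c) asserts
that exactly n of its hidden neighbours are mines. Revealed cells are safe."""
from itertools import product

# Constructed board (not from the gist): digits are revealed counts, '?' is
# a hidden cell. Mines sit at (0, 0) and (2, 2); the rest are safe.
SAMPLE_MAP = """\
?10?
1?11
01?1
011?"""


def parse_map(text):
    """Return (rows, cols, {(r, c): count}, [hidden (r, c) in row-major order])."""
    lines = text.strip().splitlines()
    rows, cols = len(lines), len(lines[0])
    counts, hidden = {}, []
    for r, line in enumerate(lines):
        for c, ch in enumerate(line):
            if ch == "?":
                hidden.append((r, c))
            elif ch.isdigit():
                counts[(r, c)] = int(ch)
            else:
                raise ValueError(f"unexpected cell {ch!r} at {(r, c)}")
    return rows, cols, counts, hidden


def neighbours(r, c, rows, cols):
    for dr, dc in product((-1, 0, 1), repeat=2):
        if (dr, dc) != (0, 0) and 0 <= r + dr < rows and 0 <= c + dc < cols:
            yield (r + dr, c + dc)


def build_constraints(text):
    """One (hidden neighbour cells, required mine count) pair per revealed number.
    This is the list a z3 solution would add as Sum(vars) == n."""
    rows, cols, counts, hidden = parse_map(text)
    hidden_set = set(hidden)
    constraints = []
    for (r, c), n in counts.items():
        cells = [p for p in neighbours(r, c, rows, cols) if p in hidden_set]
        constraints.append((cells, n))
    return hidden, constraints


def solve(text, forced=None):
    """Find one assignment satisfying every constraint (stand-in for z3's check()).
    `forced` pins some hidden cells to True/False. Returns the set of mine
    cells, or None when the constraints are unsatisfiable."""
    hidden, constraints = build_constraints(text)
    assignment = dict(forced or {})
    free = [p for p in hidden if p not in assignment]

    def consistent():
        # Prune: too many mines already, or too few cells left to reach n.
        for cells, n in constraints:
            mines = sum(1 for p in cells if assignment.get(p) is True)
            unknown = sum(1 for p in cells if p not in assignment)
            if mines > n or mines + unknown < n:
                return False
        return True

    def search(i):
        if i == len(free):
            return True
        for value in (False, True):
            assignment[free[i]] = value
            if consistent() and search(i + 1):
                return True
            del assignment[free[i]]
        return False

    if not consistent() or not search(0):
        return None
    return {p for p, is_mine in assignment.items() if is_mine}


def proven_safe(text):
    """Hidden cells that cannot be mines in any model: forcing a mine there is
    unsatisfiable. These are the cells safe to click, even on boards with
    several models, unlike cells that merely happen to be safe in one model."""
    hidden, _ = build_constraints(text)
    return sorted(p for p in hidden if solve(text, {p: True}) is None)


def proven_mines(text):
    """Hidden cells that are mines in every model (forcing 'safe' is unsatisfiable)."""
    hidden, _ = build_constraints(text)
    return sorted(p for p in hidden if solve(text, {p: False}) is None)


if __name__ == "__main__":
    print("one model:", sorted(solve(SAMPLE_MAP)))
    print("safe to click:", proven_safe(SAMPLE_MAP))
    print("certain mines:", proven_mines(SAMPLE_MAP))
```

The distinction between `solve` and `proven_safe` matters under a one-minute timer: a single model only shows one consistent layout, and clicking a cell that is safe in that model but a mine in another loses the game. The z3 equivalent is to assert the cell is a mine and check for `unsat` before clicking it.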

Customer Service

We are presented with a login/register screen. Once registered and logged in, we find we've been given a login token cookie, e4955d3a-2920-485c-ab85-232a96351872.

If we paste that into the form, we get "Not Admin..."

Following the Report Issues link we are given the opportunity to get the admin bot to visit an arbitrary url.

Warmup

We are given a binary for warmup and a binary for libc.so.6.

Loading the binary warmup in Ghidra reveals a straightforward binary.

```c
undefined8 main(void)
{
  initialize();
  vuln();
```