Upon connecting to the server we are presented with the following options
I heard that tcache is pretty bad, but disabling it is pretty annoying.
But chunks that're greater than 0x408 don't go in tcache :)
Chris Greene cwgreene
cwgreene
/ division.py
Last active
March 13, 2024 21:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class Solution: | |
| def divide(self, dividend: int, divisor: int) -> int: | |
| sign = 1 | |
| if dividend < 0: | |
| dividend = - dividend | |
| sign = - sign | |
| if divisor < 0: | |
| sign = - sign | |
| divisor = - divisor | |
| piles = [[] for _ in range(divisor)] |
cwgreene
/ gist:ff6dc78942d9dfd612dcc73ae4d19bf2
Last active
February 8, 2021 07:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The correct code should match 'no\n'. Memory should be 'no\n\x00'. | |
| This is the memory expression at the initial stack offset (it should be 'n') | |
| mem: | |
| memory 0x7fffffffffeff20 8 | |
| If | |
| | __eq__ | |
| | | __add__ | |
| | | | <BV64 0x7fffffffffeff20> |
So we're presented with a process where we can execute arbitrary shellcode (yay syscalls!) but are restricted in which syscalls we can make.
void setup_seccomp() {
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
int ret = 0;
ret |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
ret |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| input=$(mktemp /tmp/ghidra_input.txt.XXXXX) | |
| output=$(mktemp /tmp/ghidra_output.txt.XXXXX) | |
| directory=$(dirname $(realpath $0)) | |
| tee $input | "$directory/decompile_real" | tee $output |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| console.log("hello world"); | |
| chrome.webRequest.onBeforeRequest.addListener( | |
| function(details) { | |
| console.log(details); | |
| if (details.url.match(/test/) && details.method=="POST"){ | |
| console.log("hi"); | |
| } | |
| }, |
cwgreene
/ manifest.json
Created
July 1, 2020 22:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "manifest_version": 2, | |
| "version":"1", | |
| "name": "Test Extension", | |
| "permissions": [ | |
| "webRequest", | |
| "webRequestBlocking", | |
| "*://localhost:*/" | |
| ], | |
| "background": |
cwgreene
/ Defenit2020-MomsTouch.md
Created
June 15, 2020 06:10
cwgreene
/ Defenit2020-Minesweeper.md
Last active
June 15, 2020 05:07
So we're given a 16x16 minesweepr map, and need to beat it in under a minute. Time to use z3!
Z3 is a Symmetric Modulo Theory (SMT) solver. Essentially, it is able to solve logic puzzles. Our approach is to parse the map, and for each number encode that as a constraint.
Parsing the map, we first
cwgreene
/ Customer Service.md
Created
June 15, 2020 01:49
We get presented with a login / register screen. Once
registered and logged in, we discover that we've
been given a login token cookie e4955d3a-2920-485c-ab85-232a96351872.
If we paste that in to the form, we get "Not Admin..."
Following the Report Issues link we are given the opportunity to get the admin bot to visit an arbitrary url.
NewerOlder