@paul-axe
paul-axe / insomnihack2019teaser_droops_writeup.md
Created Jan 20, 2019
insomnihack2019teaser_droops_writeup.md

The challenge was based on Drupal 7 with an obvious unserialize call added.

Trying to build a chain, the first solution I found was based on the following chain:

./includes/bootstrap.inc

abstract class DrupalCacheArray
    ...
    public function __destruct() {
        $data = array();
paul-axe / phdays2018_quals_writeup.md
Last active Apr 29, 2018
phdays2018_quals_writeup

event0

We got a file with a sequence recorded from a /dev/input/event* file. It's easy to replay the events from the file using the following command:

# sleep 3; cat event0 > /dev/input/by-path/platform-i8042-serio-0-event-kbd

After that, switch to another terminal window or text editor and we will see the following commands:

vim key.txt
32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^[llr2elr20elxlxlxhi3^[A64^[kdd:wq
paul-axe / 0ctf_2018_quals_writeups.md

h4x0rs.club 2

The application was built from 2 parts: a frontend page (https://h4x0rs.club/game/) and a backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:

  1. Stored XSS on user profile page.

It's also possible to make the victim's browser trigger a click on the injected element:

// Profile page code: a URL fragment of "#report" auto-clicks the report button
if (location.hash.slice(1) == 'report') {
    document.getElementById('report-btn').click();
}
paul-axe / hitcon2017_sql_so_hard.md

There were 2 security issues in the application:

  1. The WAF stored blocked users' IPs in a MySQL database, while the application used a PostgreSQL database.

The problem is in the max_allowed_packet option in my.cnf. MySQL will discard all packets larger than the value of this option. So it's possible to bypass the WAF using a big payload in the first argument sent to the server.

  2. Vulnerable PostgreSQL library.

The vulnerability is described here: https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability.

paul-axe / zn2017d3.md
Created Oct 27, 2017
ZeroNights 2017 Day #3 / YOUAREWELCOME writeup
  1. XSS in the feedback form. Got access to a moderator account. Nothing useful here though, except the list of approved accounts.
  2. Trying to register our own team - got the password by email. The password is 4 digits, so it can easily be bruteforced.
  3. The login form is protected with a simple captcha. Wrote a simple script using pytesseract (https://github.com/madmaze/pytesseract) to recognize the captcha and bruteforce the login form. After 10 minutes got the password for one of the approved team accounts.
import sys
import io
import re
import requests
import pytesseract