
@paul-axe
paul-axe / offzone2019_hackquest_writeup.md
Created June 22, 2019 17:20
offzone2019_hackquest_writeup.md

card maker

Simple web challenge. The application was built with the React framework and contained reporting functionality:

fetch("/api/report", {
    method: "POST",
    body: JSON.stringify({ hash: x }),
    headers: {
        "Content-Type": "application/json"
    }
});
@paul-axe
paul-axe / insomnihack2019teaser_droops_writeup.md
Created January 20, 2019 12:42
insomnihack2019teaser_droops_writeup.md

The challenge was based on Drupal 7 with an obvious unserialize() call added.

Trying to build a chain, the first solution I found was based on the following chain:

./includes/bootstrap.inc

abstract class DrupalCacheArray
    ...
    public function __destruct() {
        $data = array();
@paul-axe
paul-axe / phdays2018_quals_writeup.md
Last active April 29, 2018 20:29
phdays2018_quals_writeup

event0

We got a file with an event sequence recorded from a /dev/input/event* device. It is easy to replay the events from the file with the following command (run as root; the record layout must match the capturing machine, 24 bytes per event on 64-bit Linux):

# sleep 3; cat event0 > /dev/input/by-path/platform-i8042-serio-0-event-kbd

After that, switch to another terminal window or text editor and we will see the following commands being typed:

vim key.txt
32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^[llr2elr20elxlxlxhi3^[A64^[kdd:wq
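Replaying the capture into a live keyboard device works, but it needs root and a matching kernel/architecture, and it hands the keystrokes to whatever window has focus. As an added example (not from the original writeup), the decoder below reconstructs the keystrokes offline from the same record format. It assumes the 64-bit Linux struct input_event layout (two 8-byte timeval fields, u16 type, u16 code, s32 value) and a US keyboard layout; SAMPLE_EVENT0 is a constructed stream produced by the encoder in the block, not the challenge file.

```python
import struct

# struct input_event as written by the kernel on 64-bit Linux:
#   struct timeval time (two 8-byte longs), __u16 type, __u16 code, __s32 value
# = 24 bytes per record (a 32-bit capture would use 16-byte records).
INPUT_EVENT = struct.Struct("<qqHHi")

EV_SYN, EV_KEY = 0, 1
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2
KEY_LEFTSHIFT, KEY_RIGHTSHIFT = 42, 54

# Subset of linux/input-event-codes.h on a US layout: code -> (plain, shifted).
KEYMAP = {1: ("\x1b", "\x1b"), 14: ("\b", "\b"), 15: ("\t", "\t"),
          28: ("\n", "\n"), 43: ("\\", "|"), 57: (" ", " ")}
for base, plain, shifted in [(2, "1234567890-=", "!@#$%^&*()_+"),
                             (16, "qwertyuiop[]", "QWERTYUIOP{}"),
                             (30, "asdfghjkl;'`", 'ASDFGHJKL:"~'),
                             (44, "zxcvbnm,./", "ZXCVBNM<>?")]:
    for i, (p, s) in enumerate(zip(plain, shifted)):
        KEYMAP[base + i] = (p, s)

# Reverse map, used only to build constructed test input: char -> (code, needs_shift).
CHAR_TO_KEY = {}
for code, (p, s) in KEYMAP.items():
    CHAR_TO_KEY.setdefault(p, (code, False))
    CHAR_TO_KEY.setdefault(s, (code, True))


def iter_events(blob):
    """Yield (sec, usec, type, code, value); a truncated trailing record is ignored."""
    size = INPUT_EVENT.size
    for off in range(0, len(blob) - size + 1, size):
        yield INPUT_EVENT.unpack_from(blob, off)


def decode_keystrokes(blob):
    """Reconstruct the typed text from EV_KEY press/autorepeat events, tracking Shift."""
    shift_held = False
    out = []
    for _sec, _usec, etype, code, value in iter_events(blob):
        if etype != EV_KEY:
            continue                      # EV_SYN and friends carry no key
        if code in (KEY_LEFTSHIFT, KEY_RIGHTSHIFT):
            shift_held = value != KEY_RELEASE
            continue
        if value == KEY_RELEASE:
            continue                      # only presses and autorepeats produce text
        plain, shifted = KEYMAP.get(code, ("<%d>" % code, "<%d>" % code))
        out.append(shifted if shift_held else plain)
    return "".join(out)


def encode_keystrokes(text, t0=1500000000):
    """Constructed event stream that types `text`: press/release per key, Shift held
    around shifted characters, one EV_SYN after each key event (as a real capture has)."""
    recs, ts = [], t0

    def emit(code, value):
        recs.append(INPUT_EVENT.pack(ts, 0, EV_KEY, code, value))
        recs.append(INPUT_EVENT.pack(ts, 0, EV_SYN, 0, 0))

    for ch in text:
        code, needs_shift = CHAR_TO_KEY[ch]
        ts += 1
        if needs_shift:
            emit(KEY_LEFTSHIFT, KEY_PRESS)
        emit(code, KEY_PRESS)
        emit(code, KEY_RELEASE)
        if needs_shift:
            emit(KEY_LEFTSHIFT, KEY_RELEASE)
    return b"".join(recs)


# Constructed sample, not the challenge file: the operator opens vim and saves.
SAMPLE_EVENT0 = encode_keystrokes("vim key.txt\n:wq\n")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EVENT0
    print(decode_keystrokes(data))
```

Run it as `python3 decode_event0.py event0` to print the reconstructed input; Escape shows up as a raw 0x1b byte, so pipe through `cat -v` to see the `^[` sequences the way vim would. If the capture came from a 32-bit system, change the struct format to `<iiHHi` (16-byte records).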
@paul-axe
paul-axe / 0ctf_2018_quals_writeups.md
Created April 2, 2018 18:03
0ctf_2018_quals_writeups

h4x0rs.club 2

The application was built from two parts, a frontend page (https://h4x0rs.club/game/) and a backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:

  1. Stored XSS on user profile page.

It is also possible to make the victim's browser trigger a click on the injected element:

if(location.hash.slice(1) == 'report'){
            document.getElementById('report-btn').click();
}
@paul-axe
paul-axe / hitcon2017_sql_so_hard.md
Created November 8, 2017 14:09
hitcon2017_sql_so_hard

There were two security issues in the application:

  1. The WAF stored blocked users' IPs in a MySQL database, while the application itself used a PostgreSQL database.

The problem is the max_allowed_packet option in my.cnf. MySQL rejects any query packet larger than this value, so the WAF's INSERT of the blocked IP fails and the block is never recorded. It is therefore possible to bypass the WAF by sending a big payload in the first argument sent to the server.

  2. Vulnerable PostgreSQL library.

The vulnerability is described here: https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability.

@paul-axe
paul-axe / zn2017d3.md
Created October 27, 2017 23:06
ZeroNights 2017 Day #3 / YOUAREWELCOME writeup
  1. XSS in the feedback form. Got access to the moderator account. Nothing useful here though, except the list of approved accounts.
  2. Trying to register our own team, we got the password by email. The password is 4 digits, so it can easily be brute-forced.
  3. The login form is protected with a simple captcha. Wrote a simple script using pytesseract https://github.com/madmaze/pytesseract to recognize the captcha and brute-force the login form. After 10 minutes got the password for one of the approved team accounts.
import sys
import io
import re
import requests
import pytesseract