LongCat pich4ya

@pich4ya
pich4ya / report.java
Created Dec 3, 2022
OS Command Injection Vulnerability in Java Spring
@RestController
public class ReportController {
@PostMapping("/report")
public ResponseEntity<String> generateReport(@RequestParam String report_name) {
String cmd = "bash -c \"generate_report.sh " + report_name + "\"";
try {
Process proc = Runtime.getRuntime().exec(cmd);
int exitValue = proc.waitFor();
if (exitValue == 0) {
@pich4ya
pich4ya / ctfd_330_exploit.txt
Last active Nov 25, 2022
CTFd <= 3.3.0 Exploit: Join CTF teams without knowing the team password or having a team invite
@author Pichaya Morimoto (p.morimoto@sth.sh)
Vulnerability: Broken Access Control/Mass Assignment Vulnerability in CTFd <= 3.3.0
CVE: n/a
Impact:
- Join CTF teams without knowing the team password or having a team invite
- Can switch to another team, and switch back to the old team
Attack Scenario:
@pich4ya
pich4ya / fix_brew_xcode_ventura.txt
Created Oct 29, 2022
Fix brew with Xcode's Command Line Tools (CLT) errors on macOS 13.0 Ventura
# @author Pichaya Morimoto
# Problem 1
$ brew upgrade
Error: Your Xcode (14.0.1) is too outdated.
Please update to Xcode 14.1 (or delete it).
Xcode can be updated from the App Store.
Error: Your Command Line Tools (CLT) does not support macOS 13.
It is either outdated or was modified.
@pich4ya
pich4ya / intigrity_may22_xss_chall.txt
Last active Jun 5, 2022
Intigriti May '22 XSS Challenge - Prototype Pollution Writeup
@author Pichaya (LongCat) Morimoto (p.morimoto@sth.sh)
Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html
The goal is to achieve XSS even though protections are in place:
(1) User input is not rendered directly; only an index (a number) is accepted and used to look up the HTML content that gets displayed
(2) The looked-up HTML content (static, fixed) is then further sanitized with the filterXSS() function from the xss-js library
Tech Stack:
@pich4ya
pich4ya / install_medusa_macos.txt
Last active Jun 1, 2022
Medusa installation on MacOS 12.4
I got this error during `make` for Medusa installation on MacOS 12.4
```bash
git clone https://github.com/jmk-foofus/medusa
cd medusa
./configure
make && make install
[..]
medusa-net.c:349:28: error: implicit declaration of function 'TLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
sslContext = SSL_CTX_new(TLS_client_method());
```
@pich4ya
pich4ya / Spiky_Tamagotchy_Writeup.md
Last active Aug 6, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Spiky Tamagotchy Writeup

info

Captain Spiky comes from a rare species of creatures who can only breathe underwater. During the energy-crisis war, he was captured as a war prisoner and later forced to be a Tamagotchi pet for a child of a general of nomadic tribes. He is forced to react in specific ways and controlled remotely purely for the amusement of the general's children. The Paraman crew needs to save the captain of his misery as he is potentially a great asset for the war against Draeger. Can you hack into the Tamagotchi controller to rescue the captain?

techstack

  • node.js
  • express.js
  • mysql
  • alpine docker
@pich4ya
pich4ya / Genesis_Wallet_Writeup.txt
Created May 19, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Genesis Wallet Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
Unintended solution.
Create 2 users. Then transfer an amount of -9999 from one account to the other.
POST /api/transactions/create HTTP/1.1
[...]
Content-Length: 84
@pich4ya
pich4ya / Acnologia_Portal_Writeup.txt
Last active Jun 1, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Acnologia Portal Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
1. Register and Login
2. Submit Bug Report
Vulns:
- Tar Unzip Path Traversal
- Tar content => Overwrite flask_session's file type
View tarbomb.py
#!/bin/python
# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
# Copyright 2020 Andrew Scott
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE
@pich4ya
pich4ya / Find-AclSth.ps1
Created Apr 16, 2022
Modified version of PowerView's Find-InterestingDomainAcl (Previously known as Invoke-ACLScanner) / Require PowerView.ps1
function Find-AclSth {
<#
.SYNOPSIS
Finds object ACLs in the current (or specified) domain with modification
rights set to non-built in objects.
Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
Author: Will Schroeder (@harmj0y)