LongCat pich4ya

@pich4ya
pich4ya / openssl3_no_md4.txt
Last active March 10, 2024 06:26
Fix evil-winrm error on macOS M1: "Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error"
# @author Pichaya Morimoto (p.morimoto@sth.sh)
# gem install evil-winrm
# evil-winrm -u "${user}" -p "${pass}" -i "${ip}"
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
@pich4ya
pich4ya / report.java
Created December 3, 2022 05:34
OS Command Injection Vulnerability in Java Spring
@RestController
public class ReportController {
    @PostMapping("/report")
    public ResponseEntity<String> generateReport(@RequestParam String report_name) {
        String cmd = "bash -c \"generate_report.sh " + report_name + "\"";
        try {
            Process proc = Runtime.getRuntime().exec(cmd);
            int exitValue = proc.waitFor();
            if (exitValue == 0) {
@pich4ya
pich4ya / ctfd_330_exploit.txt
Last active November 25, 2022 16:05
CTFd <= 3.3.0 Exploit: Join CTF teams without knowing the team password or having a team invite
@author Pichaya Morimoto (p.morimoto@sth.sh)
Vulnerability: Broken Access Control/Mass Assignment Vulnerability in CTFd <= 3.3.0
CVE: n/a
Impact:
- Join CTF teams without knowing the team password or having a team invite
- Can switch to another team, and switch back to the old team
Attack Scenario:
@pich4ya
pich4ya / fix_brew_xcode_ventura.txt
Created October 29, 2022 01:22
Fix brew with Xcode's Command Line Tools (CLT) errors on macOS 13.0 Ventura
# @author Pichaya Morimoto
# Problem 1
$ brew upgrade
Error: Your Xcode (14.0.1) is too outdated.
Please update to Xcode 14.1 (or delete it).
Xcode can be updated from the App Store.
Error: Your Command Line Tools (CLT) does not support macOS 13.
It is either outdated or was modified.
@pich4ya
pich4ya / intigrity_may22_xss_chall.txt
Last active June 5, 2022 09:18
Intigriti May '22 XSS Challenge - Prototype Pollution Writeup
@author Pichaya (LongCat) Morimoto (p.morimoto@sth.sh)
Challenge: https://challenge-0522.intigriti.io/challenge/challenge.html
The goal is to achieve XSS even though the page has protections in place:
(1) User input is not rendered directly; the page only accepts an index (a number) and uses it to look up the HTML content to display.
(2) The looked-up HTML content (static, fixed) is additionally sanitized with the filterXSS() function from the lib named xss-js.
Tech Stack:
@pich4ya
pich4ya / install_medusa_macos.txt
Last active June 1, 2022 21:02
Medusa installation on MacOS 12.4
I got this error during `make` for Medusa installation on MacOS 12.4
```bash
git clone https://github.com/jmk-foofus/medusa
cd medusa
./configure
make && make install
[..]
medusa-net.c:349:28: error: implicit declaration of function 'TLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
sslContext = SSL_CTX_new(TLS_client_method());
```
@pich4ya
pich4ya / Spiky_Tamagotchy_Writeup.md
Last active August 6, 2022 06:20
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Spiky Tamagotchy Writeup

info

Captain Spiky comes from a rare species of creatures who can only breathe underwater. During the energy-crisis war, he was captured as a war prisoner and later forced to be a Tamagotchi pet for a child of a general of nomadic tribes. He is forced to react in specific ways and controlled remotely purely for the amusement of the general's children. The Paraman crew needs to save the captain of his misery as he is potentially a great asset for the war against Draeger. Can you hack into the Tamagotchi controller to rescue the captain?

techstack

  • node.js
  • express.js
  • mysql
  • alpine docker
@pich4ya
pich4ya / Genesis_Wallet_Writeup.txt
Created May 19, 2022 13:27
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Genesis Wallet Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
Unintended solution.
Create 2 users. Then transfer an amount of -9999 from one account to the other.
POST /api/transactions/create HTTP/1.1
[...]
Content-Length: 84
@pich4ya
pich4ya / Acnologia_Portal_Writeup.txt
Last active March 7, 2023 13:54
HackTheBox Cyber Apocalypse 2022 Intergalactic Chase - Acnologia Portal Writeup
# author Pichaya Morimoto (p.morimoto@sth.sh)
1. Register and Login
2. Submit Bug Report
Vulns:
- Tar Unzip Path Traversal
- Tar content => Overwrite flask_session's file type
#!/bin/python
# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
# Copyright 2020 Andrew Scott
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE