Tony Yang t510599

## dom3d.js
// 3D Dom viewer, copy-paste this into your console to visualise the DOM as a stack of solid blocks.
// You can also minify and save it as a bookmarklet (https://www.freecodecamp.org/news/what-are-bookmarklets/)
(() => {
  const SHOW_SIDES = false; // color sides of DOM nodes?
  const COLOR_SURFACE = true; // color tops of DOM nodes?
  const COLOR_RANDOM = false; // randomise color?
  const COLOR_HUE = 190; // hue in HSL (https://hslpicker.com)
  const MAX_ROTATION = 180; // set to 360 to rotate all the way round
  const THICKNESS = 20; // thickness of layers
  const DISTANCE = 10000; // ¯\\_(ツ)_/¯

## 00-writeup.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                szymex73
                / 00-writeup.md
            
            
              Last active
              July 8, 2022 17:10
            
              
                Google CTF 2022 - ILIKETRAINS
              
          
    ILIKETRAINS

ILIKETRAINS was a hardware challenge on Google CTF 2022 that involved a logic circuit built with a rail network in OpenTTD which had to be solved with the input bits being the solution.
For the challenge, we were given just the savegame file for the game.
In this writeup, I'll take a similar approach to what LiveOverflow did in his minetest challenge writeup for Google CTF 2019 tracing the logic circuit from the output to the inputs while trying to explain most of the steps I took along the way.
The two challenges are very similar to each other (after the CTF concluded the organizers said that they've even used the same tool to generate the map, with some adaptations for a different game) but I'm sure this writeup will be helpful for someone anyway.
Because this writeup is pretty long since I tried to keep it detailed, here are some shortcuts to skip to rele

  
## writeup.md

      
              1 file
            
          
              19 forks
            
          
              2 comments
            
          
              94 stars
            
          
                loknop
                / writeup.md
            
            
              Created
              December 30, 2021 14:59
            
              
                Solving "includer's revenge" from hxp ctf 2021 without controlling any files
              
          
    Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

  
## freenode-faq.md

      
              1 file
            
          
              7 forks
            
          
              115 comments
            
          
              172 stars
            
          
                joepie91
                / freenode-faq.md
            
            
              Last active
              April 1, 2024 03:22
            
          
    The Freenode resignation FAQ, or: "what the fuck is going on?"

IMPORTANT NOTE:

It's come to my attention that some people have been spamming issue trackers with a link to this gist. While it's a good idea to inform people of the situation in principle, please do not do this. By all means spread the word in the communities that you are a part of, after verifying that they are not aware yet, but unsolicited spam is not helpful. It will just frustrate people.
Update 3 (May 24, 2021)

A number of things have happened since the last update.

  
## x96shell_msgbox.asm
; x96 shellcode (x32+x64) by aaaddress1@chroot.org
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
section .text
bits 32
_main:
call entry
entry:
mov ax, cs
sub ax, 0x23
jz retTo32b

## phpipam.sh
#!/bin/bash

#
# Author: seadog007
# Date: 2021/01/03
# Description: Adding DHCP Lease & Static ARP & IP Whitelist from phpIPAM
#              which makes phpIPAM actually managed IPs
#

ipam='192.168.1.5'

## Angular of Another Universe
$ nc another-universe.chal.ctf.westerns.tokyo 80
GET /(primary:debug/answer) HTTP/1.1
Host: another-universe.chal.ctf.westerns.tokyo

## fib_cps_defun.js
//const lam1_fun = (n, k) => x => fib_cps((n-2), lam2_fun(x, k))
const lam1_def = (n, k) => ({
    tag: 'lam1',
    n: n,
    k: k
})

//const lam2_fun = (x, k) => y => k(x+y)
const lam2_def = (x, k) => ({
    tag: 'lam2',

## mini_google_authenticator.php
<?php
// copied from python code at https://stackoverflow.com/a/23221582/3103058
function base32_decode($key) {
  // https://www.php.net/manual/en/function.base-convert.php#122221
  $key = strtoupper($key);
  list($t, $b, $r) = array("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "", "");
  foreach(str_split($key) as $c)
    $b = $b . sprintf("%05b", strpos($t, $c));
  foreach(str_split($b, 8) as $c)
    $r = $r . chr(bindec($c));

## plink-plonk.js
/*
Copy this into the console of any web page that is interactive and doesn't
do hard reloads. You will hear your DOM changes as different pitches of
audio.

I have found this interesting for debugging, but also fun to hear web pages
render like UIs do in movies.
*/

const audioCtx = new (window.AudioContext || window.webkitAudioContext)()
	// 3D Dom viewer, copy-paste this into your console to visualise the DOM as a stack of solid blocks.
	// You can also minify and save it as a bookmarklet (https://www.freecodecamp.org/news/what-are-bookmarklets/)
	(() => {
	const SHOW_SIDES = false; // color sides of DOM nodes?
	const COLOR_SURFACE = true; // color tops of DOM nodes?
	const COLOR_RANDOM = false; // randomise color?
	const COLOR_HUE = 190; // hue in HSL (https://hslpicker.com)
	const MAX_ROTATION = 180; // set to 360 to rotate all the way round
	const THICKNESS = 20; // thickness of layers
	const DISTANCE = 10000; // ¯\\_(ツ)_/¯
	; x96 shellcode (x32+x64) by aaaddress1@chroot.org
	; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
	section .text
	bits 32
	_main:
	call entry
	entry:
	mov ax, cs
	sub ax, 0x23
	jz retTo32b
	#!/bin/bash

	#
	# Author: seadog007
	# Date: 2021/01/03
	# Description: Adding DHCP Lease & Static ARP & IP Whitelist from phpIPAM
	# which makes phpIPAM actually managed IPs
	#

	ipam='192.168.1.5'
	$ nc another-universe.chal.ctf.westerns.tokyo 80
	GET /(primary:debug/answer) HTTP/1.1
	Host: another-universe.chal.ctf.westerns.tokyo
	//const lam1_fun = (n, k) => x => fib_cps((n-2), lam2_fun(x, k))
	const lam1_def = (n, k) => ({
	tag: 'lam1',
	n: n,
	k: k
	})

	//const lam2_fun = (x, k) => y => k(x+y)
	const lam2_def = (x, k) => ({
	tag: 'lam2',
	<?php
	// copied from python code at https://stackoverflow.com/a/23221582/3103058
	function base32_decode($key) {
	// https://www.php.net/manual/en/function.base-convert.php#122221
	$key = strtoupper($key);
	list($t, $b, $r) = array("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "", "");
	foreach(str_split($key) as $c)
	$b = $b . sprintf("%05b", strpos($t, $c));
	foreach(str_split($b, 8) as $c)
	$r = $r . chr(bindec($c));
	/*
	Copy this into the console of any web page that is interactive and doesn't
	do hard reloads. You will hear your DOM changes as different pitches of
	audio.

	I have found this interesting for debugging, but also fun to hear web pages
	render like UIs do in movies.
	*/

	const audioCtx = new (window.AudioContext \|\| window.webkitAudioContext)()