takeshix takeshixx

BenGardiner / Advent Calendar of Advanced Cyber Fun 2018
Last active Dec 27, 2018
Advent Calendar of Advanced Cyber Fun 2018 Writeup

This is a writeup of the solutions to the Advent Calendar of Advanced Cyber Fun 2018. If you're not familiar, this is an advent-themed challenge so there was one new challenge each day from Dec 1st to Dec 24th. The challenges focused on exotic networking features. Usually, successfully connecting would win but sometimes challenge-response was necessary too.

The Advent Calendar of Advanced Cyber Fun 2018 was organized by @_takeshix and @lod108 and a big special thanks to them -- this was a ton of xmas fun!

Port 1

I'll quote the challenge description that they posted here:

Sometimes it's hard to remember all of those silly port numbers. And there is this restriction of 65535 ports, but Santa wanted to host this year's wishlist protocol on TCP 24122018! Wouldn't it be great to access services based on their name, and not their port number?! So Santa is hosting the wishlist service with the help of old-school technology: RFC1078. Send him your wishlist!

#!/usr/bin/env python3
# encoding: utf-8
# Licensed under GPLv3
# requires
# - wmctrl
# - vlc
# - irssi
# - terminal emulator with '-e' switch
# - bwm-ng (optional for bandwidth display)

#!/usr/bin/env python2
# OpenSSL heap overflow PoC
# Found by ZDI - ZDI-14-173 // CVE-2014-0195
# PoC by @_hugsy_
# Ref:
import socket, struct
View cloudflare_challenge
I wasn't first to get the key. Nor was I second, third, or even fourth. I'm probably not even the 10th to get it (ok, looks like I was the 8th.) But I'm happy that I was able to prove to myself that I too could do it.

First, I have to admit I was a skeptic. Like the handful of other dissenters, I had initially believed that it would be highly improbable under normal conditions to obtain the private key through exploiting Heartbleed. So this was my motivation for participating in Cloudflare's challenge. I had extracted a lot of other things with Heartbleed, but I hadn't actually set out to extract private keys. So I wanted to see first-hand if it was possible or not.
View bounty.txt
GitHub RCE by Environment variable injection Bug Bounty writeup
Disclaimer: I'll keep this really short but I hope you'll get the key points.
GitHub blogged a while ago about some internal tool called gerve:
Upon git+sshing to gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further in another forced SSH session to the back end where the repo actually is.