
@BenGardiner
BenGardiner / Advent Calendar of Advanced Cyber Fun 2018 Writeup.md
Last active December 27, 2018 13:18
Advent Calendar of Advanced Cyber Fun 2018 Writeup

This is a writeup of the solutions to the Advent Calendar of Advanced Cyber Fun 2018. If you're not familiar, this is an advent-themed challenge, so there was one new challenge each day from Dec 1st to Dec 24th. The challenges focused on exotic networking features. Usually, successfully connecting would win, but sometimes challenge-response was necessary too.

The Advent Calendar of Advanced Cyber Fun 2018 was organized by @_takeshix and @lod108; a big special thanks to them -- this was a ton of xmas fun!

Port 1

I'll quote the challenge description that they posted on https://xmas.rip here:

Sometimes it's hard to remember all of those silly port numbers. And there is this restriction of 65535 ports, but santa wanted to host this year's wishlist protocol on TCP 24122018! Wouldn't it be great to access services based on their name, and not their port number?! So Santa is hosting the wishlist service with the help of old school technology: RFC1078. Send him your wishlist!
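As an added worked example (not code from the writeup or from the challenge server), here is the RFC 1078 TCPMUX exchange the challenge relies on, in Python and with both sides shown: the client connects, sends the service name followed by CRLF, and reads one reply line; "+" means the connection now belongs to the named service, "-" carries a reason and the server closes. The reserved name HELP makes the server list its service names one per line, which is also why TCPMUX was a handy enumeration target. The "wishlist" service, its messages and the demo payload are constructed for this example, and the listener binds an ephemeral localhost port rather than port 1 so it runs unprivileged.

```python
import socket
import threading

# Added illustration of RFC 1078 (TCPMUX); not the xmas.rip challenge server.
# The service name "wishlist", its greeting and the demo payload are constructed.
# Real TCPMUX listens on TCP port 1; the demo binds an ephemeral port so it
# runs without root.


def wishlist_service(conn, reader):
    """Hypothetical 'wishlist' service that runs once TCPMUX has replied '+'.

    Reads items line by line until a blank line, then acknowledges and returns;
    the mux handler closes the connection afterwards."""
    items = []
    while True:
        line = reader.readline()
        if not line or line in (b"\r\n", b"\n"):
            break
        items.append(line.rstrip(b"\r\n"))
    conn.sendall(f"Ho ho ho, received {len(items)} item(s)\r\n".encode("ascii"))


# Service table: name -> handler(conn, reader). Names are case-insensitive (RFC 1078).
SERVICES = {"wishlist": wishlist_service}


def serve_one(conn):
    """TCPMUX server side for one accepted connection.

    First line from the client is the service name + CRLF.  HELP lists the
    supported names one per line and closes; otherwise reply '+' and hand the
    connection to the service, or '-' plus a reason and close."""
    reader = conn.makefile("rb")
    try:
        name = reader.readline().rstrip(b"\r\n").decode("ascii", "replace").lower()
        if name == "help":
            conn.sendall(b"".join(f"{n}\r\n".encode("ascii") for n in sorted(SERVICES)))
            return
        handler = SERVICES.get(name)
        if handler is None:
            conn.sendall(b"-no such service\r\n")  # negative ack, then close
            return
        conn.sendall(b"+\r\n")  # positive ack: the selected protocol starts now
        handler(conn, reader)
    except OSError:
        pass  # peer went away mid-exchange; nothing more to do
    finally:
        reader.close()
        conn.close()


def start_mux(port=0):
    """Start a TCPMUX listener on 127.0.0.1; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def tcpmux_request(host, port, service, payload=b""):
    """TCPMUX client: returns (accepted, text).

    Sends the service name + CRLF.  For HELP the whole listing is returned.
    Otherwise the first reply line decides: '-' -> (False, reason); '+' -> send
    payload to the now-selected service and return what it sends until close."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(service.encode("ascii") + b"\r\n")
        reader = s.makefile("rb")
        if service.lower() == "help":
            return True, reader.read().decode("ascii", "replace")
        ack = reader.readline().rstrip(b"\r\n").decode("ascii", "replace")
        if not ack.startswith("+"):
            return False, ack
        s.sendall(payload)
        return True, reader.read().decode("ascii", "replace")


if __name__ == "__main__":
    srv, port = start_mux()
    print(tcpmux_request("127.0.0.1", port, "HELP"))
    print(tcpmux_request("127.0.0.1", port, "WISHLIST", b"bike\r\nlego\r\n\r\n"))
    print(tcpmux_request("127.0.0.1", port, "nosuch"))
    srv.close()
```

Against a real TCPMUX host the same client works with `port=1`; sending `HELP` first is the quickest way to learn which names the multiplexer will accept before trying the one the challenge hints at.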

#!/usr/bin/env python3
# encoding: utf-8
# Licensed under GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt
# requires
# - wmctrl
# - vlc
# - irssi
# - terminal emulator with '-e' switch
# - bwm-ng (optional for bandwith display)
#!/usr/bin/env python2
#
# OpenSSL heap overflow PoC
# Found by ZDI - ZDI-14-173 // CVE-2014-0195
# PoC by @_hugsy_
#
# Ref: https://tools.ietf.org/html/rfc6347
#
import socket, struct
@epixoip
epixoip / cloudflare_challenge
Last active December 2, 2023 11:53
How I obtained the private key for www.cloudflarechallenge.com
I wasn't first to get the key. Nor was I second, third, or even fourth. I'm probably not even the 10th to get it (ok, looks like I was the 8th). But I'm happy that I was able to prove to myself that I too could do it.

First, I have to admit I was a skeptic. Like the handful of other dissenters, I had initially believed that it would be highly improbable under normal conditions to obtain the private key through exploiting Heartbleed. So this was my motivation for participating in Cloudflare's challenge. I had extracted a lot of other things with Heartbleed, but I hadn't actually set out to extract private keys. So I wanted to see first-hand if it was possible or not.
@joernchen
joernchen / bounty.txt
Created February 22, 2014 16:17
Bounty writeup
GitHub RCE by Environment variable injection Bug Bounty writeup
Disclaimer: I'll keep this really short, but I hope you'll get the key points.

GitHub blogged a while ago about some internal tool called gerve:
https://github.com/blog/530-how-we-made-github-fast

Upon git+sshing to github.com, gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further in another forced SSH session to the back end where the repo actually is.