Skip to content

Instantly share code, notes, and snippets.

from http.server import HTTPServer
from http.server import BaseHTTPRequestHandler
import requests
import sys
import re
import base64
import websocket
import time
import threading
import json
meisai = [...document.querySelectorAll('#meisaiTable tbody tr')]
.filter(tr => === '')
.map(tr => ['td')])
.map(tds => {
const date = tds[1].textContent
const content = tds[2].textContent
const price = tds[7].textContent.replaceAll(/\s/gi, '')
return `${date}\t${content}\t\tクレジットカード:ANAゴールドカード\t${price}`


To solve the challenge we need to upload a symlink file in zipfile.

When we upload zipfile, it will be unzipped and then, symlink in zipfile will be deleted. But if the entry name contains ../, symlink will not be deteled.

Therefore we create a symlink entry foo/../bar in zipfile.

tyage / obelix-template.yml
Created September 3, 2023 05:37
Midnight Sun CTF 2023 Finals - Web Obelix
AWSTemplateFormatVersion: 2010-09-09
Description: A kick-ass cloud app for hacker movienights!
Type: String
Default: api-movies
Description: Name of application.
Type: String
Default: prod
const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))
const frame = document.createElement('iframe');
frame.src = `${encodeURIComponent(location.origin)}`;
const frame2 = document.createElement('iframe');
frame2.src = `${encodeURIComponent(location.origin)}`;
frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols')
from websocket import create_connection
from base64 import b64encode, b64decode
import pickle
ticket = 'ticket{}'
ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket])
"MARK": '(',
tyage /
Last active January 12, 2023 08:26
Automatically analyze generated codeql db
rm -rf $REPO_DIR
mkdir -p $REPO_DIR
git clone --depth 1 "$REPO"
curl "$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o
unzip -q
codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download
tyage / solve.html
Last active December 12, 2021 05:56
chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('')
//chars = '_012345678'.split('')
//chars = '9abcdefgh'.split('')
//chars = 'ijklmnopq'.split('')
//chars = 'rstuvwxyz}'.split('')
let prefix = 'SECCON{'
for (let char of chars) {
setTimeout(() => {
let trial = `${prefix}${char}`
// create viewer element
init = () => {
const renderer = document.querySelector('#renderer')
const viewer = document.createElement('div') = `
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
import javascript
import DataFlow
import DataFlow::PathGraph
class SSRFConfiguration extends TaintTracking::Configuration {
SSRFConfiguration() { this = "SSRFConfiguration" }
override predicate isSource(DataFlow::Node source) {
exists(DataFlow::SourceNode req |
isHTTPRequest(req) and