shigenobuokamoto

[Unit]
Wants=network-pre.target
Before=network-pre.target shutdown.target

[Service]
User=root
ExecStart=/bin/sh -ec '\
  [ -x /usr/bin/wslinfo ] && [ "$(/usr/bin/wslinfo --networking-mode)" = "mirrored" ] || exit 0;\
  echo 1 > /proc/sys/net/ipv4/conf/all/route_localnet;\
  nft add rule ip nat WSLPOSTROUTING "iif \"loopback0\" ip saddr 127.0.0.0/8 ip daddr != 127.0.0.0/8 counter masquerade comment mirrored"\

anonhostpi

# https://gist.github.com/anonhostpi/fe3c88c8371b0a495ff39942d8aeadac

function global:Get-WSLNetMapping {
    # Notify user if Mirroring Mode is not enabled

    param(
        [Alias("d")]
        $Distribution
    )

ashtonmeuser

//bookmarklet-title: Canvas DL
//bookmarklet-about: When playing skribbl.io and someone has made a nice drawing, this lets you download the current drawing as a PNG.

var w = window.wdq || (window.wdq = document.createElement("a"));
var p = /The word was '([^']*)'/g,
    pp = /<span>([^<>]+) is drawing now!/g,
    tt = document.body.innerHTML;
var mm, nn, xx;
while (mm = p.exec(tt)) nn = mm;
while (mm = pp.exec(tt)) xx = mm;

SMUsamaShah

Browser Based

1. Web Wormhole https://webwormhole.io/ https://github.com/saljam/webwormhole
2. ToffeeShare https://toffeeshare.com/
3. FilePizza https://file.pizza/
4. ShareDrop sharedrop.io https://github.com/szimek/sharedrop (SOLD, not recommended, use one of the forks)
   1. A clone SnapDrop snapdrop.net https://github.com/RobinLinus/snapdrop (SOLD, not recommended, use one of the forks)
      1. A fork PairDrop https://pairdrop.net/ https://github.com/schlagmichdoch/pairdrop
5. Instant.io https://instant.io/
6. FileTC https://file.tc/

leesh3288

Sandbox Escape in [email protected] via custom inspect function

Summary

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Proof of Concept

leesh3288

Sandbox Escape in [email protected] via Promise[@@species]

Summary

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code.

Proof of Concept

leesh3288

Sandbox Escape in [email protected]

Summary

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

MaxXSoft

FROM ubuntu:20.04

RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y \
  python3 build-essential

WORKDIR /root

terjanq

Postviewer - writeup

Challenge's overview

The rumor tells that adm1n stores their secret split into multiple documents. Can you catch 'em all? https://postviewer-web.2022.ctfcompetition.com

The challenge consisted of an all client-side simple page, i.e. no backend code was involved. A user can upload any file which will be then locally stored in indexedDB. They can preview their files by either clicking on the title or by visiting file's URL, for example https://postviewer-web.2022.ctfcompetition.com/#file-01d6039e3e157ebcbbf6b2f7cb2dc678f3b9214d. The preview of the file is rendered inside a blob created from data: URL. The rendering occurs by sending file's contents to the iframe via postMessage({ body, mimeType }, '*')

Additionally, there is a /bot endpoint which lets players send URLs to an xss-bot imitating another user. The goal is to steal their documents.

satoooon8888

#!/bin/bash -ex

LIBC=$(ls * | grep -P '^(libc\.so\.6|libc-.*\.so)$')

LIBC_DBG_DEB="$(~/package/libc-database/identify $LIBC | sed s/libc6_/libc6-dbg_/g).deb"
if [[ ! -e $LIBC_DBG_DEB ]]; then
	wget http://archive.ubuntu.com/ubuntu/pool/main/g/glibc/$LIBC_DBG_DEB
fi
DEBUGID=$(file $LIBC | grep -Po '(?<=BuildID\[sha1\]=)[0-9a-f]{40}')