🆎**********************************
Be Lazy~

stypr

@stypr
stypr / README.md
Last active April 19, 2021 08:15
BingoCTF 2020: Web - Temporary [Easy]

web: temporary writeup

There are two instances, namely public and internal. We can get the address of public by leaking $_SERVER['REMOTE_ADDR'] in phpinfo.php?phpinfo.

$_SERVER['SERVER_NAME']	_
$_SERVER['SERVER_PORT']	80
$_SERVER['SERVER_ADDR']	172.21.0.2
@stypr
stypr / README.md
Last active April 19, 2021 08:15
BingoCTF 2020: Web - simpleboard [Medium]

web: simpleboard writeup

Let's check the main page's source code by view-source (view-source:http://web1.bingo.hypwnlab.com:12044/)

As we see in the following, the server loads an image from a website.

        <h3 class="text-center text-white pt-5"><img src="/?image=6c6f676f.png"></h3>

Let's take a look at the function in init.php that loads the image.

@stypr
stypr / README.md
Last active November 24, 2021 19:43
BingoCTF 2020: Web - Guestbook [Hard]

web: guestbook writeup

Checking configs/worker

docker-compose.yml

Docker-compose is built in a way that

  1. private has flag in /flag
  2. redis / worker are used. This is only used for admin to check the challenge.
@stypr
stypr / exploit.js
Last active May 30, 2022 02:41
DEFCON 30 discoteq exploit PoC
// run before send
const originalSend = WebSocket.prototype.send;
window.sockets = [];
WebSocket.prototype.send = function(...args) {
    if (window.sockets.indexOf(this) === -1)
        window.sockets.push(this);
    return originalSend.call(this, ...args);
};
// run after send
@stypr
stypr / liveart.md
Created June 12, 2022 10:13
picoCTF 2022 liveart / noted exploit

TL;DR

Exploiting a react app by customElement and is=is pollution

Solution

  1. There is a bug with the hydration, so we can pollute prop of the <img> tag.
  2. Error message is triggered when the window.width < 600. Interestingly, location.hash fills the props upon displaying the error message.
  3. When the error message is shown and you try to resize your window.width > 600, <img> is shown again.
  4. Since there is a dehydration bug, prop gets filled with the existing location.hash, making it possible to add additional attributes on the `` tag.
@stypr
stypr / polluted_web.js
Last active May 1, 2024 07:54
maildev preauth RCE 0day
'use strict'
/**
* MailDev - routes.js
*/
const express = require('express')
const compression = require('compression')
const pkg = require('../package.json')
const { filterEmails } = require('./utils')
@stypr
stypr / configure-ipv6.service
Last active February 22, 2025 23:02
Oracle OCI IPv6 autodiscovery
# /etc/systemd/system/configure-ipv6.service
[Unit]
Description=Configure IPv6 address and Add IPv6 Default Route via Script
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/configure_ipv6.sh
@stypr
stypr / cf.py
Created February 22, 2025 22:59
Cloudflare 4.0.0 Automatic DDNS renewal
#!/usr/bin/python3 -u
# make sure to set crontab
# 0 0 * * * python3 /root/cf.py
import sys
import logging
from collections import Counter
import requests
import cloudflare