Download static tailscaled binary here
TAILSCALED_SOCKET="/tmp2/$USER/tailscaled.sock"
TAILSCALED_STATE="tailscaled.state"
./tailscaled --tun=userspace-networking --state="$TAILSCALED_STATE" --socket "$TAILSCALED_SOCKET"
// 3D Dom viewer, copy-paste this into your console to visualise the DOM as a stack of solid blocks.
// You can also minify and save it as a bookmarklet (https://www.freecodecamp.org/news/what-are-bookmarklets/)
(() => {
  const SHOW_SIDES = false; // color sides of DOM nodes?
  const COLOR_SURFACE = true; // color tops of DOM nodes?
  const COLOR_RANDOM = false; // randomise color?
  const COLOR_HUE = 190; // hue in HSL (https://hslpicker.com)
  const MAX_ROTATION = 180; // set to 360 to rotate all the way round
  const THICKNESS = 20; // thickness of layers
  const DISTANCE = 10000; // ¯\\_(ツ)_/¯
ILIKETRAINS was a hardware challenge in Google CTF 2022 that involved a logic circuit built with a rail network in OpenTTD. The circuit had to be solved, with the input bits being the solution.
For the challenge, we were given just the savegame file for the game.
In this writeup, I'll take a similar approach to what LiveOverflow did in his minetest challenge writeup for Google CTF 2019, tracing the logic circuit from the output to the inputs while trying to explain most of the steps I took along the way. The two challenges are very similar to each other (after the CTF concluded, the organizers said that they had even used the same tool to generate the map, with some adaptations for a different game), but I'm sure this writeup will be helpful for someone anyway.
Because this writeup is pretty long since I tried to keep it detailed, here are some shortcuts to skip to rele
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information, read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
It's come to my attention that some people have been spamming issue trackers with a link to this gist. While it's a good idea to inform people of the situation in principle, please do not do this. By all means spread the word in the communities that you are a part of, after verifying that they are not aware yet, but unsolicited spam is not helpful. It will just frustrate people.
A number of things have happened since the last update.
; x96 shellcode (x32+x64) by [email protected]
; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm
section .text
bits 32
_main:
    call entry
entry:
    mov ax, cs
    sub ax, 0x23
    jz retTo32b
#!/bin/bash
#
# Author: seadog007
# Date: 2021/01/03
# Description: Adding DHCP Lease & Static ARP & IP Whitelist from phpIPAM
# which makes phpIPAM actually managed IPs
#
ipam='192.168.1.5'
$ nc another-universe.chal.ctf.westerns.tokyo 80
GET /(primary:debug/answer) HTTP/1.1
Host: another-universe.chal.ctf.westerns.tokyo
//const lam1_fun = (n, k) => x => fib_cps((n-2), lam2_fun(x, k))
const lam1_def = (n, k) => ({
  tag: 'lam1',
  n: n,
  k: k
})
//const lam2_fun = (x, k) => y => k(x+y)
const lam2_def = (x, k) => ({
  tag: 'lam2',
<?php
// copied from python code at https://stackoverflow.com/a/23221582/3103058
function base32_decode($key) {
    // https://www.php.net/manual/en/function.base-convert.php#122221
    $key = strtoupper($key);
    list($t, $b, $r) = array("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "", "");
    foreach(str_split($key) as $c)
        $b = $b . sprintf("%05b", strpos($t, $c));
    foreach(str_split($b, 8) as $c)
        $r = $r . chr(bindec($c));