@Siguza
Siguza / sandbox_spawn.c
Created August 28, 2025 05:15
sandbox-exec but for builtin profiles
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
extern char **environ;
typedef struct
{
uint32_t version;
uint32_t size;
@farisv
farisv / rwctf-5th-dark-portal-writeup.md
Last active March 10, 2026 05:04
Real World CTF 5th (2023): Dark Portal Writeup

I participated in Real World CTF 5th with the new team SKSD and got 12th place, enough to get the merchandise prize this year. Usually the top 12 of Real World CTF get invited to China for the final, but this year's competition is online only.

This is the write-up of one of the web challenges, Dark Portal.

Problem

@stong
stong / tee.py
Last active April 29, 2022 04:48
Duplicate pwntools process output to stdout with tee(2) syscall
import sys
import os
from pwn import *
def tee_process(p):
import threading
import ctypes
libc = ctypes.CDLL(None)
splice = libc.splice
tee = libc.tee
@Siguza
Siguza / phoenix.c
Last active March 7, 2026 23:37
Phœnix exploit / iOS 9.3.5
// Bugs by NSO Group / Ian Beer.
// Exploit by Siguza & tihmstar.
// Thanks also to Max Bazaliy.
#include <stdint.h> // uint32_t, uint64_t
#include <stdio.h> // fprintf, stderr
#include <string.h> // memcpy, memset, strncmp
#include <unistd.h> // getpid
#include <mach/mach.h>
#include <stdlib.h>
@farazsth98
farazsth98 / harekaze_mini_ctf_2020.md
Last active February 27, 2021 05:24
Harekaze mini CTF 2020

I played Harekaze Mini CTF 2020 for about 3 hours this weekend. The pwn challenges were nice (I especially enjoyed nm-game-extreme). Here are some short writeups.

shellcode

The program just tells you to provide shellcode that will execute execve("/bin/sh", NULL, NULL). It gives you the address of the "/bin/sh" string, so you just create shellcode to do the job and send it:

#!/usr/bin/env python3

from pwn import *
@stong
stong / cheese.cpp
Last active August 28, 2024 01:26
pbctf 2020: Jiang Ying's Disasssembler author's writeup
// TLDR:
// Whitebox 128-bit rsa with e=17. Input is multiplied by a constant before the RSA
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
extern "C" void __fastcall rsa_encrypt (uint8_t* in, uint8_t* out);
// 1. Func is ~90kb, and control flow is simple. Should be decompilable just extremely SLOW.
@geohot
geohot / prius_kf.py
Last active March 9, 2021 07:36
Prius Steering Angle Kalman Filter
%pylab inline
%load_ext autoreload
%autoreload 2
from tools.lib.route import Route
from tools.lib.logreader import LogReader
r,num = Route("ce2fbd370f78ef21|2020-11-27--16-27-28"),10
#r,num = Route("f66032c2b5aa18ac|2020-12-04--09-33-54"),30
alr = []
for n in range(num-1, num+5):
@LiveOverflow
LiveOverflow / hireme.ipynb
Created November 20, 2020 10:46
Hire me!!!!!!!!
@byt3bl33d3r
byt3bl33d3r / eventvwr_crash.py
Created September 18, 2020 08:12
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidentally re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)
@Siguza
Siguza / assym.c
Created August 26, 2020 15:08
Apple Silicon kernels
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <mach-o/loader.h>
#include <mach-o/nlist.h>
int main(int argc, const char **argv)
{
if(argc != 2)