I think I don't understand Java very well.
The intended solution looks easier, but I didn't find it.
I found another, more complicated solution to solve it.
The deserialization payloads are generated using ysomap.
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if the Desktop Experience feature is installed) when their WebClient service is running. In short, this is accomplished by:
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information, read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
<?php
/*
The algorithm for injecting the payload into a JPG image so that it remains unchanged after the transformations
caused by the PHP functions imagecopyresized() and imagecopyresampled().
It is necessary that the size and quality of the initial image are the same as those of the processed
image.
1) Upload an arbitrary image via the secured file upload script
2) Save the processed image and launch:
apt update
apt -y install wget gnupg dirmngr
wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
gpg --keyserver hkp://keys.gnupg.net --recv-key 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" >> /etc/apt/sources.list
# note: apt-key is deprecated on current Debian/Kali releases; the script otherwise runs as root without sudo
gpg -a --export ED444FF07D8D0BF6 | sudo apt-key add -
apt update
apt -y upgrade
apt -y dist-upgrade
apt -y autoremove --purge
from flask import Flask, abort
from flask.views import MethodView

app = Flask(__name__)

class Teapot(MethodView):
    # MethodView dispatches on the lower-cased request method, so a BREW
    # request is routed to brew()
    methods = ['BREW']

    def brew(self):
        # The body was cut off in the extracted source; abort(418) is the
        # completion implied by the imported abort() and the Teapot name
        # (HTTP 418 "I'm a teapot")
        abort(418)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int mySort(int *numbers, size_t size) {
    // sort in ascending order
    int *data = (int*) malloc(size*sizeof(int));
    int *weights = (int*) malloc(size*sizeof(int));
    int i, j, k;
// run on Microsoft Visual Studio 2015 Express
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#define SIZE 1000001