2024-04-03 20:58:26

overall useful website/tools

– web –

– rev –

  • disasm.pro to disassemble bytecode online
  • fernflower to decompile java bytecode, made by JetBrains
  • angr to get solution of input or sth

–misc –

  • z3 to find solution under constrains
  • dcode to decode anything
  • CyberChef combine multiple tools to do sth
  • pylingual decompiling pyc file

–forensics / osint –

– crypto –

– pwn –

– I don’t know where to put –

  • gtfobins to search for binaries that can be used to get root shell under certain conditions
  • revshells.com to generate reverse shell code
  • PEASS-ng to enumerate windows/linux privilege escalation


  • add . dot at the end of domain to bypass simple check example.com.

DOM Clobbering


  • CSS Font Cascading People can use unicode-range to do cascading.
  • Font side-channel Font Review BuckeyeCTF 2023 - use linguistics to make page overflow in order to leak the flag char by char.
  • STTF reference, basically, use :target in style in order to send request if the scroll to text fragment part is matched.

NoSQL Injection


JSDom jail

CORS bypass

  • makes-sense ASIS-ctf-qual 2023 use shadow dom to let inside iframe access parent‘s document by shadowContainer.attachShadow. Basically is let e.source in window.onmessage = e=>(e.source == top && e.source.length == 0 ? eval(e.data) : '') is not undefined.

CSP bypass

JavaScript Jail

  • inside of function: use var process=this.constructor.constructor("return process;")(); to get process object. Then use var require = global.require || global.process.mainModule.constructor._load;, the script here spawnSync.js, or even this.require to get RCE.


find solution under constrains

Use z3-solver, e.g. based emoji hackasat qual 2023

python jail / pyjail

  • starship CrewCTF 2023 character limit: @^_":,. and acsii letters; type: @__build_class__.__self__.exec\r@__build_class__.__self__.input\rclass\x0cx:pass.
  • Bonus_The_Revenge_of_Checkpass_1 BxMCTF 2023 eval(inp, {'__builtins__': None}, None); type: ().__class__.__bases__[0].__subclasses__().
  • Username_Decorator BxMCTF 2023 Flask escape; type: ().__class__.__bases__[0].__subclasses__().
  • 'f{32:c}' can format an int to char (equalivant to chr(32)).
  • use other fonts to bypass alphabet filter (e.g. use Italic alphabet from ItalicTextGenerator and use long underline like _𝘤𝘭𝘢𝘴𝘴_) Zero uoftctf-2024.
  • PWN pyjail
    • use ctype to override the definition of function (e.g. os._exit) diligent-auditor DiceCTF-2024-qual
    • use this behavior to do PWN IRS DiceCTF-2024-qual
    • use UAF in field like issues#91153 audit hook POC
  • use vars() and |= to add functions into globals(concat two dictionaries): x=vars();x|=vars(list)
  • use match to get member method or properties pep-0636: cast dict(items=items1): print(items1())
  • use gc module to get locals inside function or deleted object


Angr to find solution for input

2024-04-03 20:58:26