airsmeller
SRC: https://library.m0unt41n.ch/challenges/air-smeller
This challenge had a bot component and a leave-a-review component. It was quite clear the goal was to achieve XSS, but the inputs were sanitized using DOMPurify v19.0.0. At first glance I spent a ton of time looking for other...
flagkeeper
SRC: https://library.m0unt41n.ch/challenges/flagkeeper
This challenge required us to access the admin's flag in the database. It had a fully fledged API worked out, and the main way to obtain the flag would be to use the admin's API token to request /api/flag for the flag. So I skimmed...
sentry-as-navigation
SRC: https://library.m0unt41n.ch/challenges/sentry-as-navigation
This challenge provides a tool to fetch and display certificate information. There is a clear and easy-to-find vulnerability in the code which allows RCE.
for entry in san_entries:
match =...
lost-pass
SRC: https://library.m0unt41n.ch/challenges/lost-pass
This challenge requires us to auth as admin to obtain the flag within the dashboard page. After skimming the code we can see JWT session tokens, a registration function not visible in the frontend, and so on. This misled me to...
i
SRC: https://library.m0unt41n.ch/challenges/i
In this challenge we are very obviously able to inject code into a style tag of the page. Our goal is to obtain an admin session/username to make the server display the flag. The challenge includes a bot, which we can control (make him visit...
office-press
SRC: https://library.m0unt41n.ch/challenges/office-press
Basically just a normal WordPress installation with a vulnerable plugin installed.
Google: CVE-2023-6553 Exploit
Find -> https://github.com/Chocapikk/CVE-2023-6553
When working with WP, wp-scan is a great tool; get an API key...
mr-template-man
SRC: https://library.m0unt41n.ch/challenges/mr-template-man
XSS injection and RCE via insecure template functionality. OS is wrapped and provided within our templating, which combined with the content XSS results in fully abusable RCE.
@app.route("/", methods=["GET"])
def...
pawnedhaveibeen
SRC: https://library.m0unt41n.ch/challenges/pawnedhaveibeen
Source is given; the POST form has a command injection through subprocess in py.
@app.route('/check', methods=['POST'])
def check_pawn():
username_or_email = request.form['username_or_email']
mysql_username =...
Calculator
SRC: /mnt/ain lib -> https://library.m0unt41n.ch/challenges/calculator
Pretty much just a Python shell, due to it passing user input to eval() without any sanitization...
Serverless Login
SRC: /mnt/ain lib -> https://library.m0unt41n.ch/challenges/serverless-login
Like the name indicates, there isn't an actual backend; the sqlite3 db is delivered to the frontend combined with the Python logic for auth.
The main concept is that the flag is encrypted and can only be...
Disclaimer
This blog post is for educational and research purposes only. Bypassing anti-cheat mechanisms in online games violates terms of service and can result in bans. Do not attempt to use this knowledge for malicious or unfair gameplay. In addition, this information might be outdated once...
The anti-cheat writes the driver to %TEMP%, loads it, and then deletes it. The script catches it in this narrow time window, no kernel debugging or exploit needed.
They tried to hide it or make it harder by randomizing the filename for whatever reason, so we use pattern matching on NEP* lolz...
TL;DR
basic buffer overflows
overwriting return addies 2 win
1. what are we working with?
64‑bit ELF (ET_EXEC), NX enabled, no PIE ⇒ every address is static
Three hidden flag functions in .text:
win1() → prints flag1.txt (no args)
win2(arg) → prints DEADBEEF.txt (needs one 64‑bit arg)...
TL;DR
0x100byte blob -> lookup table -> SBOX
additive key stream; decoding = inverse table + modular subtraction
1. I skimmed the instructions and found an interesting loop
2. right b4 the loop, a counter and starting key were inited
3. identified how key is being transformed
wrapping...
TL;DR
Running the 64‑bit ELF prints only four innocuous lines. In the disassembler you immediately notice ~20 consecutive mov …, imm64 instructions that fill a 160‑byte stack buffer before the first puts.
That buffer holds the obfuscated flag.
1. Create an array of 20 Qwords at that address...
Ye sup sup,
It got hella annoying manually managing multiple nginx server blocks etc., so I created a lil dynamic host reverse proxy abusing Docker, its networking, nginx and OpenResty. Currently all hard-coded, only some SQLi/XSS detection, and combination with Cloudflare required. Will extend...
Howdy folks, 0x90 here, your friendly neighborhood CISO and occasional bug bounty hunter. Over the past few months, I’ve been on a cyber-adventure through the world of Swiss software giants. And let me tell you, what I found lurking behind their pristine veneers was enough to make even the...
Introduction
Creating a robust usermode anti-cheat for the HorizonMW project has been one of the most challenging yet rewarding experiences I've undertaken. Without kernel access, the task became exponentially more complex, as many conventional cheat detection mechanisms rely heavily on...