
· One min read

16 waking hours ÷ 10 minutes = 96

10 minutes is ~1% of your day.

- credit to Taylor Troesh

When the phone scrolling lasts for 10 minutes, or low-priority yak shaving adds up to 10 minutes, that's one percent of your day spent. That's not necessarily a bad thing or a good thing, but make sure it's a thing you want to have spent one percent of your day on.

You only have this many 10-minute moments.

[a row of 96 emoji, one for each 10-minute moment of a waking day, mangled in extraction]

Many minutes, but few moments.

· 4 min read

Summary

Hash extension allows us to enter whatever cookies we choose, without knowledge of the secret, and still pass the website’s checks. Since the cookie is unserialized, we can inject arbitrary PHP objects into the server. By injecting a Post object, we know its destroy method will be called. This method has been redefined to output the Post’s fields in HTML comments after parsing them with the Filter class. The Filter operates by running the given text through preg_replace calls with stored parameters for the match pattern and the substitution. As we have injected the object, we have complete control over these stored parameters, and can thus call preg_replace with the ‘e’ flag, allowing arbitrary command execution. By catting the necessary file at /home/daedalus/flag.txt and substituting all of the Post’s text with the file’s contents, we can print the file’s contents in an HTML comment, and thus get the flag.

· 3 min read

Summary

This problem is a simple XSS challenge. Using persistent XSS in a newly created page, we can steal the admin’s cookies should they choose to visit the page. The “Report to Moderator” button says, “Report this page, and a moderator will personally review it in the next few minutes!” so it is a safe assumption that we can have an admin view our injected code.

· 3 min read

Summary

By UNIONing hard-coded values with the prewritten SELECT statement, we can manually control exactly what data the query returns, and thus meet the program’s requirements.

SELECT * FROM users WHERE username='asdf' UNION SELECT 1337 AS a, 1337 AS b, 1337 AS c, 1337 AS d, 1337 AS e LIMIT 1 -- '

(with “1337” entered as the password)
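To show why the UNION payload above works and how parameterized queries close it, here is an added example (not code from the original post or from the challenge itself); the five-column table layout, the column that holds the password, and the Python/sqlite3 stand-in for the challenge's web app are all assumptions.

```python
import sqlite3

# Constructed in-memory user table: five columns so that the page's
# five-value UNION payload lines up with SELECT * (assumed layout).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, "
        "email TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES (1, 'alice', 's3cret', 'a@example.test', 'user')"
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so a quote in it ends the
    # string literal and the rest is parsed as SQL. The third column
    # (assumed to be the stored password) is compared with what was typed;
    # the str() mirrors a loosely typed comparison in the original app.
    sql = f"SELECT * FROM users WHERE username='{username}'"
    row = conn.execute(sql).fetchone()
    return row is not None and str(row[2]) == password

def login_fixed(conn, username: str, password: str) -> bool:
    # Parameterized query: the username travels as data, never as syntax,
    # so the UNION never reaches the parser and no attacker-chosen row appears.
    sql = "SELECT * FROM users WHERE username=?"
    row = conn.execute(sql, (username,)).fetchone()
    return row is not None and row[2] == password

# The page's payload, typed into the username field, with "1337" as password.
PAYLOAD = (
    "asdf' UNION SELECT 1337 AS a, 1337 AS b, 1337 AS c, 1337 AS d, "
    "1337 AS e LIMIT 1 -- "
)

def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_fixed": login_fixed(conn, "alice", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "1337"),
        "payload_fixed": login_fixed(conn, PAYLOAD, "1337"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'denied'}")
```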