Tools

nvd_feed_api

A simple ruby API/library for managing NVD CVE feeds. The API will help you to download and manage NVD Data Feeds, search for CVEs, build your vulnerability assessment platform or vulnerability database.

Flask Session Cookie Decoder/Encoder

A simple python script that let you encode and decode a Flask session cookie.

RABID

A CLI tool and library allowing to simply decode all kind of BigIP cookies.

HAITI

A CLI tool to identify the hash type of a given hash.

ctf-party

A library to enhance and speed up script/exploit writing for CTF players (or security researchers, bug bounty hunters, pentesters but mostly focused on CTF) by patching the String class to add a short syntax of usual code patterns.

itdis

Is a small tool that allows you to check if a list of domains you have been provided is in the scope of your pentest or not.

PixelChart

Map binary data into a beautiful chart.

VBSmin

VBScript minifier CLI tool and library

Exploits

Umbraco RCE

Umbraco CMS 7.12.4 - (Authenticated) Remote Code Execution

AtMail Exploit toolchain

AtMail Email Server Appliance 6.4 - Exploit toolchain (XSS > CSRF > RCE)

OpenEMR RCE

OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

Bludit Auth BF mitigation bypass

Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass

Other projects

Offensive Security Exam Report Template in Markdown

Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report.

XSS classification model

XSS classification model - Types of Cross-Site Scripting

Challenges

Men in black box

A web challenge that was available during SigSegV1 CTF (2018). It was a Boolean-based Blind SQLi with WAF.

Sensory Domination Droid

A programming challenge that was available during SigSegV1 CTF (2018). It was an IRC bot, the goal was to parse private IRC messages.

Fat

A web challenge that was available during SigSegV2 CTF (2019). It was a Slim SSTI combined with a Sinatra/Rack session cookie forgery.

Image Checker 1

A web challenge that was available during SigSegV2 CTF (2019). It was a XXE OOB via SVG rasterization and a local file read.

Image Checker 2

A web challenge that was available during SigSegV2 CTF (2019). It was a XXE OOB via SVG combined with a SSRF port scan and a SSRF localhost bypass.

10 questions about my system

A forensics challenge that was available during SigSegV2 CTF (2019). It was a Volatility profile creation and 10 basic questions on the memory dump.

Une porte peut en cacher une autre

A web challenge that was available during SigSegV2 CTF (2019). It was a b374k.php webshell with c99 style PHP backdoor authentication bypass.

noraj secret zone

A web/misc/reverse/network challenge that was available during SigSegV2 CTF (2019). It was an eepsite (I2P website) containing obfuscated JavaScript.

The long way

A misc challenge that was available during SigSegV2 CTF (2019). It was a extra long file path on exFAT FS, scripting was mandatory to retrieve the whole path.

Drugs: crack & hash

A cracking challenge that was available during SigSegV2 CTF (2019). Password hash cracking with custom dictionary/wordlist. There were 10 hashes to crack.

Matz 2.3

A reverse challenge that was available during SigSegV2 CTF (2019). Ruby bytecode reverse engineering/disassembly making use of RubyVM class.