Skip to content

Instantly share code, notes, and snippets.

@0xbb
0xbb / writeup.md
Created December 31, 2021 21:18 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@0xbb
0xbb / coffee.sh
Created October 28, 2016 22:57
i3blocks coffee
#!/bin/bash
while true;
do
xdotool mousemove_relative --sync -- 1 1
xdotool mousemove_relative --sync -- -1 -1
sleep 60
done
@0xbb
0xbb / macbook-mute.sh
Last active November 7, 2024 13:20
Turn off Macbook startup sound - Linux
#!/bin/bash
printf "\x07\x00\x00\x00\x00" > /sys/firmware/efi/efivars/SystemAudioVolume-7c436110-ab2a-4bbb-a880-fe41995c9f82
@0xbb
0xbb / amd-r9-390x.md
Last active February 19, 2016 17:06
AMD R9 390X - Linux Support

AMD R9 390X - Linux Support

Tested with Debian Stretch (Linux 4.3), MSI - Radeon R9 390X Gaming 8G

lspci

lspci -v

01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Hawaii XT [Radeon R9 290X] (rev 80) (prog-if 00 [VGA controller])
	Subsystem: Micro-Star International Co., Ltd. [MSI] Hawaii XT [Radeon R9 290X]
	Flags: bus master, fast devsel, latency 0, IRQ 132
@0xbb
0xbb / ga-z170-hd3p.md
Last active February 25, 2016 13:38
GA-Z170-HD3P - Linux Support

GA-Z170-HD3P (rev. 1.0) - Linux Support

Tested with Debian Stretch (Linux 4.3) + Intel Core i5-6600K

Status:

  • UEFI boot Kernel: works
  • LAN network: works
  • Serial ATA: works
  • CPU Frequency Scaling: works
  • Sleep / Suspend: works
  • Xorg: works
@0xbb
0xbb / sshrand.py
Created November 27, 2015 13:10
Sends a SSH 2.0 message to steal the entropy from your server
#!/usr/bin/env python3
# Usage : ./sshrand.py server port
import socket
import sys
s = socket.socket()
s.connect((sys.argv[1], int(sys.argv[2])))
version = s.recv(4096)
@0xbb
0xbb / vpsmark
Created October 30, 2015 12:09
Small bash script to unscientifically benchmark Virtual Private Server (VPS)
#!/bin/bash
apt-get install -y bzip2 gzip xz-utils php5-cli php5-xdebug wget time build-essential bc
rm -rf vpsmark-test
mkdir vpsmark-test
cd vpsmark-test
model=$(grep '^model name' -m1 /proc/cpuinfo | sed -r "s/model name.*: *(.*)/\1/")
cores=$(grep -c ^processor /proc/cpuinfo)
@0xbb
0xbb / tlsrand.py
Last active October 17, 2015 23:35
Sends a TLS 1.2 Client Hello and extracts the resulting random bytes from the Server Hello
#!/usr/bin/env python3
# Usage: ./tlsrand server port
import socket
import sys
hello = bytearray([3, 3]) # Version: TLS 1.2
hello += bytearray([0]*32) # Random
@0xbb
0xbb / bfi.py
Created May 19, 2015 17:03
Brainfuck interpreter in Python
#!/usr/bin/env python3
# Usage: ./bfi.py source.bf
import sys
with open(sys.argv[1]) as f:
program = f.read()
cells = [0]*30000
ptr = 0
pc = 0
label_stack = []
@0xbb
0xbb / bfi.py
Created May 19, 2015 17:02
Brainfuck interpreter in Python
#!/usr/bin/env python3
# Usage: ./bfi.py source.bf
import sys
with open(sys.argv[1]) as f:
py_program = "import sys;cells = [0]*30000;ptr = 0\n"
level = 0
for i in f.read():
py_program += " "*level
if i == '>':