Skip to content

Instantly share code, notes, and snippets.

@0xbb
0xbb / writeup.md
Created December 31, 2021 21:18 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

diff -uprN -X linux-3.18-original/Documentation/dontdiff linux-3.18-original/drivers/platform/x86/apple-gmux.c linux-3.18-patched/drivers/platform/x86/apple-gmux.c
--- linux-3.18-original/drivers/platform/x86/apple-gmux.c 2014-12-07 23:21:05.000000000 +0100
+++ linux-3.18-patched/drivers/platform/x86/apple-gmux.c 2014-12-14 22:14:54.925688939 +0100
@@ -22,6 +22,10 @@
#include <linux/delay.h>
#include <linux/pci.h>
#include <linux/vga_switcheroo.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/fs.h>