I'm not going to be maintaining this document anymore. I'm leaving it as-is since much of the FAQ section is still accurate and has yet to be incorporated into other resources.
Use CanI.RootMy.TV to find an exploit for your TV.
Bruno Bierbaumer 0xbb
loknop
/ writeup.md
Created
December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import paho.mqtt.client as mqtt | |
| import json | |
| client = mqtt.Client() | |
| client.username_pw_set("z2muser", "z2pass") | |
| client.connect("192.168.0.201", 1883) | |
| topic = "zigbee2mqtt/tradfi_alpha/set" | |
| from time import sleep |
Tested with Debian Stretch (Linux 4.3), MSI - Radeon R9 390X Gaming 8G
lspci -v
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Hawaii XT [Radeon R9 290X] (rev 80) (prog-if 00 [VGA controller])
Subsystem: Micro-Star International Co., Ltd. [MSI] Hawaii XT [Radeon R9 290X]
Flags: bus master, fast devsel, latency 0, IRQ 132
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff -uprN linux-3.16.1-org/drivers/platform/x86/apple-gmux.c linux-3.16.1-patched/drivers/platform/x86/apple-gmux.c | |
| --- a/drivers/platform/x86/apple-gmux.c 2014-08-14 04:36:35.000000000 +0200 | |
| +++ b/drivers/platform/x86/apple-gmux.c 2014-09-10 17:12:47.000000000 +0200 | |
| @@ -22,6 +22,10 @@ | |
| #include <linux/delay.h> | |
| #include <linux/pci.h> | |
| #include <linux/vga_switcheroo.h> | |
| +#include <linux/seq_file.h> | |
| +#include <linux/uaccess.h> | |
| +#include <linux/fs.h> |