@bahorn
Last active October 22, 2025 04:18
BGGP6 .curlrc

.curlrc for BGGP 4 + 5 (62 bytes)

.curlrc is a config file for curl that lets you set options across invocations. By default it is read from $HOME/.curlrc.

Entry

Plaintext (be aware of a stray newline):

-Lo6
url=file:/proc/self/cwd/.curlrc
url=binary.golf/5/5
url=a

Base64:

LUxvNgp1cmw9ZmlsZTovcHJvYy9zZWxmL2N3ZC8uY3VybHJjCnVybD1iaW5hcnkuZ29sZi81LzUKdXJsPWE=

Save that to .curlrc in your home directory, then just run curl from the same directory. You can also use a different directory by setting the $HOME environment variable to it.

Expected Output

$ HOME=`pwd` curl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    62  100    62    0     0   672k      0 --:--:-- --:--:-- --:--:--  672k
Another #BGGP5 download!! @binarygolf https://binary.golf
curl: (6) Could not resolve host: a
$ echo $?
6
$ shasum .curlrc 6
e664df8af2ac8d6bcef04ad9d7654012ab8e2d97  .curlrc
e664df8af2ac8d6bcef04ad9d7654012ab8e2d97  6

Tricks

  • -L to save having to include https:// in the BGGP5 url
  • writing the BGGP5 file to stdout
  • reading /proc/self/cwd/.curlrc from the local system to get a copy of the config, then writing it to 6
  • Providing an unresolved domain "a", so curl will return 6
  • truncating (truncate -s -1 .curlrc if you copypaste) the stray null byte at the end :)

These should be enough to satisfy BGGP4 and 5, and get the right return code for BGGP6.

Notes

.curlrc's seem useful for persistence, though I've not seen the trick used before. Could use them to write to something source'd by your shell or whatever. Most I could find was Daniel Stenberg mentioning an invalid bug report using it.

Can also imagine a limited file-write primitive and an SSRF bug chain being potentially a thing, something like this:

curl -o$USER_FILE_NAME $USER_URL
/bin/do_something $USER_FILE_NAME output.txt
curl -F '[email protected]' example.com

Though the requirement for $USER_FILE_NAME to be written to $HOME is gonna be rare.

Was using the return 6 by giving an unresolved host in an in-progress ELF64 entry. Useful after an execve to curl. Another trick is open()'ing /proc/self/exe, execve()'ing curl, and reading /proc/self/fd/3 to get curl to copy your original binary. This works as open file descriptors keep the same number in child processes. However this doesn't seem to save space over a creat()/write() combo.
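
Following on from the persistence note above, it helps to see what a given .curlrc makes every curl invocation do. The Python below is an added example, not part of the original gist or of curl: it flags options that write the response to a file or read a local file through a file: URL. The names `audit_curlrc`, `ARG_SHORT` and `LINE_RE` are hypothetical, and the table of argument-taking short options is an assumed subset.

```python
import re

# Short options that take an argument. A subset chosen for this example
# (assumption); curl's man page has the full list.
ARG_SHORT = set("AbcCdDeEFHKmoPQrTuUwxXyYz")

# curl config syntax: long names may drop the leading dashes, and the
# option/value separator is whitespace, '=' or ':'.
LINE_RE = re.compile(r"(-{0,2}[^\s=:]+)\s*[=:]?\s*(.*)")

def audit_curlrc(text):
    """Return (line_number, finding) for options that write or read local files."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or line.startswith("#"):
            continue
        opt, val = m.group(1), m.group(2).strip().strip('"')
        if opt.startswith("-") and not opt.startswith("--"):
            # Short cluster such as "-Lo6": walk it letter by letter.
            cluster = opt[1:]
            for i, ch in enumerate(cluster):
                if ch == "O":
                    findings.append((n, "writes response to a file named after the URL"))
                elif ch in ARG_SHORT:
                    arg = cluster[i + 1:] or val
                    if ch == "o":
                        findings.append((n, f"writes response to file {arg!r}"))
                    break  # the rest of the cluster was this option's argument
            continue
        name = opt.lstrip("-")
        if name == "output":
            findings.append((n, f"writes response to file {val!r}"))
        elif name == "remote-name":
            findings.append((n, "writes response to a file named after the URL"))
        elif name == "url" and val.lower().startswith("file:"):
            findings.append((n, f"reads local file via {val!r}"))
    return findings

# The 62-byte entry from this page, used as sample input.
ENTRY = "-Lo6\nurl=file:/proc/self/cwd/.curlrc\nurl=binary.golf/5/5\nurl=a"

if __name__ == "__main__":
    for n, finding in audit_curlrc(ENTRY):
        print(f"line {n}: {finding}")
```

Run against the entry, it reports line 1 (the `o6` inside `-Lo6`) and line 2 (the `file:` URL); the two remote URLs are not flagged.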