The website is very simple: it can output what you input. So I call it Echohub.
But you can easily find a hint when you view the HTML source code.
```c
123;
return 123;
}
extern void *opendir(const char *);
extern void *readdir(void *);
extern void *shmat(int, const void *, int);
typedef struct {
    ino_t d_ino;
    off_t d_off;
    unsigned short d_reclen;
```
```php
<?php
function bypass_open_basedir(){
    if(!is_dir('/tmp/ab')){
        mkdir('/tmp/ab');
    }
    chdir('/tmp/ab');
    ini_set('open_basedir','..');
    chdir('..');
    chdir('..');
    chdir('..');
```
The challenge was to achieve RCE with this file:
```php
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
```

Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.