0xbb

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

0xbb

diff -uprN -X linux-3.18-original/Documentation/dontdiff linux-3.18-original/drivers/platform/x86/apple-gmux.c linux-3.18-patched/drivers/platform/x86/apple-gmux.c
--- linux-3.18-original/drivers/platform/x86/apple-gmux.c	2014-12-07 23:21:05.000000000 +0100
+++ linux-3.18-patched/drivers/platform/x86/apple-gmux.c	2014-12-14 22:14:54.925688939 +0100
@@ -22,6 +22,10 @@
 #include <linux/delay.h>
 #include <linux/pci.h>
 #include <linux/vga_switcheroo.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/fs.h>