wupco

Don't you think it is a baby challenge?

Bypass the extension check

 Object.keys(req.files).forEach(function(key){
        var filename = req.files[key].name.toLowerCase();
        var position = filename.lastIndexOf('.');
        if (position == -1) {
          return next();
        }
        var ext = filename.substr(position);

wupco

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

wupco

<?php
function bypass_open_basedir(){
    if(!is_dir('/tmp/ab')){
        mkdir('/tmp/ab');
    }
    chdir('/tmp/ab');
    ini_set('open_basedir','..');
    chdir('..');
    chdir('..');
    chdir('..');

wupco

123;
    return 123;
}
extern void *opendir(const char *);
extern void *readdir(void *);
extern void *shmat(int, const void *, int);
typedef struct {
    ino_t d_ino;
    off_t d_off;
    unsigned short d_reclen;

wupco

Echohub

A quick start

The website is very simple, it can output what you input. So I call it Echohub.

But you can easily find a hint when you view the HTML source code.