Skip to content

Instantly share code, notes, and snippets.

View wupco's full-sized avatar
On vacation

{{1+1}} wupco

On vacation
View GitHub Profile
wupco /
Last active August 24, 2022 04:00
realworldctf 2022 - RWDN

Don't you think it is a baby challenge?

Bypass the extension check

        var filename = req.files[key].name.toLowerCase();
        var position = filename.lastIndexOf('.');
        if (position == -1) {
          return next();
        var ext = filename.substr(position);
wupco /
Created December 31, 2021 02:05 — forked from loknop/
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

wupco / MoP.php
Created September 16, 2019 03:16
function bypass_open_basedir(){
wupco / exp.c
Created September 2, 2019 09:49 — forked from icchy/exp.c
Oneline Calc
return 123;
extern void *opendir(const char *);
extern void *readdir(void *);
extern void *shmat(int, const void *, int);
typedef struct {
ino_t d_ino;
off_t d_off;
unsigned short d_reclen;


A quick start

The website is very simple, it can output what you input. So I call it Echohub.

But you can easily find a hint when you view the HTML source code.