The website is very simple, it can output what you input. So I call it Echohub
.
But you can easily find a hint when you view the HTML source code.
123; | |
return 123; | |
} | |
extern void *opendir(const char *); | |
extern void *readdir(void *); | |
extern void *shmat(int, const void *, int); | |
typedef struct { | |
ino_t d_ino; | |
off_t d_off; | |
unsigned short d_reclen; |
<?php | |
function bypass_open_basedir(){ | |
if(!is_dir('/tmp/ab')){ | |
mkdir('/tmp/ab'); | |
} | |
chdir('/tmp/ab'); | |
ini_set('open_basedir','..'); | |
chdir('..'); | |
chdir('..'); | |
chdir('..'); |
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.