I solved two web challenges: required notes and required notes revenge. Although the intened solution is XS-Leak, I found RCE solution even for the revenge challenge!
| #!/bin/sh | |
| source=$1 | |
| dest=$2 | |
| if [ -z "$source" ] || [ -z "$dest" ]; then | |
| echo "Usage: $0 <source> <dest>" | |
| exit 1 | |
| fi | |
| tmpmd="$(mktemp tmp-XXXXXX.md)" | |
| tmphtml="$(mktemp tmp-XXXXXX.html)" |
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).
I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
| import string | |
| b64table = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/" | |
| def to_utf7(s): | |
| ret = "" | |
| for c in s: | |
| n = ord(c) | |
| bits = f"{n:016b}00" |
| # lazyload nvm | |
| # all props goes to http://broken-by.me/lazy-load-nvm/ | |
| # grabbed from reddit @ https://www.reddit.com/r/node/comments/4tg5jg/lazy_load_nvm_for_faster_shell_start/ | |
| lazynvm() { | |
| unset -f nvm node npm npx | |
| export NVM_DIR=~/.nvm | |
| [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh" # This loads nvm | |
| if [ -f "$NVM_DIR/bash_completion" ]; then | |
| [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion |