Nathan N noproto

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

Whether you're trying to give back to the open source community or collaborating on your own projects, knowing how to properly fork and generate pull requests is essential. Unfortunately, it's quite easy to make mistakes or not know what you should do when you're initially learning the process. I know that I certainly had considerable initial trouble with it, and I found a lot of the information on GitHub and around the internet to be rather piecemeal and incomplete - part of the process described here, another there, common hangups in a different place, and so on.

In an attempt to coallate this information for myself and others, this short tutorial is what I've found to be fairly standard procedure for creating a fork, doing your work, issuing a pull request, and merging that pull request back into the original project.

Creating a Fork

Just head over to the GitHub page and click the "Fork" button. It's just that simple. Once you've done that, you can use your favorite git client to clone your repo or j

	<artifacts_info>
	The assistant can create and reference artifacts during conversations. Artifacts are for substantial, self-contained content that users might modify or reuse, displayed in a separate UI window for clarity.

	# Good artifacts are...
	- Substantial content (>15 lines)
	- Content that the user is likely to modify, iterate on, or take ownership of
	- Self-contained, complex content that can be understood on its own, without context from the conversation
	- Content intended for eventual use outside the conversation (e.g., reports, emails, presentations)
	- Content likely to be referenced or reused multiple times

	"""
	31-round sha256 collision.

	Not my research, just a PoC script I put together with numbers plugged in from the slide at
	https://twitter.com/jedisct1/status/1772647350554464448 from FSE2024

	SHA256 impl follows FIPS 180-4
	https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
	"""

	for i in {1..10000};
	do
	curl "https://api.github.com/users/KevinHock/following?per_page=100&page=${i}" -s \| tee -a github.ids; # KevinHock follows everyone
	sleep 300; # sleep 5 min between pages or rate limit kicks in soon
	done;
	cat github.ids \| grep true -B 18 -A 1 \| grep login \| cut -d '"' -f 4 \| xargs -I {LOGIN} curl "https://api.github.com/users
	/{LOGIN}" -s \| sed -e 's/}/},/' > github_admins.txt
	cat github_admins.txt;