Writeup – TSULOTT (meepwn)

Over the past weekend, I spent a little time participating in the meepwn CTF. Unfortunately, during the time allocated, I was only able to solve a single challenge, and the simplest challenge at that. On the bright side, this challenge involves a PHP deserialization vulnerability, which I have not yet written about.

My writeup is below.

TSULOTT

The TSULOTT challenge was presented as a web page, which appears as follows:

To play, you enter six numbers in the “code” section at the bottom of the page, which generates a base64-encoded “code”. You then paste this “code” into the top input box; if you guessed the six random numbers correctly, you presumably get the flag. My first step was to inspect the source code:

Making a request with the is_debug parameter set prints the formatted source in the page. You can download the source here.

The logical flow of the vulnerable code is as follows:

  • The base64-encoded “code” is decoded and unserialized into $obj
  • Six random numbers are generated and stored in the $obj->jackpot property
  • The $obj->enter property is compared with $obj->jackpot
  • If the two are equal, you get the flag.

An “Object” class is also defined in the source code:

class Object
{
    var $jackpot;
    var $enter;
}

The path to exploitation lies in creating a fake object of a class with a different name (not “Object”, which seems to cause PHP to use its own class definition) that passes the “$obj->enter === $obj->jackpot” check but doesn’t allow $obj->jackpot to be overwritten. Helpfully, PHP allows us to define “protected” properties, which cannot be modified from outside the class, as below:

class Test
{
    protected $_data = array(
        "jackpot" => "12345"
    );
    var $enter;
}

We can then quickly write our own PHP script, which instantiates a “Test” object, seeds the $enter property, serializes the object and base64-encodes it, revealing the flag:

You can download the solution here.
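For comparison, here is the flow described above in the form a defender would want to see: the unsafe pattern beside a hardened replacement. This is an added example written for this writeup, not the challenge source or the author's solution script. The function names, the base64-wrapped JSON entry format, the 1–49 number range and the constructed inputs are all assumptions; check_unsafe() is only a sketch of the logical flow listed earlier, not the challenge's actual code.

```php
<?php
// Added example: not the challenge source or the author's solver.
// Contrasts a sketch of the flow the writeup describes (client-controlled
// unserialize) with a version that never instantiates an object from
// client bytes and keeps the secret off anything the client shaped.

// --- Unsafe sketch of the challenge flow (assumed, for contrast) ---
// Class name, property names, values and visibility all come from the
// client, so the "server-side" jackpot is written onto a structure the
// attacker chose and the comparison runs on attacker-shaped data.
function check_unsafe(string $code, array $jackpot): bool
{
    $obj = unserialize(base64_decode($code)); // never do this with user input
    $obj->jackpot = $jackpot;
    return $obj->enter === $obj->jackpot;
}

// --- Hardened version ---
// 1. Decode a data-only format (JSON) so no class is ever instantiated.
// 2. Validate shape, length and element type explicitly.
// 3. Keep the jackpot in a server-side local, never as a property of
//    anything derived from client input, and compare with ===.
const ENTRY_SIZE = 6;
const MAX_NUMBER = 49; // assumed range; the challenge page does not state one

function parse_entry(string $code): ?array
{
    $raw = base64_decode($code, true); // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $entry = json_decode($raw, true, 2); // shallow: a flat list is all we accept
    if (!is_array($entry) || count($entry) !== ENTRY_SIZE) {
        return null;
    }
    foreach ($entry as $n) {
        if (!is_int($n) || $n < 1 || $n > MAX_NUMBER) {
            return null; // nested arrays, strings and floats all fail here
        }
    }
    return array_values($entry); // normalise keys to 0..5 for the strict compare
}

function draw_jackpot(): array
{
    $draw = [];
    for ($i = 0; $i < ENTRY_SIZE; $i++) {
        $draw[] = random_int(1, MAX_NUMBER); // CSPRNG, not rand()/mt_rand()
    }
    return $draw;
}

function check_hardened(string $code, array $jackpot): bool
{
    $entry = parse_entry($code);
    // Strict array comparison: same length, same order, same int values.
    return $entry !== null && $entry === $jackpot;
}

// Usage. On a real server the draw comes from draw_jackpot(); a fixed,
// constructed draw is used here so the run is deterministic.
$jackpot = [3, 11, 19, 27, 35, 44];
$honest  = base64_encode(json_encode([3, 11, 19, 27, 35, 44])); // constructed entry
$notJson = base64_encode('O:8:"stdClass":0:{}');                  // serialized PHP, not JSON

var_dump(check_hardened($honest, $jackpot));   // strict compare of validated ints
var_dump(parse_entry($notJson));               // rejected before any comparison
var_dump(parse_entry(base64_encode('[1,2,3]'))); // wrong length, rejected
```

The point of the hardened version is not the JSON format itself but that nothing the client sends can influence the class, the property set or where the jackpot lives. Restricting unserialize() with the allowed_classes option limits which classes can be instantiated, but the property set on the resulting object is still under the client's control, so a comparison against data stored on that object remains the weak point; the robust fix is to keep unserialize() away from client input altogether and compare validated primitives against a server-side local.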

As always, I’d like to thank the meepwn team for creating this CTF – this challenge was a lot of fun, as was the “Be Human” challenge which I was unable to solve (text CAPTCHA recognition) in the allocated time.

See you all in the SHA2017 CTF!

About Norman

Sometimes, I write code. Occasionally, it even works.