Over the past weekend, I spent a little time participating in the meepwn CTF. Unfortunately, during the time allocated, I was only able to solve a single challenge, and the simplest challenge at that. On the bright side, this is a PHP deserialization vulnerability, which I have not yet written about.
My writeup is below.
TSULOTT
The TSULOTT challenge was presented as a web page, which appears as follows:
To use this website, you can enter six numbers in the “code” section below, and generate a base64-encoded “code”. You then enter this “code” into the top input box – if you guessed six random numbers correctly, you presumably get the flag. My first step was to inspect the source code:
Making a request with is_debug spits out formatted source in the page. You can download the source here.
The logical flow of the vulnerable code is as follows:
- A base64 “code” is submitted into $obj
- Six random numbers are generated, stored into the $obj->jackpot property
- The $obj->enter property is compared with $obj->jackpot
- If the two are equal, you get a flag.
An “object” class is also defined in the source code:
class Object { var $jackpot; var $enter; }
The path to exploitation lies in creating a fake object, called something else (not “Object”, which seems to cause PHP to use its own class definition), which passes the “$obj->enter === $obj->jackpot” check, but doesn’t allow $obj->jackpot to be overwritten. Helpfully, PHP allows us to define “protected” properties, which cannot be modified from outside the class, as per below:
class Test{ protected $_data = array( "jackpot" => "12345" ); var $enter; }
We can then quickly create our own PHP script, which instantiates a “test” object, seeds the “$enter” variable, serializes it and base64 encodes it, revealing the flag:
You can download the solution here.
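As an added example (not the challenge source or the solution script), the snippet below models the vulnerable flow above next to the hardened version a defender would ship: unserialize() is told to build no objects at all, so the class named inside the attacker-controlled “code” is never instantiated and the server re-creates its own object. The class name Lottery and the two function names are assumptions.

```php
<?php
// Minimal model of the TSULOTT flow. "Lottery" stands in for the
// challenge's "Object" class (name assumed, not from the challenge).
class Lottery { var $jackpot; var $enter; }

// Vulnerable pattern: the class that gets instantiated is chosen by the
// serialized string the user submitted, so whether the later assignment to
// $jackpot takes effect depends on that class's definition, not on ours.
function check_vulnerable(string $code, array $draw): bool {
    $obj = unserialize(base64_decode($code, true));  // any class allowed
    if (!is_object($obj)) {
        return false;
    }
    $obj->jackpot = $draw;
    return $obj->enter === $obj->jackpot;
}

// Hardened pattern: allowed_classes => false turns any object in the input
// into __PHP_Incomplete_Class, which the is_array check rejects. Only a
// plain array carrying 'enter' is accepted, and the comparison is done on a
// Lottery object the server itself constructs.
function check_hardened(string $code, array $draw): bool {
    $raw = base64_decode($code, true);
    if ($raw === false) {
        return false;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['enter']) || !is_array($data['enter'])) {
        return false;   // objects, scalars and malformed input all end here
    }
    $obj = new Lottery();
    $obj->enter = array_map('intval', $data['enter']);
    $obj->jackpot = $draw;                            // server state stays ours
    return $obj->enter === $obj->jackpot;
}

// Constructed sample inputs: a legitimate array-based "code" for the hardened
// check, and a serialized object of the kind the vulnerable check accepts.
$draw = [4, 8, 15, 16, 23, 42];
$honest = base64_encode(serialize(['enter' => [1, 2, 3, 4, 5, 6]]));
var_dump(check_hardened($honest, $draw));             // false: wrong guess
$guess = new Lottery();
$guess->enter = $draw;
$objectCode = base64_encode(serialize($guess));
var_dump(check_vulnerable($objectCode, $draw));      // true: real Lottery
var_dump(check_hardened($objectCode, $draw));        // false: object refused
```

The hardened variant changes the accepted input format from a serialized object to a serialized array; swapping serialize() for json_encode()/json_decode() would remove the object-instantiation surface entirely.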
As always, I’d like to thank the meepwn team for creating this CTF – this challenge was a lot of fun, as was the “Be Human” challenge which I was unable to solve (text CAPTCHA recognition) in the allocated time.
See you all in the SHA2017 CTF!