Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 5 changed files with 59 additions and 1 deletion.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# 1024 | ||
|
||
## Description | ||
|
||
The website is an implementation of the famous 2048 game. There is a page where the user can save the game state in a local file that contains the serialized game state. The user can also load a game state from a file. | ||
|
||
The problem? Well, there is no public source code. | ||
|
||
## Solution: part 1 (Getting the source code) | ||
|
||
When one see a `?color=blue.css`, the first thing that comes to mind is LFI (Local File Inclusion) and Path Traversal. Basically, whatever is in the color parameter it's downloaded by the server and sent back to the client to be inserted in the style tag of the page. So, if we can make the server download a file that we control, we can get the source code. | ||
|
||
## Solution: part 2 (Getting the flag) | ||
|
||
Analyzing the source code, we can see that there is an `unserialize` function that per-se is already a vulnerability. But we have no way to exploit it to get code execution. However, we can see that there is a class called `Ranking` that on destruction it will write something that (that we can control) somewhere (that we can control). So we have arbitrary file write. We can only write to files in the directory `/games`, since that directory is made writable to store the ranking. | ||
|
||
The idea is to write a PHP code to print the environment variables (where the flag is) to a `flag.php` file. Then, we can GET from the server the endpoint `/games/flag.php` and get the flag. | ||
|
||
The complete exploit is in the file [script.py](script.py). | ||
|
||
The serialized payload is generated with [script.php](script.php). |
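Review bot: the part-1 step is asserted rather than shown: `?color=blue.css` is named as the LFI/path-traversal sink and the text says that "if we can make the server download a file that we control, we can get the source code", but the hunk never states what evidence confirmed that the parameter is included server-side or which request returned the source; add one sentence on that so the write-up is reproducible and the fix is obvious (restrict the `color` parameter to an allow-list of fixed stylesheet names instead of including a user-supplied path). In part 2, "an `unserialize` function that per-se is already a vulnerability" is imprecise; the defect is unserializing user-controlled data while a gadget class (`Ranking`, whose destructor performs a controllable write) is loaded, so consider stating the remediation alongside (store game state as JSON, or pass `allowed_classes` to `unserialize()`). The write-up should also note that the chain only works because `/games` is both writable and served as PHP; keeping the ranking outside the web root or disabling PHP execution in that directory would stop the final `GET /games/flag.php` step. Minor wording: "When one see" should be "When one sees" and "it's downloaded" should be "is downloaded".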
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# free-as-in-beer | ||
|
||
## Description | ||
|
||
The website is a todo list. The user can add, edit and delete tasks. There is another page where the user can see the code of the website. | ||
|
||
## Solution | ||
|
||
The website takes a string from the cookie `todos` and if the first 32 characters are the md5 hash of the second part of the cookie, then the second part is unserialized. | ||
|
||
Then, there is a class called `GPLSourceBloater` that basically prints out a license text and `this->source` (the source code of the website). | ||
|
||
The idea is to craft a serialized object that will print the flag from the `flag.php` file by exploiting the `GPLSourceBloater` class and setting the `source` property to the `flag.php` file. Then, in python we create the cookie with the md5 hash of the serialized object and the serialized object and perform the request getting the flag. | ||
|
||
The complete exploit is in the file [script.py](script.py). | ||
|
||
The serialized payload is generated with [script.php](script.php). |
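Review bot: the cookie check described in the solution ("the first 32 characters are the md5 hash of the second part of the cookie") is an integrity check with no secret, so the write-up should say explicitly why it provides no protection: anyone can compute md5 over their own serialized payload, which is exactly what the script does. Stating that plainly, and that an HMAC keyed with a server-side secret (or not unserializing cookie data at all) would close it, makes the lesson of the challenge clear. The text names the cookie `todos` but never says what a legitimate cookie value looks like, so the reader cannot tell what shape the serialized object normally has; one sentence on the original value would help. Style: "in python" should be "in Python", and "perform the request getting the flag" reads better as "perform the request to get the flag".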
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
# lolshop | ||
|
||
## Solution | ||
|
||
`unserialize()` is called and on the unserialized object the method `toDict()` is called. Then we can pass to the unserialize an object that has the method `toDict()` to get something executed. This class is `Product` that has the `toDict()` method. When called this method will call the inner `getPicture()` method that returns the content of the file specified in the `this->picture` attribute. We can set this attribute to do some path traversal and get the flag. | ||
|
||
The complete exploit is in the file [script.py](script.py). | ||
|
||
The serialized payload is generated with [script.php](script.php). |
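Review bot: this README lacks the `## Description` section the other three write-ups in this commit have; add a short one so the files are consistent. The solution paragraph says `Product::toDict()` calls `getPicture()`, which "returns the content of the file specified in the `this->picture` attribute", and that this attribute can be set "to do some path traversal"; it should also spell out that two separate defects are needed, unserializing client data and reading a file path taken from an object property without confining it to an allowed base directory, since either fix alone (`allowed_classes` on `unserialize()`, or resolving `picture` with `realpath()` and checking it stays under the pictures directory) breaks the chain. Wording: "pass to the unserialize an object" should read "pass to `unserialize()` an object", and "to get something executed" is vague; say what is executed (a file read).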
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# metactf | ||
|
||
## Description | ||
|
||
The website lets us register, login, save the user (will create a file with the serialized user object) and upload a file with the serialized user object that will be unserialized. | ||
|
||
## Solution | ||
|
||
There is a class `Challenge` that on destruction will call the inner `stop()` method. The `stop()` method will execute the `exec()` with the `this->stop_cmd` as argument. We can serialize a `Challenge` object and upload it to the server. The `stop_cmd` is set to `cat /flag.txt` so we can get the flag by uploading the serialized object. | ||
|
||
The serialized payload is generated with [script.php](script.php). |
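Review bot: unlike the other three READMEs, this one links only `script.php` and not a `script.py`; if the upload step is performed manually, say so, otherwise link the script for consistency. The solution says that on destruction `Challenge` calls `stop()`, which passes `this->stop_cmd` to `exec()`; this is the most severe of the four chains (command execution from a file upload), and the write-up should state the root cause plainly: the saved user file is fed to `unserialize()` while a class whose destructor hands a property to `exec()` is loadable. Mention the fix next to it (a JSON or signed format for the saved user, or `allowed_classes`, and never passing object fields to `exec()`). Also, in the description "save the user (will create a file with the serialized user object)" reads better as "save the user (this creates a file containing the serialized user object)".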