Tags: web php 

Rating: 3.0

Trading Value was a pretty simple challenge, though we're not sure our solution is the intended one ;)

# The Challenge

Trading Value consisted of a page with a graph that seemed to display random values. Looking at the page source we find that the page polls the server once a second (`setInterval(..., 1000)`) for the next value to display, and that the request carries both a base64 `formula` and the names bound to `v1`..`v4` (file truncated):

```javascript
chart: {
    type: "spline",
    animation: Highcharts.svg, // don't animate in old IE
    marginRight: 10,
    events: {
        load: function() {
            // set up the updating of the chart each second
            var series = this.series[0];
            var formula = // base64 payload (truncated in this excerpt)
            setInterval(function() {
                // the client picks the formula AND the names the server binds to v1..v4
                $.get("/default", {
                    formula: formula,
                    values: { v1: "STC", v2: "PLA", v3: "SDF", v4: "OCK" }
                }).done(function(data) {
                    var x = new Date().getTime(), // current time
                        y = parseInt(data);
                    // the next formula is chosen from the magnitude of the returned value
                    if (y < 1000)
                        formula = // base64 payload (truncated)
                    else if (y > 1000 && y < 10000)
                        formula = // base64 payload (truncated)
                    else if (y > 10000 && y < 100000)
                        formula = // base64 payload (truncated)
                    formula = // base64 payload (truncated)
                    series.addPoint([x, y], true, true);
                });
            }, 1000);
        }
    }
},
```

The base64 payloads decode to what appear to be simple math formulae over `v1`..`v4`. Two things stand out:

- `v1`, `v2`, `v3` and `v4` are sent to the server with the NAME of the object they refer to, not a value
- The client also chooses which formula the server applies to them

So, first of all, what happens if we base64-encode the string `v4` and send that as the `formula`? The server responds with a `var_dump` of an object:

`object(App\Entity\OCK)#253 (4) {`

So the `vX` values are the names of _actual variables_ in the server's PHP expression scope (the backend is Symfony). We tried smuggling in `shell_exec` and similar calls, but nothing worked: the error messages showed that our input ends up inside `new Expression("...")`, i.e. Symfony's ExpressionLanguage component, which is not PHP and only exposes the variables and functions the application itself registers. I didn't know much about Symfony or ExpressionLanguage, so I poked around but couldn't find much. What I could do was dump any variable in the expression's scope simply by naming it in `v1`. I tried `flag` and other guesses, but nothing worked...
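To make the mechanism concrete, here is an added example (not the challenge's code, which we never saw) that reconstructs the pattern in plain PHP with Symfony's ExpressionLanguage: the decoded formula has the client-supplied names spliced into it and is evaluated against the stock objects plus `this`, so the client effectively writes the whole expression. A hardened handler sits next to it. The controller and entity names, the prices and the flag string are constructed for illustration, and the exact server-side wiring is an assumption based on the error messages. It assumes `composer require symfony/expression-language`.

```php
<?php
// Added example, not the challenge's source. Reconstructs the described pattern
// (client-chosen names spliced into a client-chosen formula, evaluated with
// `this` in scope) beside a hardened version. Names, prices and the flag are
// constructed; requires `composer require symfony/expression-language`.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

final class Stock
{
    public function __construct(public string $symbol, public float $price) {}
}

final class DefaultController
{
    private string $flag = 'Securinets{constructed-placeholder}';   // stand-in for the real flag
    /** @var array<string, Stock> constructed sample data */
    private array $stocks = [];

    public function __construct()
    {
        foreach (['STC' => 12.5, 'PLA' => 830.0, 'SDF' => 4.2, 'OCK' => 9.9] as $sym => $price) {
            $this->stocks[$sym] = new Stock($sym, $price);
        }
    }

    /**
     * Vulnerable: the base64 formula is decoded and each vN token is replaced
     * by the client-supplied name, then evaluated against every stock object
     * and `this`. The client therefore controls the expression text entirely.
     */
    public function vulnerable(array $query): string
    {
        $formula = base64_decode($query['formula'] ?? '', true) ?: 'v1';
        $expression = strtr($formula, $query['values'] ?? []);   // v1..v4 -> attacker-chosen names
        $scope = $this->stocks + ['this' => $this];              // `this` is what leaks the flag
        $result = (new ExpressionLanguage())->evaluate(new Expression($expression), $scope);
        ob_start();
        var_dump($result);
        return ob_get_clean();
    }

    /** Hardened: formulas chosen by id from a fixed list, fixed variable names, strict symbol lookup, scalars only. */
    private const FORMULAS = [
        0 => 'v1 * v2',
        1 => '(v1 + v2) / 2',
        2 => 'v3 - v4',
    ];

    public function hardened(array $query): string
    {
        $id = filter_var($query['formula'] ?? null, FILTER_VALIDATE_INT);
        if ($id === false || !isset(self::FORMULAS[$id])) {
            throw new InvalidArgumentException('unknown formula id');
        }
        $scope = [];
        foreach (['v1', 'v2', 'v3', 'v4'] as $name) {
            $sym = $query['values'][$name] ?? null;
            if (!is_string($sym) || !isset($this->stocks[$sym])) {
                throw new InvalidArgumentException("invalid symbol for $name");
            }
            $scope[$name] = $this->stocks[$sym]->price;          // bind a float, never an object
        }
        return (string) (new ExpressionLanguage())->evaluate(self::FORMULAS[$id], $scope);
    }
}

$c = new DefaultController();
// The writeup's request: formula = base64('v1') = 'djE=', values[v1] = 'this'
// -> the expression becomes `this`, and var_dump prints the controller, flag included.
echo $c->vulnerable(['formula' => 'djE=', 'values' => ['v1' => 'this']]);

// The same request against the hardened handler is rejected before anything is evaluated.
try {
    $c->hardened(['formula' => 'djE=', 'values' => ['v1' => 'this']]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo $c->hardened(['formula' => '0', 'values' => ['v1' => 'STC', 'v2' => 'PLA', 'v3' => 'SDF', 'v4' => 'OCK']]), "\n";
```

The two defects in the vulnerable handler are independent: splicing untrusted strings into the expression text (the `strtr` call) lets the client name any variable in scope, and binding objects, above all `this`, into that scope means a bare variable reference dumps their private state. The hardened version removes both: the client only selects a formula by id, and the scope holds nothing but floats under fixed names.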

Just for fun I decided to set `v1` to `this`. Burp responded with "This message is too large to display". Woooow, ok, time for curl:

`curl 'https://web1.ctfsecurinets.com/default?formula=djE%3d&values%5Bv1%5D=this' | grep 'Securinets{`

`string(47) "Securinets{T00_Ea5y_T0_U5e_This_Local_variable}"`

And that's it! We were the first team to flag this ;)

Original writeup (https://atomheartother.github.io/cybersecurity/2019/03/24/SecurinetsPrequalz2019.html).