Tags: php unserialize web 

## This is my writeup of the 250 points challenge 'Destructoid' in Imaginary CTF 2021.

### This is the challenge's description

![[Pasted image 20210725162523.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725162523.png)

### There is a YouTube link to the 'We Are Destroyer' song by Anberlin (it was good :D), although we really don't need this hint.

#### Here is the front page of the site
![[Pasted image 20210725162917.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725162917.png)

#### Reversing the text gives **Can you find my ?source**, so I requested 'https://destructoid.chal.imaginaryctf.org/?source'

#### Here is what I got
![[Pasted image 20210725163320.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725163320.png)

### So basically we must exploit the unserialize vulnerability through `$_SERVER['HTTP_X_PAYLOAD']`
#### We can set it with the 'X-PAYLOAD' request header
#### For those who don't know:
- `__construct` is automatically called when we create an object with `new`
- `__wakeup` is automatically called when we unserialize a serialized object
- `__toString` is automatically called when we `echo` an object (or otherwise convert it to a string)

#### Looking at the code, we see that `$printflag` is set to false and only changes to true if the `__toString` function of class Y is invoked
![[Pasted image 20210725163657.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725163657.png)

#### To invoke `__toString` we must `echo` a Y object, and here we only see one `echo`
![[Pasted image 20210725163741.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725163741.png)

#### What does that mean? The `echo` will run when `__wakeup` is called (meaning that a Y object is unserialized)
#### So we can construct our Y class like this:
![[Pasted image 20210725164224.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725164224.png)

#### Then, after we serialize this `exploit` object and send it to the server, the Y object inside will be echoed when it's unserialized, setting `$printFlag` to true
![[Pasted image 20210725164452.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725164452.png)

#### Cool, so we got into the `__destruct` function of class X (pay attention to the 'No!' with a lowercase 'o')
#### Now back to class X
![[Pasted image 20210725164552.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725164552.png)
#### We see from class Y that a Y object's secret is passed to class X as `$cleanup` when a new X object is created. If `$cleanup` is 'flag', the `__construct` function of class X blocks it. So we have to reach the `__destruct` function without creating a new X object
### Here is what I did:
![[Pasted image 20210725165005.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725165005.png)

#### So when the inner Y object is echoed, it creates a new X object whose `$cleanup` is another X object whose own `$cleanup` is 'flag' (confusing, right? Think of it as an X inside an X)

#### That way we get past the `__construct` function: the inner X object comes straight out of `unserialize()`, which never calls a constructor, so its `$cleanup` of 'flag' is never checked. When the `__destruct` of the inner X object is called, we get the flag
![[Pasted image 20210725165252.png]](https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/Images/Pasted%20image%2020210725165252.png)
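The root cause is that `unserialize()` never calls `__construct`; it only runs `__wakeup` (or `__unserialize` on PHP 7.4+) and, later, `__destruct`, so a check that lives only in the constructor is bypassed. The snippet below is an added illustration of the two standard fixes, not the challenge's source; the class name `Cleanup`, the property `target` and the message strings are made up.

```php
<?php
// Added example: a constructor-only check versus what unserialize() actually runs.
class Cleanup {
    public $target;

    public function __construct($target) {
        // Only reached via `new Cleanup(...)`, never via unserialize().
        if ($target === 'flag') {
            throw new InvalidArgumentException('rejected in constructor');
        }
        $this->target = $target;
    }

    // Fix 1: re-validate here, because unserialize() DOES call __wakeup.
    public function __wakeup() {
        if ($this->target === 'flag') {
            throw new UnexpectedValueException('rejected in __wakeup');
        }
    }

    public function __destruct() {
        // Without the __wakeup check above, this would run with target === 'flag'.
        echo "destruct with target={$this->target}\n";
    }
}

// Constructed serialized object whose property was set without the constructor.
$payload = 'O:7:"Cleanup":1:{s:6:"target";s:4:"flag";}';

// With Fix 1 the object is rejected before __destruct can do anything useful.
try {
    unserialize($payload);
} catch (UnexpectedValueException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

// Fix 2 (preferred): forbid object instantiation entirely. The result is a
// __PHP_Incomplete_Class, so no __wakeup, __toString or __destruct of Cleanup runs.
$safe = unserialize($payload, ['allowed_classes' => false]);
echo get_class($safe), "\n";
```

For untrusted input such as a request header, `allowed_classes => false` (or a strict whitelist) is the fix to reach for; re-validating in `__wakeup` only protects the classes you remember to patch.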

### I know it's really confusing; just take time to think it through and you will understand

### Star me if you found this useful
## Credit: psycholog1st

Original writeup (https://github.com/letronghoangminh/CTF-Writeups/blob/master/Web/ImaginaryCTF%20-%20Destructoid%20250%20pts/README.md).