This challenge involved a web application that featured a PHP variable inspector.
The instructions read:

NETTITUDE.COM CTF

Enter some serialised PHP in our form below and we’ll output it on the page.

We have some built in classes too.

Objective: Simply run the “getFlag()” method.

The page also contained a form to submit your serialized object string, as well as a link to some source code:

The challenge seemed to call for PHP object injection, also classified more generally as a “serialization vulnerability”. I was especially excited to tackle this challenge since a PHP serialization vulnerability had recently made news: CVE-2015-8562.

My first goal was to figure out how I could invoke the getFlag method. I started thinking about the end of my method call chain so I could work backwards from the method invocation.

The ObjectDescriber class stood out to me as a candidate. Upon calling __toString, it checks t and dynamically invokes method prop on obj. I overwrote the definition of getFlag in the Flag class above so it would echo “It worked”, included my modified source code, and used print_r to invoke __toString on it:

This first step wasn’t too challenging (having a programming background definitely helped). However, using print_r was cheating. I now had a new goal which would prove to be more difficult: using only object de-serialization, how could I invoke __toString on my crafted ObjectDescriber object?

After studying the source code a bit more, I saw the SelectElement class as a candidate to do the job. Its render method concatenates strings while iterating over aitems, and would provide a chance to call __toString on the ObjectDescriber object.

I still needed a way to call render on an instance of SelectElement during de-serialization. I noticed that the Page class had a compile method which called render on each element of its elements property. This nearly completed my chain.

Things were starting to fall into place. Now all I needed was a way to call compile on an instance of Page at some point during the PHP object lifecycle. Luckily, the Page class implements a definition of __wakeup, which is a object callback method that gets called when an object “wakes up” (becomes de-serialized). This ended up completing my POP chain:

Submitting my serialized object string confirmed that my POP chain worked:

 

BSides Pre-Con Capture the Flag

Leave a Reply

Your email address will not be published. Required fields are marked *