Kaspersky Industrial CTF Expression Writeup
In this question, we were given an URL “http://expression.2018.ctf.kaspersky.com/“ and we were asked to be find the flag from that URL.
When I opened that website on Firefox this page welcomed me.

I tried some XSS and some SQL-injection payloads but I thought I was going into the rabbit hole. After some time my teammates suggested that try to divide 1 by 0. Then I did that (:

After that error, I started to playing with the token. It was kind a base64 encoded json data.
1 | O:10:"Expression":3:{s:14:"Expressionop";s:3:"div";s:18:"Expressionparams";a:2:{i:0;d:1;i:1;d:0;}s:9:"stringify";s:5:"1 / 0";} |
I realized that this question is about PHP serialization stuff. I did some search on Google and I read an article about that topic[1]. Then I tried to execute a command by just changing some parts of that json data.
Expressionop: This calls a function by the function’s name.
Expressionparams: This is the parameters of the function that we call.
After I understood above, I crafted the json data below to test if that serialization/deserialization thing work. If this works then the server should return the content of the server’s /etc/passwd
file. Because I used a PHP function called file_get_contents
and passed the filename which is /etc/passwd as an argument.
1 | O:10:"Expression":3:{s:14:"Expressionop";s:17:"file_get_contents";s:18:"Expressionparams";s:11:"/etc/passwd";s:9:"stringify";s:4:"TEST";} |
Then encoded that data by using base64 and sent it back to the server by using its Share it link. And our test url was http://expression.2018.ctf.kaspersky.com/?action=load&token=TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6MTc6ImZpbGVfZ2V0X2NvbnRlbnRzIjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO3M6MTE6Ii9ldGMvcGFzc3dkIjtzOjk6InN0cmluZ2lmeSI7czo0OiJURVNUIjt9
. When I opened it on my Firefox I saw it was working.

To find the flag quickly, I needed to get rid of these four steps: change something in json -> encode it > send it > analyze its results. Therefore, I wrote a small python shell to achieve these steps automatically. This time I used exec
function from PHP and its argument was expected to be an OS command. (btw pls don’t judge me for this script)
1 | #!/usr/bin/env python3 |
I list the root directory of the server and I saw the file fl4g_h4r3
then read it and got the point.

I believe this was the easiest challenge because it was the only challenge that I could manage to solve (:
Reference: