CTF Challenge Solution Organized by SayCure

Here I present the solution to a recently organized CTF challenge. This challenge was organized by the SayCure org. I hope you find it helpful for future CTF encounters. So let’s get started.

What is CTF?

CTF, which stands for “Capture The Flag”, is a type of challenge for computer geeks who love to play with security. In the computer version of this game, many teams or individuals try to find a solution to a challenge posted by an organization or by a single person. Many organizations post CTFs with rewards, but the game is really about fun, passing time, gaining knowledge and gaining experience. To learn more about CTF, please visit here.

CTF by SayCure (@SayCureIO):

There were many CTF challenges by SayCure, but in this article/write-up or whatever, I will talk about one of them. One of my friends sent me a PHP class and asked me to help him understand it. Of course I explained it, but then he invited me to a CTF challenge.


Beginning:

This was my first time participating in a CTF challenge, so I didn’t know much about it. The challenge I participated in sent me to an IP address where the flag was. Let’s assume it was “127.0.0.1”.

Screenshot of CTF

Understanding the code:

1st part:

I started by understanding the code. The first part creates an md5 hash of the client’s IP address, creates a directory/folder whose name is that hash, and then changes/moves into that directory.

Understanding 1st part of Code

2nd Part:

The second part is a PHP class which has two public variables, “$data” and “$calc”, and a function “__wakeup()”. The “__wakeup()” function is known as a magic method. Visit here to learn more about the “__wakeup()” method.

  • trim() strips whitespace (or other characters) from the beginning and end of a string
  • ord() converts the first byte of a string to a value between 0 and 255

$calc = ord($this->data[0])+ord($this->data[1])+ord($this->data[2])-ord($this->data[3])-ord($this->data[4])+ord($this->data[5])+ord($this->data[6]);

This statement computes a number by adding and subtracting the byte values of the individual characters of “$data”. The rest is an if statement that checks whether the length of the value in “$data” is 7 and whether the number returned by the statement above equals 443.


Understanding 2nd Part of Code

3rd part:

The third part of the code is simple: it checks the extension and size of the uploaded file and saves that file as filename.txt.txt in the current working directory, which is md5(our IP). The rest of the code is a form for uploading a file and the PHP function highlight_file(), which shows the source code of the file.

Understanding 3rd part of Code

Main Points in the Code:

There are two main things we need to do with this code:

  1. Find a string of 7 characters that returns 443 from the given calculation
  2. Find a way to execute the HACK_THIS_CLASS class

  • Finding a String:

We have to find a 7-character string that returns 443 when its characters are converted by ord() and combined by that statement, so let’s find that first. I created a file with the following code.

<?php
// Test helper: pass a candidate string as ?h=... and print the value the class would compute
$h = $_GET["h"];
$calc = ord($h[0])+ord($h[1])+ord($h[2])-ord($h[3])-ord($h[4])+ord($h[5])+ord($h[6]);
echo $calc;
?>

I analyzed the ASCII table, and after some tries I found a suitable string, “zzzSTzz”, which has a length of 7 characters and returns 443 when passed to that statement.
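A small solver for this constraint, added here as an example and not part of the original post: calc() mirrors the PHP $calc line with Python’s ord(), and find_string() backtracks over an alphanumeric alphabet (a constructed choice, so the result is safe to use in a file name) with a reachability bound, so it finds a string for any achievable target rather than just 443.

```python
import string
from typing import List, Optional

SIGNS = (+1, +1, +1, -1, -1, +1, +1)             # sign pattern of the challenge's $calc line
ALPHABET = string.ascii_letters + string.digits  # constructed choice: file-name-safe characters

def calc(s: str) -> int:
    """Python twin of the PHP $calc expression; ord() agrees with PHP's for ASCII input."""
    if len(s) != len(SIGNS):
        raise ValueError("the class only accepts 7-character data")
    return sum(sign * ord(ch) for sign, ch in zip(SIGNS, s))

def find_string(target: int, alphabet: str = ALPHABET) -> Optional[str]:
    """Backtracking search for a 7-character string with calc() == target (None if impossible)."""
    codes = sorted({ord(c) for c in alphabet})
    lo, hi, n = codes[0], codes[-1], len(SIGNS)
    # min_rest[k]/max_rest[k]: smallest/largest contribution positions k.. can still add;
    # used to prune branches that can no longer reach the target.
    min_rest, max_rest = [0] * (n + 1), [0] * (n + 1)
    for k in range(n - 1, -1, -1):
        if SIGNS[k] > 0:
            min_rest[k], max_rest[k] = min_rest[k + 1] + lo, max_rest[k + 1] + hi
        else:
            min_rest[k], max_rest[k] = min_rest[k + 1] - hi, max_rest[k + 1] - lo

    def go(k: int, acc: int, out: List[str]) -> bool:
        if k == n:
            return acc == target
        for c in codes:
            nxt = acc + SIGNS[k] * c
            if min_rest[k + 1] <= target - nxt <= max_rest[k + 1]:
                out.append(chr(c))
                if go(k + 1, nxt, out):
                    return True
                out.pop()
        return False

    out: List[str] = []
    return "".join(out) if go(0, 0, out) else None
```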

  • Finding a way to execute the “HACK_THIS_CLASS” class:

By analyzing and understanding the code, I noticed the “unserialize()” function that reads the content of our uploaded file. At the start, I did not know about the “unserialize()” function. After some Google searching I found that it can lead to RCE. As a newbie, I didn’t know what to pass, so I simply wrote some Linux commands and PHP statements, but they didn’t work, so I decided to explore the flow of the “unserialize()” function.

Understanding the flow of unserialize() function:

unserialize — Creates a PHP value from a stored representation (definition by php.net)

After some more Google searching about unserialize(), I found that it is the opposite of serialize(): it decodes what serialize() encoded. So to understand it, I studied the serialize() function.

For example, if we want to serialize an array, we pass that array to serialize() and see what we get.
Code:
<?php
// Serialize a plain array to see the textual format unserialize() reads back
$a  = array("Danial","Ahmad","Waqas");
echo serialize($a);
?>

Output:

a:3:{i:0;s:6:"Danial";i:1;s:5:"Ahmad";i:2;s:5:"Waqas";}

Let’s understand the output now:

  • a:3:             =>        “a” means array, “3” means it has 3 elements
  • {i:0;             =>        “i” means an integer key, “0” is that key, i.e. index[0]
  • s:6:”Danial”; =>        “s” means string, “6” is its length, and “Danial” has length 6
  • and so on

When we pass this value to unserialize(), we get back the same array we started with.
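As an added example that is not part of the original post, the following Python reader parses exactly this format (the array above plus b, d, N and the O: object form) and reports whether a blob contains a serialized object, which is what a file-upload handler would want to know before anything calls unserialize() on it. The HACK_THIS_CLASS sample inside it is constructed from the class described earlier, and PHP’s own switch for the same check is unserialize($s, ['allowed_classes' => false]), which turns such entries into __PHP_Incomplete_Class so that no __wakeup() runs.

```python
from typing import Any, NamedTuple, Tuple
class PHPObject(NamedTuple):       # a decoded O:... entry; never instantiated as a class
    cls: str
    props: dict

def _pairs(buf: str, j: int, n: int) -> Tuple[dict, int]:
    # n key;value pairs starting at j; returns them and the index after the closing }
    out = {}
    for _ in range(n):
        k, j = _parse(buf, j)
        out[k], j = _parse(buf, j)
    return out, j + 1

def _parse(buf: str, i: int) -> Tuple[Any, int]:
    t = buf[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ibd":                                 # i:443;  b:1;  d:1.5;
        end = buf.index(";", i)
        return {"i": int, "b": lambda v: v == "1", "d": float}[t](buf[i + 2:end]), end + 1
    colon = buf.index(":", i + 2)
    n = int(buf[i + 2:colon])                      # declared byte length / element count
    if t == "s":                                   # s:6:"Danial";
        start = colon + 2                          # skip :"
        return buf[start:start + n], start + n + 2 # skip ";
    if t == "a":                                   # a:3:{key;value;...}
        return _pairs(buf, colon + 2, n)
    if t == "O":                                   # O:15:"HACK_THIS_CLASS":2:{props}
        cls = buf[colon + 2:colon + 2 + n]
        j = colon + n + 4                          # skip ": after the class name
        colon2 = buf.index(":", j)
        props, j = _pairs(buf, colon2 + 2, int(buf[j:colon2]))
        return PHPObject(cls, props), j
    raise ValueError(f"unsupported type {t!r} at offset {i}")

def loads(buf: str) -> Any:
    val, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after serialized value")
    return val

def contains_object(val: Any) -> bool:
    # True if any O: entry occurs anywhere; that is what ['allowed_classes' => false] blocks
    if isinstance(val, PHPObject):
        return True
    return isinstance(val, dict) and any(contains_object(v) for v in val.values())

ARRAY_SAMPLE = 'a:3:{i:0;s:6:"Danial";i:1;s:5:"Ahmad";i:2;s:5:"Waqas";}'  # from the post
# Constructed sample (assumption): a HACK_THIS_CLASS instance with the post's two fields.
OBJECT_SAMPLE = 'O:15:"HACK_THIS_CLASS":2:{s:4:"data";s:7:"zzzSTzz";s:4:"calc";N;}'
```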

Final Step:

Having analyzed and understood this, I copied the class to my XAMPP server and initialized the variable “$data” with “zzzSTzz”, which we found above.

Code for Creating a Serialized value of HACK_THIS_CLASS class

Then, like the example above, I first created an object of the class and then passed that object to serialize(), which returned a serialized value.

Output we need for the flag

It was time to test whether it works or not. I wrote this text into a file and uploaded it to the server. YAAHOOO \O/, I got a reply:

Flag found ==>@zzzSTzz.txt

As described above, I went to the path and entered the file name shown above, and yeah, found it.

POC of Flag


Ijaz Ur Rahim
Just a Newbie with some Random Penetrating and Programming Skills.
https://github.com/MrDebugger
