35C3 CTF Write-up: php

php (web)

PHP’s unserialization mechanism can be exceptional. Guest challenge by jvoisin.

Files at https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar. Challenge running at: nc 35.242.207.13 1

This challenge exposes a service written in PHP, and as you can guess, it has something to do with unserialization.

The single source file is straightforward to understand:

<?php

$line = trim(fgets(STDIN));

$flag = file_get_contents('/flag');

class B {
  function __destruct() {
    global $flag;
    echo $flag;
  }
}

$a = @unserialize($line);

throw new Exception('Well that was unexpected…');

echo $a;

Your goal is to get the flag printed by somehow getting the destructor of class B to execute.

Continue reading

Advertisements