php (web)
PHP’s unserialization mechanism can be exceptional. Guest challenge by jvoisin.
Files at https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar. Challenge running at:
nc 35.242.207.13 1
This challenge exposes a service written in PHP, and as you can guess, it has something to do with unserialization.
The single source file is straightforward to understand:
<?php

$line = trim(fgets(STDIN));

$flag = file_get_contents('/flag');

class B {
  function __destruct() {
    global $flag;
    echo $flag;
  }
}

$a = @unserialize($line);

throw new Exception('Well that was unexpected…');

echo $a;
Your goal is to get the flag printed by somehow getting the destructor of class B to execute.
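Seen from the defender's side, the root issue in the snippet above is that `unserialize()` is allowed to instantiate any class the script declares. The following is an added example, not part of the challenge source; `decode_untrusted`, the counter inside `B` and the sample string are constructed for illustration. It contrasts the default call with one that disables object instantiation through the `allowed_classes` option (PHP 7.0 and later).

```php
<?php
// Added example, not the challenge's code. B mirrors the challenge's class,
// but its destructor bumps a counter instead of printing a flag.
class B {
    public static $destructed = 0;
    function __destruct() { self::$destructed++; }
}

// Decode untrusted input with object instantiation disabled. Serialized
// objects come back as inert __PHP_Incomplete_Class values and are rejected.
function decode_untrusted(string $line) {
    $value = @unserialize($line, ['allowed_classes' => false]);
    if ($value === false && $line !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    $stack = [$value];
    while ($stack) {
        $item = array_pop($stack);
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('serialized objects are not accepted');
        }
        if (is_array($item)) {
            foreach ($item as $child) { $stack[] = $child; }
        }
    }
    return $value;
}

// Constructed sample input: a serialized instance of B with no properties.
$sample = 'O:1:"B":0:{}';

// Default call, as in the challenge: a real B is built, and its destructor
// fires when the last reference to it goes away.
$obj = @unserialize($sample);
unset($obj);
echo "default unserialize: destructor calls = ", B::$destructed, "\n";

B::$destructed = 0;
try {
    decode_untrusted($sample);
} catch (UnexpectedValueException $e) {
    echo "hardened decode rejected input: ", $e->getMessage(), "\n";
}
echo "hardened decode: destructor calls = ", B::$destructed, "\n";
```

Where the input only ever needs to carry plain data, replacing `unserialize()` with `json_decode()` removes the class-instantiation path entirely.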