The challenge description was minimal, just telling us about an image sharing service:
Sharing is caring. For picture wizard use only.
This challenge was about exploiting an XXE through an SVG, then invoking a PHP Object Injection through the phar:// and finally get
We ran a directory scan on the target to see if any juicy file could be found.
By visiting the robots.txt file it was possible to find the path of the zip containing the source code.
By visiting the .gitignore file it was possible to see that an inaccessible file, flag_dispenser, was present in the webroot.
It took 30 seconds to understand that there was a very easy-to-trigger SVG file parsing.
Using the following SVG file it was possible to confirm the
At that point we were like “OK, it’s time for a first blood!!11!!1”!
We spawned FTP and HTTP services to retrieve data OOB and we weaponized the
php://filter was used in order to exfiltrate data in base64, which prevents problems with new lines, encoding, etc.
We uploaded the malicious SVG and boom, we received the /etc/passwd file via
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
We changed the path from /etc/passwd in the evil.xml file to
we received the flag.
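The XXE above works because the image service hands a user-supplied SVG to an XML parser that honours DOCTYPE and entity declarations. The following validator is an added example (not code from this writeup or from the challenge), written in Python to show the defensive side: it parses an uploaded SVG with expat, records any DOCTYPE, entity declaration or external entity reference without ever fetching the referenced resource, rejects the upload if any were seen, and insists on an `svg` root element. The two sample documents are constructed inline; the `file:///etc/passwd` entity only mirrors the file read shown above.

```python
import xml.parsers.expat


class UnsafeSvgError(ValueError):
    """Raised when an uploaded SVG uses DTD features that enable XXE."""


def check_svg_upload(data: bytes) -> str:
    """Parse an uploaded SVG, refusing DOCTYPE/entity declarations and never
    fetching external resources. Returns the root element name on success and
    raises UnsafeSvgError otherwise."""
    findings = []
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        msg = f"DOCTYPE for {name!r}"
        if sysid:
            msg += f" with external DTD {sysid!r}"
        findings.append(msg)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        where = "external" if sysid else "internal"
        findings.append(f"{where} {kind} entity {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Called when the document references an external entity. We record it
        # and return 1 (keep parsing) without opening the file or URL, so the
        # server never reads a local file or makes an outbound connection.
        findings.append(f"external entity reference to {sysid!r}")
        return 1

    def on_start(tag, attrs):
        if not root:
            root.append(tag)

    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities or load an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSvgError(f"not well-formed XML: {exc}") from None
    if findings:
        raise UnsafeSvgError("; ".join(findings))
    if not root or root[0] != "svg":
        raise UnsafeSvgError(f"root element is {root[0] if root else None!r}, expected 'svg'")
    return root[0]


# Constructed sample uploads: a harmless icon and a textbook XXE document.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<rect width="10" height="10"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')

if __name__ == "__main__":
    print("clean:", check_svg_upload(CLEAN_SVG))
    try:
        check_svg_upload(XXE_SVG)
    except UnsafeSvgError as err:
        print("rejected:", err)
```

Rejecting at the DOCTYPE rather than trying to filter individual entities is the safer choice, since an SVG icon has no legitimate need for a DTD. On the PHP side the equivalent is to parse without `LIBXML_NOENT` and `LIBXML_DTDLOAD` and, on PHP versions before 8.0 (where external entity loading became disabled by default), to call `libxml_disable_entity_loader(true)` first.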
We spent hours trying to read various files to understand wheredaphrack the flag was, without success. We also asked the organizers if everything was working correctly and the answer was always “yes”.
When we were pretty close to giving up we remembered the phar:// handler, which in PHP allows performing a PHP Object Injection.
To exploit it we needed:
- The ability to force the server to visit a phar:// URI, which was possible via the
- The ability to upload a malicious phar archive on the server, which was possible only if the PHAR archive was also a valid
- A gadget for our deserialization exploit, which was present in the system function called in the __destruct of the
Using some Google-fu we found a PHP script which, with very few changes, was used to generate a PHAR which was also a valid
Image object was used to trigger the command injection in the
We uploaded the generated polyglot PHAR to the server, and then triggered the deserialization via the following
And boom we visited the downloaded webshell which executed our commands.
Then it was just a matter of executing /var/www/html/flag_dispenser, which happened to be a binary file, executable by anyone but readable only by root, to get the flag:
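The phar chain above needs two things the application granted: an upload check that only looked at the image header, and a file function that accepted a `phar://` path. The following is an added example (Python, not code from this writeup or from the challenge) of the two server-side checks that break the chain: a scan of the uploaded bytes for the markers every phar archive carries (the mandatory `__HALT_COMPILER();` stub terminator and, on signed archives, the `GBMB` magic in the last four bytes), reported alongside the image type the header claims so that an image/phar polyglot stands out; and a path check that refuses any stream wrapper or traversal before a path is handed to a file function. The accepted image formats and the sample uploads are constructed assumptions.

```python
import re

# Image formats the upload endpoint is assumed to accept, keyed by magic bytes.
IMAGE_MAGIC = {
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
}
PHAR_STUB_MARKER = b"__HALT_COMPILER();"  # required at the end of every phar stub
PHAR_SIGNATURE_MAGIC = b"GBMB"            # last four bytes of a signed phar
# Anything that starts like "scheme:" is a PHP stream wrapper (phar://, php://,
# file://, data:, ...) rather than a plain path.
_SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def inspect_image_upload(data: bytes) -> dict:
    """Report what the upload claims to be and whether it also carries a phar
    archive. 'polyglot' is True when a recognised image header coexists with
    the phar stub marker, which is exactly the shape of an image/phar polyglot."""
    image_type = next(
        (kind for magic, kind in IMAGE_MAGIC.items() if data.startswith(magic)), None
    )
    has_stub = PHAR_STUB_MARKER in data
    has_signature = data.endswith(PHAR_SIGNATURE_MAGIC)
    return {
        "image_type": image_type,
        "phar_stub": has_stub,
        "phar_signature": has_signature,
        "polyglot": image_type is not None and has_stub,
    }


def is_plain_relative_path(path: str) -> bool:
    """True only for a bare relative path: no stream wrapper, no absolute
    prefix, no '..' component. Only such values should reach file_exists(),
    getimagesize() or similar calls."""
    if _SCHEME_PREFIX.match(path):
        return False
    if path.startswith(("/", "\\")):
        return False
    if ".." in re.split(r"[\\/]", path):
        return False
    return bool(path)


# Constructed samples: a plain GIF and a GIF-headed blob shaped like a signed phar
# (header, stub terminator, padding standing in for the manifest, signature tail).
CLEAN_GIF = b"GIF89a" + b"\x00" * 24
POLYGLOT_GIF = (b"GIF89a <?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 32
                + b"\x02\x00\x00\x00" + PHAR_SIGNATURE_MAGIC)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF)):
        print(name, inspect_image_upload(blob))
    for p in ("uploads/cat.gif", "phar://uploads/cat.gif", "../flag_dispenser"):
        print(p, "->", "ok" if is_plain_relative_path(p) else "rejected")
```

The stub marker check is the one that matters: the phar format places no constraint on what precedes `__HALT_COMPILER();`, which is why a file can start with a valid image header and still be a loadable archive, while the signature trailer can be dropped by an author who disables `phar.require_hash`. The path check is the cheaper and more general fix, since it removes the `phar://` trigger regardless of what was uploaded; since PHP 8.0 phar metadata is also no longer unserialized automatically on stream-wrapper access, only on an explicit `Phar::getMetadata()` call.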