b64

Challenge

This Web challenge consists of a simple web application with base64 encoding and decoding functionality.

Both encoding and decoding are handled by the same endpoint (run.php); only one parameter in the request body changes between the two operations.

When I changed the func parameter value to a random string, the response was an Internal Server Error with a 500 status code.

Exploit

At this point I guessed, based on the parameter names, that the server creates an object of the class named in the class parameter and then calls the method named by the func parameter on it, passing the value of input as the argument. Something similar to the following code:

<?php
// Guessed shape of the vulnerable handler: class name, method name and
// argument are all taken straight from the POST body.
$class = new $_POST['class'];      // user-chosen class is instantiated
$func = $_POST['func'];            // user-chosen method name
$param = $_POST['input'];          // user-chosen argument
$ret = $class->$func($param);      // dynamic method call on the new object

Note: I am a total noob at coding PHP, and the code snippet is only a guess at how the application was implemented. Thanks to the following question on Stack Overflow:

To confirm my theory I searched for built-in classes in PHP 8.1.8 and found the DateTime class with a getTimestamp() function that returns the timestamp at the moment of execution. I sent this in my request and it worked!!!
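For contrast with the guessed handler above, here is an added example (not the challenge's code) of what a hardened run.php-style handler looks like: the request only selects an operation from a fixed allowlist, and no user-supplied string is ever used as a class or method name. The parameter names class, func and input are the ones from the write-up; the function names and sample requests are assumptions.

```php
<?php
// Added example, not the challenge's own code. Shows the dangerous pattern
// from the write-up next to an allowlisted version of the same feature.
declare(strict_types=1);

// Vulnerable shape (assumed, mirrors the write-up's guess): any class that
// exists in the runtime can be instantiated and any public method called.
function run_unsafe(array $post): string
{
    $class = new $post['class'];
    $func  = $post['func'];
    return (string) $class->$func($post['input']);
}

// Hardened shape: map the user's choice onto a closed set of closures.
// The user never names a class or a method, only a key in this table.
function operations(): array
{
    return [
        'encode' => static fn(string $s): string => base64_encode($s),
        'decode' => static function (string $s): string {
            // strict mode rejects bytes outside the base64 alphabet
            $out = base64_decode($s, true);
            return $out === false ? 'invalid base64' : $out;
        },
    ];
}

function run_safe(array $post): string
{
    $func  = $post['func']  ?? '';
    $input = $post['input'] ?? '';

    // Reject anything that is not a known operation key before touching it.
    if (!is_string($func) || !array_key_exists($func, operations())) {
        return 'unknown operation';
    }
    if (!is_string($input) || strlen($input) > 4096) {
        return 'bad input';
    }
    return operations()[$func]($input);
}

// Constructed requests for a CLI run; not real traffic.
if (PHP_SAPI === 'cli') {
    var_dump(run_safe(['func' => 'encode', 'input' => 'hello']));
    var_dump(run_safe(['func' => 'decode', 'input' => 'aGVsbG8=']));
    // A class/method pair like the write-up's DateTime/getTimestamp probe is
    // simply an unknown key here; the class parameter is never read at all.
    var_dump(run_safe(['class' => 'DateTime', 'func' => 'getTimestamp', 'input' => '']));
}
```

The point of the table of closures is that the set of reachable code is fixed at write time: adding a new operation means adding a key, and a request can only ever select among those keys. Length-capping the input and using strict base64 decoding are incidental hardening for the same endpoint.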

At that moment I was pretty happy, because I had understood how the application worked without seeing any code and with limited knowledge of PHP applications.

So all I needed was a class and a function that would return the value of the flag stored at /flag on the server. To do this I tried SplFileObject with __construct(), instantiating the class with /flag as the parameter to get its contents. Unfortunately, the functionality has a filter and it blocked me. 😒

BUT I AM BRAZILIAN, AND BRAZILIANS NEVER GIVE UP!!!!!

Reading about that class in the PHP docs, I saw a parent class named SplFileInfo. It looked interesting, so I tried it. And to my surprise, it worked! I could bypass the filter and call the getFileInfo() function, which returned the file name, as you can see in the image below.

Searching a little more, I found my final exploit, using the openFile() function to read the flag on the remote server.

This challenge was amazing, I really enjoyed solving it and it taught me some new tricks! And a special thanks to @celesian for sharing with me an amazing paper about "Exploiting Arbitrary Object Instantiations in PHP without Custom Classes".
