This is my writeup of the 250 points challenge 'Destuctoid' in Imaginary CTF 2021.

This is the challenge's description

There are a youtube link link to the 'We Are Destroyer' song by Anberlin (it was good :D) although we really dont need this hint.

Here is the front page of the site

Reverse the text and i got Can you find my ?source so i requested to 'https://destructoid.chal.imaginaryctf.org/?source'

Here is what i got

So basically we must exploit the unserialize vulnerability from the `$_SERVER['HTTP_X_PADYLOAD]'`

We can set it with our request header 'X-PAYLOAD'

For who doesn't know:

__construct function is automatically called when we create an object
__wakeup function is automatically called when we unserialize a serialized object
__toString function is automatically called when we echo an object

Look at the code, we see that `$printflag` is set to false and only change to true if the `__toString` function of class Y invoked

To invoke the `__toString` we must `echo` a Y object, here we only see one `echo`

What does that mean? So basically the `echo` will be called when the `__wakeup` is called (mean that a Y object is unserialized)

So we can construct our Y class like this:

Then after we serialize this `exploit` object and send to server, when it's unserialized the Y object inside will be echoed and set the $printFlag to true

Cool, so we got in the `__destruct` function of X class (pay attention to the No! with 'o' lowercase)

Now return to class X

We see from class Y that a Y object's secret will be passed in to class X as `$cleanup` and create a new X object. If `$cleanup` is 'flag' it will be blocked by the `construct` function of X class. So we have to reach the `destruct` function without creating a new X object

Here is what i did:

So when the inside Y object is echoed, it will create a new X object with the `$cleanup` equal to a X object with its own `$cleanup` is 'flag' (confusing right? try to imagine it as X inside X)

So then we can pass the `contruct` function and when the `destruct` of the inside X object is called, we got the flag

I know it's really confusing, just take time to think and you will understand

Star me if you found this useful

Credit: psycholog1st

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

This is my writeup of the 250 points challenge 'Destuctoid' in Imaginary CTF 2021.

This is the challenge's description

There are a youtube link link to the 'We Are Destroyer' song by Anberlin (it was good :D) although we really dont need this hint.

Here is the front page of the site

Reverse the text and i got Can you find my ?source so i requested to 'https://destructoid.chal.imaginaryctf.org/?source'

Here is what i got

So basically we must exploit the unserialize vulnerability from the `$_SERVER['HTTP_X_PADYLOAD]'`

We can set it with our request header 'X-PAYLOAD'

For who doesn't know:

Look at the code, we see that `$printflag` is set to false and only change to true if the `__toString` function of class Y invoked

To invoke the `__toString` we must `echo` a Y object, here we only see one `echo`

What does that mean? So basically the `echo` will be called when the `__wakeup` is called (mean that a Y object is unserialized)

So we can construct our Y class like this:

Then after we serialize this `exploit` object and send to server, when it's unserialized the Y object inside will be echoed and set the $printFlag to true

Cool, so we got in the `__destruct` function of X class (pay attention to the No! with 'o' lowercase)

Now return to class X

We see from class Y that a Y object's secret will be passed in to class X as `$cleanup` and create a new X object. If `$cleanup` is 'flag' it will be blocked by the `construct` function of X class. So we have to reach the `destruct` function without creating a new X object

Here is what i did:

So when the inside Y object is echoed, it will create a new X object with the `$cleanup` equal to a X object with its own `$cleanup` is 'flag' (confusing right? try to imagine it as X inside X)

So then we can pass the `contruct` function and when the `destruct` of the inside X object is called, we got the flag

I know it's really confusing, just take time to think and you will understand

Star me if you found this useful

Credit: psycholog1st

Files

README.md

Latest commit

History

README.md

File metadata and controls

This is my writeup of the 250 points challenge 'Destuctoid' in Imaginary CTF 2021.

This is the challenge's description

There are a youtube link link to the 'We Are Destroyer' song by Anberlin (it was good :D) although we really dont need this hint.

Here is the front page of the site

Reverse the text and i got Can you find my ?source so i requested to 'https://destructoid.chal.imaginaryctf.org/?source'

Here is what i got

So basically we must exploit the unserialize vulnerability from the $_SERVER['HTTP_X_PADYLOAD]'

We can set it with our request header 'X-PAYLOAD'

For who doesn't know:

Look at the code, we see that $printflag is set to false and only change to true if the __toString function of class Y invoked

To invoke the __toString we must echo a Y object, here we only see one echo

What does that mean? So basically the echo will be called when the __wakeup is called (mean that a Y object is unserialized)

So we can construct our Y class like this:

Then after we serialize this exploit object and send to server, when it's unserialized the Y object inside will be echoed and set the $printFlag to true

Cool, so we got in the __destruct function of X class (pay attention to the No! with 'o' lowercase)

Now return to class X

We see from class Y that a Y object's secret will be passed in to class X as $cleanup and create a new X object. If $cleanup is 'flag' it will be blocked by the __construct function of X class. So we have to reach the __destruct function without creating a new X object

Here is what i did:

So when the inside Y object is echoed, it will create a new X object with the $cleanup equal to a X object with its own $cleanup is 'flag' (confusing right? try to imagine it as X inside X)

So then we can pass the __contruct function and when the __destruct of the inside X object is called, we got the flag

I know it's really confusing, just take time to think and you will understand

Star me if you found this useful

Credit: psycholog1st

So basically we must exploit the unserialize vulnerability from the `$_SERVER['HTTP_X_PADYLOAD]'`

Look at the code, we see that `$printflag` is set to false and only change to true if the `__toString` function of class Y invoked

To invoke the `__toString` we must `echo` a Y object, here we only see one `echo`

What does that mean? So basically the `echo` will be called when the `__wakeup` is called (mean that a Y object is unserialized)

Then after we serialize this `exploit` object and send to server, when it's unserialized the Y object inside will be echoed and set the $printFlag to true

Cool, so we got in the `__destruct` function of X class (pay attention to the No! with 'o' lowercase)

We see from class Y that a Y object's secret will be passed in to class X as `$cleanup` and create a new X object. If `$cleanup` is 'flag' it will be blocked by the `construct` function of X class. So we have to reach the `destruct` function without creating a new X object

So when the inside Y object is echoed, it will create a new X object with the `$cleanup` equal to a X object with its own `$cleanup` is 'flag' (confusing right? try to imagine it as X inside X)

So then we can pass the `contruct` function and when the `destruct` of the inside X object is called, we got the flag