diff --git a/2020/whitehat-grandprix-2020/web05/README.md b/2020/whitehat-grandprix-2020/web05/README.md new file mode 100644 index 00000000..5631ac5d --- /dev/null +++ b/2020/whitehat-grandprix-2020/web05/README.md @@ -0,0 +1,62 @@ +# Web 05 +The challenge has source code (luckily). + +We can trigger deserialization because of following vulnerable code: +``` + try { + if ($imageInfo['Height'] && $imageInfo['Width']) { + $height = $imageInfo['Height']; + $width = $imageInfo['Width']; + } else { + list($width, $height) = getimagesize($image); + } + +``` +`getimagesize()` accepts attacker controllable URI. If we pass `phar://` scheme it would trigger phar deserialization. + +One more thing we need to care of is our phar archive must be a valid image (or at least look like it). There's a known solution for this problem. + +The server uses `http guzzle` that again, fortunately for us, has needed gadget achieve RCE on the server. +The `php-ggc` framework contains a generator code that is changed so that it would generate phar/image polyglot. + +The modified code is shown below: +``` +setMetadata($a); + $p->setStub("\xff\xd8\xff\xe0\x0a"); + } +} + +``` + +We upload this "image" to server and record the path. +Then we generate html page that would point to it. +``` + + +pwn image here + + + +``` +Then we fetch image from our server and get RCE. + +## Flag +`WhiteHat{ph4r_d3_w1th_4_t1ny_b4ck_do0r_7fc88491}`
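Review bot: both code blocks in the hunk are incomplete and cannot be reproduced from this README: the modified phpggc generator fragment begins at `setMetadata($a);` with no class or method header above it, and the HTML page block has lost all of its tags (only `pwn image here` remains), most likely because raw `<` characters were not escaped; restore the full snippets and tag the fences as ```php and ```html so they render. The opening block would also benefit from one line stating where `$image` comes from and that the scheme is never checked before `getimagesize($image)`, since that is the whole defensive takeaway (rejecting anything other than `http(s)` before the call, or validating the bytes, closes the `phar://` path described). Minor wording: `http guzzle` should read `Guzzle HTTP`, `php-ggc` should be `phpggc`, and `has needed gadget achieve RCE` is missing `the` and `to`.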