[Sekai CTF][Web Application] - ⚙️ Sekai Game Start
This is my writeup for the "Sekai Game Start" challenge on the Sekai CTF platform.
The main challenge page shows the application's PHP source code. My first idea is insecure PHP deserialization, and this theory is reinforced when I see the unserialize function in the code. The goal is for the server to display the line containing the flag: "Sekai Game Start Here is your flag".getenv('FLAG'). This call is made in the __destruct() function of the Sekai_Game class, which runs when an object of that class is destroyed.
The code also indicates that the sekai_game.run parameter is our injection point, because its value is what the server deserializes. When we add this parameter to our query, absolutely nothing happens, as if it were ignored.
In order for the server to process our parameter, we must replace the underscore (_) with a left bracket ([), which the server converts back into an underscore (PHP is weird).
The following bug report indicates that the C: serialization format does not support the __wakeup function, which is ignored when the object is created: PHP Bug. This means the start variable, which defaults to true, will not be changed when the object is created. All you have to do is serialize the Sekai_Game class in that format and the flag will appear in the server's response.
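As an added example (not the challenge's source code and not the author's), the following PHP script places the weak pattern the writeup describes next to a hardened loader. The Sekai_Game class here is a stand-in that only mirrors what the writeup says about the real one (a start flag, a __wakeup() guard, a __destruct() that acts on the flag; the real destructor prints the flag line, the stand-in just echoes a marker). The helpers safe_unserialize() and contains_object() are hypothetical names introduced for this example, and the serialized inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for the class the writeup describes (assumption: not the real code).
class Sekai_Game
{
    public bool $start = true;

    // Intended guard: runs for an O: payload, but per the PHP bug the writeup
    // cites it is skipped when the object arrives in the C: format, so it is
    // not a reliable defence on its own.
    public function __wakeup(): void
    {
        $this->start = false;
    }

    public function __destruct()
    {
        if ($this->start) {
            echo "[stand-in] destructor ran with start=true" . PHP_EOL;
        }
    }
}

// Weak pattern: every class in the codebase (and its __wakeup/__destruct chain)
// can be instantiated from bytes the client controls.
function weak_load(string $data): mixed
{
    return unserialize($data);
}

// Hardened pattern: refuse to instantiate any class at all. With
// allowed_classes => false PHP swaps every O:/C: object for
// __PHP_Incomplete_Class, whose magic methods never run, and we then reject
// the result so nothing object-shaped reaches the application.
function safe_unserialize(string $data): mixed
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized input');
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Recursive check: true if any object (including __PHP_Incomplete_Class)
// survived deserialization, even when nested inside arrays.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a harmless scalar array, and an O: object for the
// stand-in class written as a literal so no Sekai_Game instance is created.
$plain  = 'a:1:{s:3:"run";i:1;}';
$object = 'O:10:"Sekai_Game":1:{s:5:"start";b:1;}';

var_dump(safe_unserialize($plain));   // array(1) { ["run"]=> int(1) }

try {
    safe_unserialize($object);        // rejected before any destructor can run
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The design choice worth noting is that the hardened loader does not try to enumerate "safe" classes: an allowlist still lets a listed class's destructor fire, and the writeup shows that __wakeup cannot be counted on to reset state first. Where the data never needs objects at all, swapping unserialize() for json_decode() removes the class-instantiation surface entirely.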