Remote Code Execution via Session - InsomniHack Teaser 2018
This year’s Insomni’Hack had pretty much decent challenges even though it took some time before my team could solve. The first challenge being,
VulnShop. A pretty straightforward description with a few functionalities in the page along with the source code made it neat and clean.
Going through the source code, two particular function caught my attention:
$_SESSION['challenge'] does something very interesting which is basically creating a file after calling the
which basically stores a random number between the specified value and in return requesting for
captcha creates a file with the same generated number.
Let that be pretty much and let’s move ahead in the source code. The very next piece of code,
we can see how the request is made, mainly two parameters as
The next part is the main aim of getting the flag. So according to the description and what we understood from the source code, what we can do is, we will make it into 3 steps:
1) Create a file by calling
2) Write whatever we want to the file, say
3) Copy the contents of that particular file to the session variable
4) Execute it
Also there were a few function which were disabled that could be seen in
The script below does all in one go:
Towards the end, we call the function
verifyFromMath which returns the desired string.
Catch me in Twitter.
Enjoy Reading This Article?
Here are some more articles you might like to read next: