
Would you like to run this Docker container locally?

docker run -d -p 9019:80 --restart always --name flag-p joshbeck2024/ctf-php-deserialization-flag-p

IP Address: 172.25.200.200

Port: 9019

NOTE: The flag is in /flag/flag.txt

Let’s look at the first part of welcome_user.php where a cookie is unserialized and a value can be printed:

<?php
if (isset($_COOKIE['newuser'])) {
    // VULNERABILITY HERE
    $var1 = unserialize($_COOKIE['newuser']);

    echo "<h1>Hello there!</h1>";

    if (isset($var1->name)) {
        echo "<p class='user-name'>Welcome " . htmlspecialchars($var1->name) . "</p>";
    } else {
        echo "<p>I don't know your name!</p>";
    }

    echo "<p>Enjoy your bowl of cereal!</p>";
}
?>

$var1 becomes an instance of whatever class the serialized string in the newuser cookie declares, so the client, not the server, decides which class gets instantiated.

When you use unserialize(), it takes a string representation of an object and recreates the object in PHP memory.
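For contrast with the vulnerable snippet above, here is a hardened version of the same welcome page. This is an added example, not code from the original write-up or the challenge container. It assumes a server-side secret (COOKIE_SECRET is a placeholder) and replaces the raw unserialize() call with a JSON payload protected by an HMAC, so the server only accepts cookie data it issued itself; a fallback shows the allowed_classes option for the case where legacy serialized cookies must still be read.

```php
<?php
// Added example (not part of the original write-up): hardened welcome_user.php.
// The original calls unserialize() on a client-controlled cookie, so the client
// chooses which class gets instantiated. Two defences are shown:
//   1. carry the cookie as JSON plus an HMAC tag and refuse anything unsigned;
//   2. if legacy serialized cookies must still be accepted, pass
//      allowed_classes => false so no application class is ever instantiated.

// Assumed placeholder: in deployment load this from configuration, never commit it.
const COOKIE_SECRET = 'CHANGE-ME-long-random-secret';

// Issue the cookie: base64(JSON payload) . '.' . hex HMAC-SHA256 tag.
function make_user_cookie(array $data, string $secret): string
{
    $payload = json_encode($data, JSON_THROW_ON_ERROR);
    $tag = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $tag;
}

// Verify and decode the cookie; returns null on any malformed or tampered input.
function read_user_cookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $tag] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Constant-time comparison so timing differences do not leak the tag.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $tag)) {
        return null;
    }
    $data = json_decode($payload, true); // arrays only, never objects
    return is_array($data) ? $data : null;
}

// Transitional fallback for old-style serialized cookies: with
// allowed_classes => false, any object in the string becomes
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an application
// class can run. Prefer read_user_cookie() for anything new.
function legacy_unserialize_safe(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

if (isset($_COOKIE['newuser'])) {
    $user = read_user_cookie($_COOKIE['newuser'], COOKIE_SECRET);

    echo "<h1>Hello there!</h1>";

    if ($user !== null && isset($user['name']) && is_string($user['name'])) {
        echo "<p class='user-name'>Welcome "
            . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8') . "</p>";
    } else {
        echo "<p>I don't know your name!</p>";
    }

    echo "<p>Enjoy your bowl of cereal!</p>";
}
```

The key change is that the cookie no longer carries a type at all: json_decode() with the associative flag yields plain arrays, and the HMAC check rejects any value the server did not mint, so editing the cookie by hand simply falls through to the "I don't know your name!" branch.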

Open up Kali and create a file called MySerializedObject.php:

<?php
$myObject = new stdClass();
$myObject->name = 'Hello World';

// Serialize the object
$serializedObject = serialize($myObject);

echo(urlencode($serializedObject));
?>

Run this code at the CLI to produce a serialized object.

php -q MySerializedObject.php