Write-Ups

14 min read

Uni CTF 2022: UNIX socket injection to custom RCE POP chain - Spell Orsterra

This blog post will cover the creator's perspective, challenge motives, and the write-up of the web challenge Spell Orsterra from UNI CTF 2022.

Rayhan0x01 avatar

Rayhan0x01,
Dec 30
2022

Challenge summary 📄

The challenge portrays a fictional application with a heavy tech stack and involves exploiting Nginx UNIX socket injection, queued message handling deserialization, and custom POP chain to export PHP backdoor with PHP-GD image compression bypass.

🎮 PLAY THE TRACK

Challenge motives 🧭

The challenge showcased attack vectors based on recent research articles and a custom exploit chain to give players room to do their own research and think out of the box.

The exploit chain started with a simple UNIX socket injection in the reverse proxy leading to Redis injection. With Redis in use as an asynchronous message-handling transport, players were expected to research and find a deserialization sink and custom gadget chain to gain remote code execution.

Challenge write-up ✍️

Unlike traditional web challenges, we have provided the entire application source code. So, along with black-box testing, players can take a white-box pentesting approach to solve the challenge. We’ll go over the step-by-step challenge solution from our perspective on how to solve it.

Application at-a-glance 🕵️

The application homepage displays a login form. Since the application source code is provided, we can see from the challenge/migrations/db.sql file that the login credentials are admin:admin. After logging in, we are redirected to the following dashboard page: