added writeups exported from ctfnote

2026-04-01 21:47:42 +02:00 · 2026-04-01 21:47:42 +02:00 · a37637a794
commit a37637a794
parent 77ed881028
30 changed files with 1487 additions and 0 deletions
--- a/POP-Restaurant-web-easy.md
+++ b/POP-Restaurant-web-easy.md
@ -0,0 +1,55 @@
+# POP Restaurant - web - easy
+
+## Description
+
+Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application.
+
+----
+
+## General
+- Flag is under `/`, e.g: `/sXrq5wWZZYpMh_flag.txt`
+    - Therefore name is not predictable - probably RCE needed?
+    - 
+
+explanation of the attack vector
+https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+
+
+## Compose
+
+Place one directory level above the provided challenge folder.
+
+Launch with `docker compose up --watch`.
+
+```yaml
+services:
+  web-pop_restaurant:
+    build:
+      context: ./challenge # if one level above provided challenge files. 
+      dockerfile: Dockerfile
+    container_name: web-pop_restaurant
+    ports:
+      - "1337:80"
+    stdin_open: true
+    tty: true
+    develop:
+      watch:
+        - action: sync
+          path: ./challenge/challenge
+          target: /var/www/html
+          ignore:
+            - .git/
+        - action: sync
+          path: ./challenge/flag.txt
+          target: /flag.txt
+```
+
+## `order.php`
+
+```php=16
+$order = unserialize(base64_decode($_POST['data']));
+```
+
+User controlled input, unsaitized, send to unserialize().
+
+Thats bad :(