This blog post will cover the creator’s perspective, challenge motives, and the write-up of the web challenge Spell Orsterra from UNI CTF 2022. The challenge portrays a fictional application with a heavy tech stack and involves exploiting Nginx UNIX socket injection, queued message handling deserialization, and custom POP chain to export PHP backdoor with PHP-GD image compression bypass.
HTB uni-ctf ctf web nginx unix-socket-injection redis php-messenger deserialization pop-chain php-gd idat-chunks rce write-up