This blog post covers the creator’s perspective, the challenge motives, and the write-up of the web challenge Spell Orsterra from UNI CTF 2022. The challenge portrays a fictional application with a heavy tech stack and involves exploiting Nginx UNIX socket injection, deserialization in queued message handling, and a custom POP chain to export a PHP backdoor with a PHP-GD image compression bypass.
HTB
uni-ctf
ctf
web
nginx
unix-socket-injection
redis
php-messenger
deserialization
pop-chain
php-gd
idat-chunks
rce
write-up