web hacking

This problem occurs when user input is passed directly to unserialize() function. We will learn how to invoke deserialization without using unserialize() function.

TCP1PCTF was organized by Indonesian and it was opened to anyone. For this challenge specifically, it was really good. I do need to read the source code as well as chaining multiple vulnerabilities such as SQL Injection, SSRF and Insecure Deserialization to get RCE.

This is a web challenge related to TOTP and some bruteforce operation.