The website allows us to send two numbers/tokens and an operation among +, -, *, /.

Let’s send 1 + 2 to test it.

It calculated the result and gave us a token which is obviously base64 encoded.

Let’s decode the token.

It is a serialized object. Let’s try to modify its Expressionop and encode it again.

Remember the Share link after we created our token? It makes a request in the following form:

If we send our modified token to that link, we get the following response:

It tried to call the function AAAA() which is what we set as Expressionop. Now, we are able to call arbitrary functions in index.php. We can now try to call system function. However, Expressionparams is an array. We need to change it to a string parameter.

Let’s create a token that will call system(“ls”).

Here is the response for our new token:

It seems we don’t have much at /var/www/html directory. Let’s slightly modify it to list all the files in root directory.

Here we have the directory listing:

We are getting closer, fl4g_h4r3 looks promising. However, we don’t know if it is a file or a folder yet.

Let’s find it out.

Here is the response:

Now, we are know that it is a text file. Let’s print its content.

Here is our final response:

We got the flag KLCTF{f9f091be0ddb1703deb7004798f44709}.