I spent nearly 6 hours breaking through the black-box WAF of this SQL injection challenge.
The challenges created by @Phith0n can always surprise me and help me learn a lot.
One day, I found that PEiD showed me the wrong packer information. Here, I decided to unpack the exe with my own hands.
This is my first time testing the power of phar:// unserialization since I heard about this skill at Black Hat 2018. I will share my experience not only of how to exploit it but also of setting up the environment.
Having a chance to create a challenge for PatriotCTF is very exciting. Besides, I really learned something through this experience (about 1pwnch’s Bakery). Therefore, this post will also focus on the writeup of it.