NetOn CTF 2021 - Welcome to Filterland

Web – 208 pts (24 solves) – Chall author: eljoselillo7

Simple web challenge where we need to bypass the PHP strcmp() function.



The website asks us for a password, nothing more, nothing less. Using the browser's inspect tool (F12), we see that it posts our input to check.php. It also tells us they have made the PHP file available to us, so of course, we take a look :).

    $FLAG = file_get_contents("/flag.txt"); // SECRET
    $PASSWORD = $_POST['password']; // User password

    // Filter: replace the correct password wherever it appears in the input
    $PASSWORD = str_replace("s4cuRe_p4sW0rD", "Nice_try!", $PASSWORD); // Replace

    // Loose comparison (==) against strcmp()'s return value
    if (strcmp('s4cuRe_p4sW0rD', $PASSWORD) == 0) { // Check
        echo $FLAG;
        header("Location: /fail.html");
    }
    else {
        echo "Give me what I'm looking for ):";
    }


So the correct password is ‘s4cuRe_p4sW0rD’, but they filter it out of our input, how cheeky :c. Fortunately, or rather unfortunately, there is a weakness in how this check uses PHP's strcmp() function. If, instead of a string, we pass something PHP recognises as an array, the check evaluates to true regardless of our input :).

I first tried to use HTML by going to the link[]=oops

However, this did not work, so I used curl instead:

$ curl -d password[]=oops

which happily returns our desired flag.
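Why the array gets through, and a check that rejects it, as an added example rather than code from the challenge: on PHP before 8.0, strcmp() given an array returns NULL, and the loose comparison NULL == 0 is true, while PHP 8 throws a TypeError instead. The function names and sample inputs below are constructed for illustration.

```php
<?php
// Added example, not the challenge's code: the check.php logic beside a hardened check.
const SECRET = 's4cuRe_p4sW0rD';

// Same logic as check.php: str_replace() filter, then a loose comparison of strcmp()'s result.
function vulnerable_check($input): bool
{
    // With an array subject, str_replace() filters each element and returns an array.
    $input = str_replace(SECRET, 'Nice_try!', $input);
    try {
        // PHP < 8: strcmp() with an array emits a warning (suppressed here) and
        // returns NULL; NULL == 0 is true under loose comparison.
        return @strcmp(SECRET, $input) == 0;
    } catch (TypeError $e) {
        // PHP >= 8: strcmp() throws TypeError for an array argument.
        return false;
    }
}

// Hardened: reject anything that is not a string, then compare in constant time.
function hardened_check($input): bool
{
    return is_string($input) && hash_equals(SECRET, $input);
}

// Constructed inputs: the values PHP builds for password=oops, password[]=oops,
// and the real password submitted as a plain string.
$samples = [
    'plain string'  => 'oops',
    'array payload' => ['oops'],
    'real password' => SECRET,
];

foreach ($samples as $label => $value) {
    printf(
        "%-14s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export(vulnerable_check($value), true),
        var_export(hardened_check($value), true)
    );
}
```

Running it under a PHP 7 and a PHP 8 interpreter shows the difference in the `array payload` row; the hardened check gives the same answer on both.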