25 Nov

PicoCTF 2013 – PHP2

Points: 85

Text: We found a simple web page that seems to want us to authenticate, but we can’t figure out how… can you?

Solution: When we look at https://2013.picoctf.com/problems/php2/index.phps we see the code that is used to authenticate:

<?
if(eregi("admin",$_GET[id])) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx </p>";
}
?>


<br><br>
Can you authenticate to this website?
<!-- source: index.phps -->

We can see it reads an id parameter from the URL query string, which has the general form:

example.com/index.php?variable=hello

We see the value needs to be “admin” to get the key, but we can’t just do

index.php?id=admin

This would trigger the first if-statement and not give us the key.

Before the second if-statement the id value is run through urldecode(). PHP has already URL-decoded the query string once when it filled $_GET, so the first check sees a once-decoded value while the second check sees a twice-decoded one. If we URL-encode “admin” twice, the first check sees a string that does not contain “admin”, and after urldecode() the second check sees exactly “admin”.

We can use a URL-encoding (ASCII) chart to encode each character of “admin” (giving %61%64%6d%69%6e), but because the server decodes the query string once before the first check, we also have to encode the “%” symbol itself (as %25). When we do this we get the following URL:

https://2013.picoctf.com/problems/php2/index.php?id=%2561%2564%256d%2569%256e
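To make the two decoding stages explicit, here is an added Python model of the challenge logic (not code from the challenge or from PicoCTF). It simulates the web server’s single decode of the query string, mirrors the vulnerable eregi-then-urldecode order, and shows the hardened ordering where the blocklist check runs on the fully decoded value. The helper names and the "no" return value for an unmatched id are my own assumptions.

```python
from urllib.parse import unquote


def double_url_encode(value: str) -> str:
    """Percent-encode every byte, then encode the resulting '%' signs again (%25)."""
    once = "".join(f"%{b:02x}" for b in value.encode())   # "admin" -> "%61%64%6d%69%6e"
    return once.replace("%", "%25")                        # -> "%2561%2564%256d%2569%256e"


def php_get(raw_query_value: str) -> str:
    """Assumed runtime behaviour: the query string is URL-decoded once when $_GET is filled."""
    return unquote(raw_query_value)


def vulnerable_auth(raw_query_value: str) -> str:
    """Same order as the challenge: eregi('admin') check, then urldecode(), then compare."""
    id_value = php_get(raw_query_value)
    if "admin" in id_value.lower():          # eregi: case-insensitive substring match
        return "not allowed!"
    id_value = unquote(id_value)             # the extra urldecode() is the flaw:
    if id_value == "admin":                  # the check and the comparison see different strings
        return "Access granted!"
    return "no"


def hardened_auth(raw_query_value: str) -> str:
    """Decode first, validate last: the blocklist check runs on the canonical value."""
    id_value = unquote(php_get(raw_query_value))   # all decoding finished before any check
    if "admin" in id_value.lower():
        return "not allowed!"
    if id_value == "admin":
        return "Access granted!"
    return "no"


if __name__ == "__main__":
    payload = double_url_encode("admin")
    print(payload)                              # %2561%2564%256d%2569%256e, as in the write-up
    print("single-encoded:", vulnerable_auth("%61%64%6d%69%6e"))   # blocked: decoded once -> "admin"
    print("double-encoded:", vulnerable_auth(payload))             # bypass: first check sees %61%64...
    print("hardened:      ", hardened_auth(payload))               # blocked: check runs after decoding
```

The general lesson is that every filter must run on the same, fully canonicalized representation that the sensitive comparison uses; an input that is decoded again after being validated has not really been validated.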

We now have our key.

Flag: b4cc845aa05ed9b0ce823cb04f253e27

For other challenge write-ups from this CTF see the overview.
