25 Nov

PicoCTF 2013 – PHP2

Points: 85

Text: We found a simple web page that seems to want us to authenticate, but we can’t figure out how… can you?

Solution: When we look at https://2013.picoctf.com/problems/php2/index.phps we see the code that is used to authenticate:

<?php
// Blacklist check runs on the value PHP already percent-decoded once
// when it built $_GET. eregi() is a case-insensitive match, so "ADMIN"
// is rejected too.
if(eregi("admin",$_GET[id])) {
  echo("<p>not allowed!</p>");
  exit();
}

// Second percent-decode: this is what the blacklist above never sees.
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin") {
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx </p>";
}
?>

Can you authenticate to this website?
<!-- source: index.phps -->

We can see it takes an id variable from the query string, i.e. the page is requested as index.php?id=<value>.

We see the value needs to be "admin" to get the key, but we can't just request index.php?id=admin.

That would trigger the first if-statement (the eregi blacklist), print "not allowed!" and exit before the key is ever printed. Because eregi is case-insensitive, variations like ADMIN or Admin are blocked as well.

The important detail is that the value is percent-decoded twice. PHP decodes the query string once when it populates $_GET, and that once-decoded value is what the blacklist inspects. Only afterwards does the script call urldecode() on it a second time, and that second decoding happens right before the comparison with "admin". So if we encode "admin" twice, the blacklist sees a string that still contains percent escapes and does not match "admin", while the second decode turns it back into exactly "admin" for the comparison.

We can look at a URL-encoding chart to encode our message (for example "a" is %61), but we'll have to encode the "%" symbol as well, since the first decode would otherwise already produce "admin". "%" is %25, so %61dmin becomes %2561dmin. Requesting index.php?id=%2561dmin passes the blacklist as "%61dmin" and is then decoded to "admin" by urldecode().

We now have our key.
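As an added example (not part of the original write-up), the following Python script simulates the two decoding stages of the challenge's index.php and derives the double-encoded payload, so the bypass can be checked offline. The function names php2_check and double_encode are my own; the decode-twice behaviour they model is the one shown in the PHP listing above. It goes slightly beyond the write-up by encoding every character of "admin", not only the first one.

```python
import re
from urllib.parse import unquote


def php2_check(raw_id: str) -> str:
    """Simulate the challenge's index.php for a raw query-string value.

    PHP percent-decodes the value once while building $_GET; the script then
    runs the eregi() blacklist on that, decodes it a second time with
    urldecode(), and compares the result with "admin".
    """
    get_id = unquote(raw_id)                      # decode 1: done by PHP itself
    if re.search("admin", get_id, re.IGNORECASE):  # eregi("admin", $_GET[id])
        return "not allowed!"
    get_id = unquote(get_id)                      # decode 2: urldecode() in script
    if get_id == "admin":
        return "Access granted!"
    return ""


def encode_all(s: str) -> str:
    """Percent-encode every byte, including unreserved characters such as
    letters (urllib.parse.quote would leave those untouched)."""
    return "".join(f"%{b:02X}" for b in s.encode())


def double_encode(s: str) -> str:
    """Encode once, then encode the '%' signs themselves as '%25' so the
    first decode only strips one layer."""
    return encode_all(s).replace("%", "%25")


def bypass_payload() -> str:
    """The minimal payload from the write-up: only 'a' is double-encoded."""
    return "%2561dmin"


if __name__ == "__main__":
    # Constructed test inputs: plain, single-encoded and double-encoded.
    for candidate in ("admin", "ADMIN", "%61dmin",
                      bypass_payload(), double_encode("admin")):
        print(f"{candidate:30} -> {php2_check(candidate)!r}")
```

The single-encoded %61dmin still fails: the first decode already turns it into "admin", which the blacklist catches. Only the double-encoded forms survive the blacklist and are still reduced to "admin" by the second decode. The fix on the server side is to do all decoding first and validate the final value, never to decode again after a check has been made.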

Flag: b4cc845aa05ed9b0ce823cb04f253e27

For other challenge write-ups from this CTF see the overview.

