30 Nov

PicoCTF 2013 – Pretty Hard Programming

Points: 95

Text: If you can guess the admin’s password you can get a key

Solution: When we look at the code we see the secret_key variable is declared, but right after that it gets the variables from the url. This means we can change to secret_key variable to anything we like.

When we enter the following url (we could have used anything instead of pass, as long as the password and secret_key variable are set to the same value):


we get our flag.

Flag: php_means_youre_going_to_have_a_bad_time

For other challenge write-ups from this CTF see the overview.

Leave a Reply

Your email address will not be published. Required fields are marked *