Cyber Talents: “catch me if you can” write up

Zeyad Yahya
4 min read · Nov 26, 2020
https://cybertalents.com/challenges/web/catch-me-if-you-can

First I did all the basic enumeration (viewing the page source, etc.) on the web page and found nothing, so I fired up “gobuster”, which found “robots.txt”:

After navigating to “robots.txt” I found:

Interesting!
/S3cr3t.php
/source.php

Well now the real challenge begins!
“S3cr3t.php” has some kind of authentication and “source.php” is its source code.

Let's start analyzing the “source.php” code…

The first line: include('flag.php').
- So “flag.php” must be included by “S3cr3t.php”, so I inspected the “S3cr3t.php” page (inspect element) to see whether the flag was hidden text in the page, but I found nothing :)

The second line: $password = $_POST['pass'];
- We have a $password variable holding the value submitted in the POST body.

The third line: if (strpos($password, 'R_4r3@') !== FALSE) {
- So we have a basic if statement using the mighty “strpos” (string position) function, which in our case searches for the position of “R_4r3@” in the value of $password; if it is not there, strpos returns false and execution goes to the else branch:

And when I provide the “R_4r3@” string it returns true:

So I tried entering this string on the “S3cr3t.php” page to see what would happen:

illegal characters :)

So let's continue analysing the code:

Fourth line: if (!preg_match('/^-?[a-z0-9]+$/m', $password)) {
- Here we have preg_match (PHP's regex function), which searches for the given pattern in our $password variable and returns 1 if it matches, otherwise 0:

Note: The PHP preg_match() function stops searching after it finds the first match.

If you are having a hard time reading the regex, check out this website.
In our case the “R”, “_” and “@” are characters the pattern does not allow, so the check fails and triggers the alert.

- By looking at the sixth line we can see an echo of a $cipher variable, which I think could contain our flag!

So now we want to somehow bypass the second if statement and echo the $cipher variable.
After a good amount of searching on Google, reading about the functions and trying a lot of combinations, I found a bug in the code that lets me bypass the regex check if I put the string I don't want checked on a new line (the m modifier makes ^ and $ match at line boundaries, so a single clean line is enough to satisfy the pattern). So I tried this payload:

BUT :

:)

So I opened Burp Suite to see whether there was any encoding or stripping of the input:

So I sent the request to Repeater and tried a lot of payloads until my friend suggested URL-encoding the payload; after several tries the final payload is: anything%0aR_4r3@
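To make the newline bypass described above and the final payload concrete, here is an added example (not the challenge's own source.php): the vulnerable check as the write-up describes it next to a hardened version, run against a few constructed inputs. The function names and sample values are my own.

```php
<?php
// Added example, not the challenge's code. Vulnerable check: with the /m
// modifier, ^ and $ match at every line boundary, so preg_match succeeds as
// soon as ANY line consists solely of -?[a-z0-9]+; other lines are never inspected.
function weakIsClean(string $password): bool {
    return preg_match('/^-?[a-z0-9]+$/m', $password) === 1;
}

// Hardened check: \A and \z anchor to the absolute start and end of the subject
// (no /m, and \z does not tolerate a trailing newline the way $ does), so the
// whole submitted string must be lowercase alphanumeric.
function strictIsClean(string $password): bool {
    return preg_match('/\A-?[a-z0-9]+\z/', $password) === 1;
}

// Mirrors the secret-string check from the write-up.
function hasSecret(string $password): bool {
    return strpos($password, 'R_4r3@') !== false;
}

// Constructed inputs: a normal value, the raw secret (rejected by both checks),
// the write-up's final payload after URL decoding (%0a -> "\n"), and the same
// two lines in the opposite order.
$samples = [
    'hello123'                       => 'plain value',
    'R_4r3@'                         => 'secret on its own',
    urldecode('anything%0aR_4r3@')   => 'write-up payload (newline-separated)',
    "R_4r3@\nanything"               => 'secret first, clean line second',
];

foreach ($samples as $input => $label) {
    printf("%-38s weak=%-6s strict=%-6s secret=%s\n",
        $label,
        weakIsClean($input)   ? 'pass' : 'reject',
        strictIsClean($input) ? 'pass' : 'reject',
        hasSecret($input)     ? 'yes'  : 'no');
}
```

Both newline-separated inputs pass the weak check while carrying the secret, and both are rejected by the strict check.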

*happy noises*

After decoding this JS Brainf*ck-style code we got the flag!

:)

Check out this awesome GitHub repo, which helped me guess the payload.

Well thanks for reading and have a good day!

Zeyad Yahya

eJPT | Network engineer student | cyber security student