Mar 10, 2014

A login form is there, with fields to enter 'username' and 'password'; we have to log in somehow.

First let's have a look at the source by clicking the link 'source':
<?php
include 'foo.php';   // defines $secret
$user = $_POST['username'];
$pass = $_POST['password'];
if( !strcasecmp($user, "admin") && !strcasecmp($pass, $secret)) {
    // flag is printed here (body not shown on the challenge page)
} else {
    echo "<h1>No flag for n00bs..</h1>";
}

So we can see the username is obviously 'admin', but the password is stored in the variable '$secret', which must be defined in the file 'foo.php', and we have no way to read it.

The next option is to look for weaknesses in the function 'strcasecmp()'. A quick googling will reveal that when 'strcasecmp()' is passed an array instead of a string (in PHP 5) it emits a warning and returns NULL rather than an integer, and '!NULL' is true, so the check passes without knowing '$secret'.

Let's edit the source of the login page and pass an array to 'strcasecmp()'. In the login page, change the line below using 'Firebug' in Firefox or 'Developer Tools' in Chrome:
<input name="password" placeholder="Password" type="password">
to the below
<input name="password[]" placeholder="Password" type="password">

And now click login and you will get the flag{fb1186d3dfd25773d51964cf0d62d302}.
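To show why the renamed field passes the check, and what a fixed check looks like, here is an added PHP example that is not part of the original writeup or the challenge code; $secret is a placeholder and the two inputs are constructed to stand in for what the form would POST.

```php
<?php
// Added example (not the challenge's own code): the login check from the
// writeup beside a hardened version, driven by constructed inputs instead of
// $_POST so it runs from the CLI. $secret is a placeholder, not the real value.
$secret = 'placeholder-secret';

// Vulnerable: the check from the challenge. In PHP 5/7, strcasecmp() given an
// array emits a warning and returns NULL instead of an integer; !NULL is true,
// so the condition passes without knowing $secret.
function vulnerableLogin($user, $pass, $secret) {
    return !strcasecmp($user, "admin") && !strcasecmp($pass, $secret);
}

// Hardened: reject anything that is not a string before comparing, and use a
// constant-time comparison so the result depends only on the string contents.
function hardenedLogin($user, $pass, $secret) {
    if (!is_string($user) || !is_string($pass)) {
        return false;                  // password[] arrives as an array
    }
    return strcasecmp($user, 'admin') === 0 && hash_equals($secret, $pass);
}

// Constructed inputs: what the form sends normally, and what it sends once the
// field is renamed to password[] in the browser.
$cases = [
    'wrong string'  => ['admin', 'guess'],
    'array payload' => ['admin', ['guess']],
];

foreach ($cases as $name => $input) {
    list($user, $pass) = $input;
    try {
        // @ silences the "expects parameter to be string" warning (PHP 5/7)
        $v = @vulnerableLogin($user, $pass, $secret) ? 'accepted' : 'rejected';
    } catch (TypeError $e) {
        $v = 'TypeError';              // PHP 8 rejects the array outright
    }
    $h = hardenedLogin($user, $pass, $secret) ? 'accepted' : 'rejected';
    printf("%-14s vulnerable=%s hardened=%s\n", $name, $v, $h);
}
```

On PHP 5/7 the 'array payload' row shows the vulnerable check accepting the login while the hardened one rejects it; on PHP 8 the same call raises a TypeError, which is why the is_string() guard is the portable fix.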