After accessing the challenge website, one was presented with a directory listing containing two files, submit.php and submit.phps. It was possible to view the contents of submit.phps (below); furthermore, both files were the same size.
<?php
$key = "key{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}";
$pass = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
echo $_GET['pass'];
if ( strcasecmp( $_GET['pass'], $pass ) == 0 ) {
    echo($key);
    echo "got it";
}
?>
It's apparent the program will compare a GET parameter named pass against a hardcoded string using the strcasecmp function; if the result of this comparison is 0, the key is displayed. Unfortunately the key was not a bunch of Xs.
Focusing on the strcasecmp function: were there other ways of making it output 0, besides the obvious case where the strings were equal?
A quick trip to php.net yielded nothing useful for strcasecmp. However, since this function is a wrapper for strcmp (I believe), I took a look there, and sure enough the first two comments yielded the answer.
In short, in modern PHP versions the function will return a 0 if any of the parameters is an array. So the following URL was constructed to create an array for pass.
The key was:
key{this_is_how_our_scoreboard_was_owned_last_night}
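The comparison pattern from submit.phps next to a hardened form, as an added example that is not the challenge's code. It assumes PHP 7 or later; EXPECTED_PASS, weak_check and strict_check are hypothetical names, and the secret and sample inputs are constructed.

```php
<?php
// Constructed placeholder secret; the real $pass value is not on the page.
const EXPECTED_PASS = 'constructed-example-secret';

// Same pattern as submit.phps: loose "== 0" on the result of strcasecmp().
function weak_check($input): bool
{
    try {
        // PHP 5.3 to 7.x: a non-string argument makes strcasecmp() emit a
        // warning and return NULL, and NULL == 0 evaluates to true.
        return @strcasecmp($input, EXPECTED_PASS) == 0;
    } catch (TypeError $e) {
        // PHP 8+: a non-string argument throws instead of returning.
        return false;
    }
}

// Hardened form: reject anything that is not a string before comparing,
// then compare in constant time. Note that hash_equals() is case-sensitive,
// unlike strcasecmp(); that is a deliberate change for a secret.
function strict_check($input): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals(EXPECTED_PASS, $input);
}

// Constructed inputs standing in for $_GET['pass']: a wrong string, the
// correct string, and the array PHP builds when pass is sent as an array.
$samples = [
    'wrong string'   => 'abc',
    'correct string' => EXPECTED_PASS,
    'array'          => ['abc'],
];

foreach ($samples as $label => $value) {
    printf(
        "%-15s weak=%s strict=%s\n",
        $label,
        var_export(weak_check($value), true),
        var_export(strict_check($value), true)
    );
}
```

On PHP 7.x the array row shows the weak check passing while the strict check rejects it; on PHP 8 both reject it, because the TypeError is caught.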
And let me just add that this was a really fun CTF and a great weekend, well worth working to well past sunup. I look forward to CSAW each year. To anyone who is interested in security, and especially CTFs, I always recommend CSAW, as the questions start accessible and ramp up to quite challenging. (Although I did miss having to call for Dan's burritos this year.)