# NCSC 2019 - web0, web1, halfline

## web0

We were given a page with the following source code

The condition to show the flag is `$md5==md5($md5)`. Because it uses the `==` operator, we went in the type juggling direction.

We know that if two strings are of the form “0eX”, where X is numeric, `==` casts both to numbers in scientific notation, $0 \times 10^{X}$, meaning that they will both be equal to 0 at evaluation time.

We wrote a PHP script to find a string of the form “0eX” whose MD5 has the same form.
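The loose comparison described above next to a byte-wise one, as an added example (not the challenge's source and not the script from this write-up). The function names and sample strings are constructed for illustration; the samples are not real MD5 output.

```php
<?php
declare(strict_types=1);

// Vulnerable form: with ==, two numeric strings are compared as numbers,
// so every "0eX" string is read as zero before the comparison happens.
function check_loose(string $input, string $digest): bool
{
    return $input == $digest;
}

// Hardened form: hash_equals() compares the bytes of both strings and never
// converts either operand to a number.
function check_strict(string $input, string $digest): bool
{
    return hash_equals($digest, $input);
}

// Audit helper (hypothetical name): flags values of the "0eX" form, for
// example stored hex digests that a loose comparison would read as zero.
function looks_like_zero_exponent(string $value): bool
{
    return preg_match('/^0+e[0-9]+\z/i', $value) === 1;
}

// Constructed samples: [user input, 32-character digest-like string].
$samples = [
    ['0e1234', '0e998877665544332211009988776655'], // both are "0eX"
    ['0e1234', '0e9988776655443322110099887766ab'], // digest is not numeric
    ['abcdef', '0e998877665544332211009988776655'], // input is not numeric
];

foreach ($samples as [$input, $digest]) {
    printf(
        "%-8s %-34s loose=%-5s strict=%-5s digest_flagged=%s\n",
        $input,
        $digest,
        var_export(check_loose($input, $digest), true),
        var_export(check_strict($input, $digest), true),
        var_export(looks_like_zero_exponent($digest), true)
    );
}
```

Using `===` instead of `hash_equals()` also removes the numeric conversion; `hash_equals()` additionally compares in constant time.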

After a few seconds, it gave us the following result:

then,

WP ! Here is your flag: Securinets{Gg!H4K3Rm@N}

## web1

We were given a script that prevents you from selecting all checkboxes in a form.

Inspect => Settings => Disable JavaScript.

:p

Good job, take your flag: Securinets{HuNgRY_Pl4y3r}

## halfline challenge

We were given a page with the following source code.

Our intuition was to find a function that accepts a mixed parameter as its first argument and a callback as its second.

We found this Stack Overflow thread that lists exploitable PHP functions.

After some time, we narrowed the search to the `create_function` function.

On the PHP website we found this Caution:

> This function internally performs an eval() and as such has the same security issues as eval(). Additionally it has bad performance and memory usage characteristics.

We searched for exploits and found EDB-ID 32417.

So, we used the following payloads to get the flag:

`?_=create_function&__=return 0; } system('ls'); //`

`?_=create_function&__=return 0; } system('cat f*'); //`

We got an image, and `strings` got us the flag.