
# Web 200

<figure><img src="/files/YAJ8AjH8oA8WDCpwtnoC" alt=""><figcaption></figcaption></figure>

Let's Go!!

Challenge Writeups

Category: Web

Challenge: You can’t see me!

Points: 200

<figure><img src="/files/02xAysnycnpHKwTgHDRS" alt=""><figcaption></figcaption></figure>

The IP address above directed me to the PHP code below.

<figure><img src="/files/YHF6sbrqhNeH3Q9Nle7g" alt=""><figcaption></figcaption></figure>

#### Analysis

LINE 7 includes the file flag.php, but we can't see its source code.

LINE 11 handles a GET request that accepts 2 parameters. If you look closely, the letter C in rootcon is rendered in a different font in the 2nd GET parameter: it is a different character from the ASCII c, which is why it shows up URL-encoded as %D1%81 in the URL further down. The condition tells us that the values of these 2 parameters should not be equal.

<figure><img src="/files/WdDsDJmmUorWR5MA0b4o" alt=""><figcaption></figcaption></figure>

I manually copied the word and verified it using URL decoding.

<figure><img src="/files/1pMG0rZoyvYZKG9xoyqn" alt=""><figcaption></figcaption></figure>

Now we have our URL without a value:

<http://149.28.134.167/?rootcon=&root%D1%81on=>

Let’s analyze the next line, LINE 12, which requires the 2 MD5 hashes to be equal.

<figure><img src="/files/fkmosg1aaDKXpjJGZMSH" alt=""><figcaption></figcaption></figure>

It reminds me of my previous writeup for Rootcon Recovery Mode last year about magic hashes. You can read it at this link: <https://laet4x.medium.com/rootcon-recovery-mode-ctf-final-web-wizardry-1419d664eedf>.

So I decided to reuse the script. Basically, this script finds a word or words that, when combined with the word ‘pwndemanila’, produce an MD5 hash of the form “0e” followed by 30 digits.

<figure><img src="/files/BM3oWDT2b5Ce1YmX9lJS" alt=""><figcaption></figcaption></figure>

After several minutes I got the results:

<figure><img src="/files/AGo69Ecs0HL3ZORWEsEH" alt=""><figcaption></figcaption></figure>

Solution:

pwndemanilaaffyjL = 0e154876879366669632612315475677

pwndemanilaa1MGTc = 0e660685420749161809595800684366

Any two strings that start with “0e” and are followed strictly by digits compare as equal under PHP's loose comparison, because both are read as the number zero in scientific notation. That makes LINE 12 TRUE.

This is also what we need for LINE 11: once we remove ‘pwndemanila’ we get pffyjL and a1MGtc, which are not equal, so LINE 11 is TRUE.

I crafted our final URL and we got the flag:
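The two checks discussed above, as an added Python example (not the script from this writeup): it models why the two hash values listed under Solution pass a loose comparison but fail a strict one, and shows what the second parameter name really contains. The function names are hypothetical, and `php_loose_equal` is a simplified model that covers only the `0e<digits>` case.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hash values quoted in the Solution section of this writeup.
HASH_A = "0e154876879366669632612315475677"
HASH_B = "0e660685420749161809595800684366"

# Second parameter name, decoded from the URL shown in the writeup.
PARAM_2 = unquote("root%D1%81on")

MAGIC = re.compile(r"0e[0-9]+")


def is_magic_hash(digest):
    """True when a digest is '0e' followed only by digits, i.e. it reads
    as 0 x 10^n to a parser that accepts scientific notation."""
    return MAGIC.fullmatch(digest) is not None


def php_loose_equal(a, b):
    """Simplified model (assumption) of PHP `==` on two strings: when both
    look like 0e<digits> they are compared as numbers, and 0 == 0."""
    if is_magic_hash(a) and is_magic_hash(b):
        return True
    return a == b


def strict_equal(a, b):
    """What `===` or hash_equals() checks: the strings themselves."""
    return a == b


def non_ascii_chars(name):
    """Return (char, Unicode name) for every non-ASCII character in a
    parameter name, to expose look-alike letters."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]


if __name__ == "__main__":
    print("loose :", php_loose_equal(HASH_A, HASH_B))
    print("strict:", strict_equal(HASH_A, HASH_B))
    print("param :", non_ascii_chars(PARAM_2))
```

Comparing digests with `===` or `hash_equals()` on the PHP side removes the numeric interpretation entirely, so the two values above would no longer match.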

<http://149.28.134.167/?rootcon=ffyjL&root%D1%81on=a1MGTc>

<figure><img src="/files/jLXhbUNFYz2qggxW5DQ4" alt=""><figcaption></figcaption></figure>

Flag: ***RC15{tqfXZWoEvj4ukK5WJGAPqTfBRs7iTN}***

Special Thanks!

I would like to thank pwndemanila and rootcon for the exciting challenges in this year’s Capture The Flag. Shoutout to our other team, SOCTEAM CTF, for the support. See you next year!!!

<https://www.rootcon.org/>

<https://twitter.com/rootconph>

<https://www.facebook.com/rootcon/>


