Web 200

Let's Go!!

Challenge Writeups

Category: Web

Challenge: You can’t see me!

Points: 200

The IP address above directed me to the PHP code below.

Analysis

LINE 7 includes the file flag.php, but we can't see its source code.

LINE 11 handles a GET request that accepts 2 parameters. If you look closely, the letter c in rootcon is rendered in a different font in the 2nd GET parameter, i.e. it is a different, lookalike character. The condition tells us that these 2 parameters must not be equal.

I manually copied the word and verified it using URL decoding.

Now we have our URL without a value:

http://149.28.134.167/?rootcon=&root%D1%81on=

Let’s analyze the next line, LINE 12, which requires the 2 MD5 hashes to be equal.

This reminded me of my writeup from last year's Rootcon Recovery Mode about magic hashes. You can read it here: https://laet4x.medium.com/rootcon-recovery-mode-ctf-final-web-wizardry-1419d664eedf

So I decided to reuse the script. Basically, the script searches for strings to combine with the word ‘pwndemanila’ so that the resulting MD5 hash is “0e” followed by 30 digits.

After several minutes I got the results:

Solution:

pwndemanilaaffyjL = 0e154876879366669632612315475677

pwndemanilaa1MGTc = 0e660685420749161809595800684366

When compared loosely in PHP (==), any string that starts with “0e” and is followed strictly by digits is treated as a number in scientific notation equal to zero, so the two hashes compare as equal, which makes LINE 12 TRUE.

This is also what we need for LINE 11: once we remove ‘pwndemanila’ we get pffyjL and a1MGtc, which makes LINE 11 TRUE.

I crafted our final URL and we got the flag:

Flag: RC15{tqfXZWoEvj4ukK5WJGAPqTfBRs7iTN}
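An added example (not part of the original writeup or the challenge's code): a defender-side check in Python that takes the URL and the two digests quoted above, reports the lookalike parameter name, and tells whether two different digests would compare equal under PHP's loose `==`. The function names and the small lookalike table are assumptions made for this illustration.

```python
import re
import unicodedata
from itertools import combinations
from urllib.parse import parse_qsl, urlsplit

# Values copied from the writeup above.
URL = "http://149.28.134.167/?rootcon=&root%D1%81on="
DIGESTS = ("0e154876879366669632612315475677",
           "0e660685420749161809595800684366")

# Constructed, deliberately tiny lookalike table (Cyrillic a, s, e, o, r, h
# folded to Latin a, c, e, o, p, x); it is not a full confusables list.
LOOKALIKES = str.maketrans("\u0430\u0441\u0435\u043e\u0440\u0445", "aceopx")

# PHP's == compares two numeric strings as numbers, and "0e<digits>" is 0 * 10^n = 0.
MAGIC = re.compile(r"0+e[0-9]+")


def is_magic_hash(digest):
    """True if PHP would read this digest as a number equal to zero."""
    return MAGIC.fullmatch(digest) is not None


def loose_collision(a, b):
    """True if two different digests would still be equal under PHP's ==."""
    return a != b and is_magic_hash(a) and is_magic_hash(b)


def param_names(url):
    """Percent-decoded query parameter names, in order, keeping empty values."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def non_ascii_chars(url):
    """(parameter name, character, Unicode name) for each non-ASCII character in a name."""
    return [(n, ch, unicodedata.name(ch, "UNKNOWN"))
            for n in param_names(url) for ch in n if ord(ch) > 127]


def lookalike_pairs(url):
    """Pairs of distinct parameter names that become identical after folding lookalikes."""
    return [(a, b) for a, b in combinations(param_names(url), 2)
            if a != b and a.translate(LOOKALIKES) == b.translate(LOOKALIKES)]


if __name__ == "__main__":
    print(non_ascii_chars(URL))
    print(lookalike_pairs(URL))
    print(loose_collision(*DIGESTS))
```

On the PHP side, comparing digests with `===` or `hash_equals()` instead of `==` removes the numeric-string behaviour this check looks for.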

Special Thanks!

I would like to thank pwndemanila and rootcon for the exciting challenges in this year’s Capture The Flag. Shoutout to our other team, SOCTEAM CTF, for the support. See you next year!!!

https://www.rootcon.org/

https://twitter.com/rootconph

https://www.facebook.com/rootcon/
