Advent of CTF - Challenge 15

“Juggler++”

Challenge

This challenge is a partner to the previous one; it focuses on an oddity in the PHP programming language.

What you will learn:

  • Type juggling in strcmp

Solution

When the challenge starts, the user is asked to enter a flag, which is compared to the flag stored in the challenge. Obviously the flag cannot be known without solving the challenge, so there has to be another way. Let's examine the source code on the page.

<?php

ini_set('display_errors', 0);   // warnings are hidden, so the strcmp() warning is never shown to the user

include("flag.php");            // defines $flag

if (isset($_POST["flag"])) {
    $f = $_POST["flag"];

    // both sides of the || use a loose (==) comparison
    if (strcmp($f, $flag) == 0 || sha1($flag) == sha1($f)) {
        echo $flag;
        die();
    }
}

header("Location: /index.php?error=Wrong flag");
exit();

?>

It starts the same way as the previous challenge. This time it checks whether flag is set as a POST variable. The submitted value is then compared to the flag stored in the application itself. If they do not match, the sha1 hashes of the two values have to match instead.

The rabbit hole here is that you might be tempted to generate a magic hash to compare against the hash of the stored flag, but this will be fruitless.

The interesting function here is strcmp. It compares two strings and returns 0 when they are equal. However, when a parameter passed to the function is not a string, PHP emits a warning:

Warning: strcmp() expects parameter 1 to be string, array given in php shell code on line 1

When this happens, strcmp() returns NULL instead of an integer, and a loose comparison of NULL with 0 (NULL == 0) evaluates to true, so the first condition passes. In Firefox, send the request, then use Edit & Resend in DevTools (F12) to modify it. Change the parameter in the request body from flag to flag[], which makes PHP parse it as an array.

flag[]=test
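The following is an added example, not the challenge's own code: it places the check from the challenge source next to a hardened version and runs both against a normal string and against an array, which is what flag[] becomes after PHP parses the request body. The function names and the $flag value are constructed for illustration; the real flag is not used. Note that on PHP 8 strcmp() throws a TypeError for an array argument instead of returning NULL, so the juggling only succeeds on PHP 7 and earlier.

```php
<?php
// Added example (not the challenge's own code): the challenge's check next to
// a hardened version, exercised with a string and with an array such as flag[].
// $flag below is a constructed placeholder, not the real challenge flag.

function check_flag_vulnerable($input, string $flag): bool
{
    // PHP 5/7: strcmp() on an array emits a warning (silenced here with @)
    // and returns NULL; NULL == 0 is true, so the || short-circuits to success.
    // PHP 8: strcmp() throws a TypeError instead (caught by run_case below).
    return @strcmp($input, $flag) == 0 || sha1($flag) == sha1($input);
}

function check_flag_hardened($input, string $flag): bool
{
    // Reject anything that is not a string before it reaches the comparison.
    if (!is_string($input)) {
        return false;
    }
    // hash_equals() only accepts strings, compares in constant time and
    // returns a real bool, so there is no loose == left to juggle.
    return hash_equals($flag, $input);
}

function run_case(string $label, $input, string $flag): void
{
    try {
        $vuln = var_export(check_flag_vulnerable($input, $flag), true);
    } catch (TypeError $e) {
        $vuln = 'TypeError';   // PHP 8 behaviour for a non-string argument
    }
    $hard = var_export(check_flag_hardened($input, $flag), true);
    printf("%-12s vulnerable=%-9s hardened=%s\n", $label, $vuln, $hard);
}

$flag = 'NOVI{placeholder}';   // constructed sample value

run_case('correct', 'NOVI{placeholder}', $flag);
run_case('wrong', 'test', $flag);
run_case('flag[]=test', ['test'], $flag);   // the array case from the writeup
```

Run it with php on the command line; the third case is the one the writeup exploits. The hardened version removes the weakness in two steps: an explicit is_string() guard so that arrays never reach the comparison, and hash_equals() in place of strcmp() == 0, which returns a strict boolean and also avoids the timing leak of a byte-by-byte string compare.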

In Firefox this looks like the following screenshot.

tamper.png
Figure 1: Tamper the parameter of get_flag.php

The response of the request will contain the flag.

NOVI{typ3_juggl1ng_f0r_l1fe_seriously}

Also, do not forget to claim your badge.

badge.png