Wednesday, August 29, 2012

Stripe CTF Writeup: Challenge 1

This challenge was focused on poorly written PHP code, specifically the extract() function. If you didn't know what to do on this challenge, all you had to do was go to PHP's website and read about extract(). In a big warning box, they say:
Do not use extract() on untrusted data, like user input (i.e. $_GET, $_FILES, etc.)
It turns out that the placement of this extract() call in the code allowed you to overwrite the $filename variable with something of your own choosing by passing a GET variable called 'filename'. At this point, you just need to beat the '===', a PHP operator which compares value AND type. By realizing that file_get_contents returns false when the file does not exist, and that by putting 'attempt=' in the URL $attempt gets set to false, we can get past the test and win. A URL that beat this level was
https://level01-2.stripe-ctf.com/user-mspihsgapr/?attempt=&filename=
This causes file_get_contents to return false while setting attempt to false, which means that $attempt === $combination holds.

-- suntzu_II
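The pattern the writeup describes, reconstructed as an added example beside a hardened version. This is not the level's own source and not the author's code: the function names checkVulnerable and checkHardened, the secret file, and the request arrays are constructed for the demo. Two assumptions are worth stating. First, in PHP an empty query value such as attempt= arrives as the empty string, so the bypass only works if the file side also collapses to an empty string; the sketch gets that from casting the false returned by file_get_contents() to a string (the original's exact handling of the file contents is not on the page). Second, the overwritten filename here is a nonexistent path rather than the empty one in the writeup's URL, because PHP 8 rejects an empty path with a ValueError before file_get_contents() can return false.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (reconstructed from the writeup's description, not the
// level's own source): extract() runs after $filename is set, so a request
// parameter named "filename" silently replaces it.
function checkVulnerable(array $get, string $secretPath): bool
{
    $filename = $secretPath;
    extract($get);            // default EXTR_OVERWRITE: ?filename=... wins
    if (!isset($attempt)) {
        return false;
    }
    // An unreadable path makes file_get_contents() return false (warning
    // suppressed with @); the string cast turns that false into "", which
    // is exactly what an empty attempt= parameter compares equal to.
    $combination = trim((string) @file_get_contents($filename));
    return $attempt === $combination;
}

// Hardened version: no extract(), the path is never client-controlled,
// parameters are read explicitly, a missing secret is a failure rather
// than an empty combination, and the comparison is constant-time.
function checkHardened(array $get, string $secretPath): bool
{
    $attempt = $get['attempt'] ?? null;
    if (!is_string($attempt)) {
        return false;
    }
    $contents = @file_get_contents($secretPath);
    if ($contents === false) {
        return false;
    }
    return hash_equals(trim($contents), $attempt);
}

// Constructed secret file and requests (what PHP would put in $_GET).
$secretPath = tempnam(sys_get_temp_dir(), 'secret');
file_put_contents($secretPath, "hunter2\n");
$requests = [
    'correct guess'        => ['attempt' => 'hunter2'],
    'wrong guess'          => ['attempt' => 'letmein'],
    'filename overwritten' => ['attempt' => '', 'filename' => '/nonexistent/path'],
];
foreach ($requests as $label => $get) {
    printf("%-22s vulnerable=%s hardened=%s\n", $label,
        checkVulnerable($get, $secretPath) ? 'PASS' : 'fail',
        checkHardened($get, $secretPath) ? 'PASS' : 'fail');
}
unlink($secretPath);
```

Run with php on the command line: the correct guess passes both checks, the wrong guess passes neither, and the overwritten-filename request passes only the vulnerable check. Note that extract($_GET, EXTR_SKIP) would stop the overwrite of an already-defined $filename but still lets a client define any variable that is not yet set, so reading the expected keys explicitly is the reliable fix.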
