Authenticate your way to admin (150pts)
Owen had created an authentication system which lets users login with their email-id or their team name. But that’s not fun is it? Logging in as the admin beats it all, so there’s your challenge.
The portal is running at 128.199.224.175:23000
Note: Use your Pragyan CTF credentials to login to the web portal.
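The source of homepage.php is shown below. It first calls check_login() to check whether the user is logged in. It looks like the flag can be obtained by accessing homepage.php when $id is "admin" and $id_type is "team_name". $id is read from the session variable $_SESSION['id'] after check_login().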
<?php
session_start();
require "helpers.php";

// Send the user to the login page if check_login() fails
if(! check_login())
    redirect($LOGIN_URL);

// Identity shown on the page comes straight from the session
$id_type = $_SESSION['id_type'];
$id = $_SESSION['id'];
?>
<!DOCTYPE html>
<html>
<head>
    <title>Homepage</title>
</head>
<body style='background-color: #d6eaf8'>
    <p style="float: right">
        <a href='/logout.php'> Logout </a>
    </p>
    <p style="clear: both"></p>
    <p style='height:30px; width:100%;'> </p>
    <center>
        <h2> Welcome User !! </h2>
        <br><br>
        <h3>
        <?php
        if($id_type === 'email') {
            echo "Email :- ".$id;
        }
        elseif ($id_type === 'team_name') {
            echo "Team Name :- ".$id ;
        }
        ?>
        </h3>
        <br><br>
        <h4>
            Here's a random funny saying for you :) <br>
        </h4>
        <br><br>
        <?php
        require "sayings.php";
        printf(get_random_saying());
        echo "<br><br>";
        // The flag is printed only for id 'admin' with id_type 'team_name'
        if($id === 'admin' && $id_type === 'team_name')
            printf(output_flag());
        ?>
    </center>
</body>
</html>
Next, the source of login.php is shown below. It checks the password with verify_teamname_password() and, if it is correct, sets the session variable $_SESSION['logged_in'] to true.
<?php
session_start();
require "helpers.php";

$type = $_POST['id_type'];
$identifier = $_POST['identifier'];
$password = $_POST['password'];

// The identifier is stored in the session before the password is verified
$_SESSION['id'] = $identifier;

if($type === 'team_name') {
    $team_name = $identifier;
    $_SESSION['id_type'] = 'team_name';
    if(verify_teamname_password($team_name, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        die("Invalid Team Name-Password combination !!");
    }
}
elseif ($type === 'email') {
    $email = $identifier;
    $_SESSION['id_type'] = 'email';
    if(verify_email_password($email, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        die("Invalid Email-Password combination !!");
    }
}
?>
The flag is:
pctf{4u1h3ntic4Ti0n.4nd~4u1horiz4ti0n_diff3r}
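
login.php above writes $_SESSION['id'] and $_SESSION['id_type'] before the password check, so a failed login still changes the identity held in the session. A hardened handler that writes the identity only after verification, as an added example that is not the challenge's code. Assumptions: `handle_login`, `verify_password`, `$USERS` and every credential are hypothetical, and the session is modelled as a plain array so the script runs from the PHP CLI.

```php
<?php
// Added example, not the challenge's code. In a real handler pass $_SESSION
// instead of the array and call session_regenerate_id(true) at the marked point.

// Constructed credential store (hypothetical values).
$USERS = [
    'team_name' => ['admin' => password_hash('constructed-admin-pw', PASSWORD_DEFAULT),
                    'team1' => password_hash('constructed-team-pw', PASSWORD_DEFAULT)],
    'email'     => ['a@example.com' => password_hash('constructed-mail-pw', PASSWORD_DEFAULT)],
];

// Hypothetical stand-in for verify_teamname_password()/verify_email_password().
function verify_password(array $users, string $type, string $id, string $pw): bool {
    $hash = $users[$type][$id] ?? null;
    return $hash !== null && password_verify($pw, $hash);
}

// Writes the identity into the session only after the credentials check out.
function handle_login(array $users, array $post, array &$session): bool {
    $type = $post['id_type'] ?? '';
    $id   = $post['identifier'] ?? '';
    $pw   = $post['password'] ?? '';
    if (!is_string($type) || !is_string($id) || !is_string($pw)
        || !in_array($type, ['team_name', 'email'], true)
        || !verify_password($users, $type, $id, $pw)) {
        return false;               // session is left exactly as it was
    }
    // Real handler: session_regenerate_id(true) here.
    $session = ['logged_in' => true, 'id_type' => $type, 'id' => $id];
    return true;
}

// An existing authenticated session for team1 (constructed).
$session = [];
handle_login($USERS, ['id_type' => 'team_name', 'identifier' => 'team1',
                      'password' => 'constructed-team-pw'], $session);

// Regression check: a failed login for another identifier must not alter it.
$ok = handle_login($USERS, ['id_type' => 'team_name', 'identifier' => 'admin',
                            'password' => 'wrong'], $session);
var_dump($ok, $session['id']);
```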