WriteUp for Just Not My Type from Killer Queen 2021
A Writeup for the challenge "Just Not My Type" from Killer Queen CTF 2021.
Published on November 03, 2021 by 0xRar
writeups Web CTF
1 min READ
Challenge Information:
| Name | Category | Difficulty | Points | Dev |
|---|---|---|---|---|
| Just Not My Type | Web | Easy | 248 | ZeroDayTea |
Description:
I really don’t think we’re compatible
Solution:
First thing i thought it was an sqli, but then i remembered they already gave us the source code
for the challenge.
Source-Code:
<h1>I just don't think we're compatible</h1>
<?php
$FLAG = "shhhh you don't get to see this locally";
if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
$password = $_POST["password"];
if (strcasecmp($password, $FLAG) == 0)
{
echo $FLAG;
}
else
{
echo "That's the wrong password!";
}
}
?>
<form method="POST">
Password
<input type="password" name="password">
<input type="submit">
</form>
The twist of the challenge is first we didn’t have any link to the webapp, at first so the $FLAG variable is just a fake flag, so i look and nothing really wrong with the code but maybe the function strcasecmp() has some kind of vulnerability or not used in secure way, after googling a bit and reading the strcasecmp
php Documentation
Turns out that strcasecmp() is a single-byte function , after searching what that means and how to exploit it found that if you don’t use it in a secure way it can lead to Authentication Bypass , the idea is to turn the password param into an empty array and the value to %22%22
Example: http://vulntarget.com/type.php?password[]=%22%22
and that gave me the flag :)
