[Hack-Along] Stripe Web CTF - Level One- [SPOILERS]
So, you've beaten level 0 and are now at the heady heights of level 1, where we are faced with another simple webapp that is hiding a secret from us.
In this webapp, guessing the secret combination (which is stored in the file 'secret-combination.txt' will print out the password to level 2 (stored in the file 'level02-password.txt').
Not ready to read the spoiler yet but want a tip? This challenge is based around a PHP script. One of the best ways to start is to check out the source and look up any procedure calls you are not familiar with in the PHP Documentation
Click, read more to view the full solution.
Looking at the source provided we can see a very simple webapp that grabs a user variable, compares it to the contents of the secret-combination.txt file and (if it matches) print out the secret.
A couple of things in the code immediately jump out.
The first is the use of extract(), which will turn ALL user provided paramaters into PHP variables. This will allow us to create arbitrary variables with arbitrary data.
The second problem is that the
With these two issues, we can overwrite the
$filenameparameter to arbitrary content of our choice and subvert the rest of the program.
To do this, we merely specify extra parameters when submitting our guess.
A sample modified request could look likehttp://level01-2.stripe-ctf.com/user-youruserstring/?attempt=foo&filename=bar
So, to subvert the behaviour of this webapp... what happens if the
$filenamevariable is empty?
The following piece of code will behave in an unexpected way.$combination = trim(file_get_contents($filename));
The PHP fucntion file_get_contents when presented with an empty string will open no file, and therefore return an empty string. So if we provide an empty string as our guess and an empty string to override the $filename variable like so:http://level01-2.stripe-ctf.com/user-youruserstring/?attempt=&filename=
The guessing game will check that an empty string matches an empty string (which are things that match!) and print out the contents of
As with level 0, if you found a different way of completing this challenge, tell us about it in the comments! Stop back soon for level 2.