
LIT CTF 2023 - My boss left

Description

Category: Web

My boss left… Guess I can be a bit more loose on checking people.

Link : litctf.org:31784

my-boss-left.zip

Resolution

Inside login.php we can see that the valid password is hardcoded in the source:

```php
// Replace these values with your actual login credentials
$valid_password = 'dGhpcyBpcyBzb21lIGdpYmJlcmlzaCB0ZXh0IHBhc3N3b3Jk';
```

We used this password to log in and got the flag: LITCTF{oOps_sh0uld_h4v3_us3d_str1ct_c0mp4r1sons}.

Intended way to solve the challenge

According to the sentence in the flag, we should have exploited the fact that the script didn't use a strict comparison (`===`) and relied on PHP's loose `==` instead.

Knowing that, we could have used a payload that still logs in without the password; which payload works depends on whether the script compared the raw password or a hash of it, and on how the input was read (a form field always arrives as a string, whereas a JSON body can carry a boolean or a number).
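As an added illustration (not the challenge's login.php, whose surrounding code is not shown here), the following script contrasts a loose `==` password check with a strict one. The `loose_check`/`strict_check` functions and the JSON input are assumptions for the demonstration; the two md5 "magic hash" inputs are well-known PHP examples.

```php
<?php
// Added example, not the challenge's code: why `==` is the wrong way to compare a secret.

// Hypothetical stand-in for the challenge's hardcoded value.
$valid_password = 'dGhpcyBpcyBzb21lIGdpYmJlcmlzaCB0ZXh0IHBhc3N3b3Jk';

// Vulnerable: loose comparison lets PHP type juggling decide the result.
function loose_check($input, string $valid): bool {
    return $input == $valid;
}

// Fixed: require a string and compare with a constant-time, strict check.
function strict_check($input, string $valid): bool {
    return is_string($input) && hash_equals($valid, $input);
}

// Case 1: input read from a JSON body (assumed), so it can be a boolean.
// `true == "<any non-empty string>"` is true because the string is cast to bool.
$body = json_decode('{"password": true}', true);
var_dump(loose_check($body['password'], $valid_password));  // bool(true)  -> logged in
var_dump(strict_check($body['password'], $valid_password)); // bool(false) -> rejected

// Case 2: if the script had compared md5() outputs with `==`, two different
// inputs whose digests both look like 0e<digits> compare equal, because PHP
// treats both as numeric strings equal to 0.0.
$stored = md5('240610708'); // 0e462097431906509019562988736854
$given  = md5('QNKCDZO');   // 0e830400451993494058024219903391
var_dump($stored == $given);  // bool(true)
var_dump($stored === $given); // bool(false)

// Version caveat: before PHP 8.0, `0 == "dGhpcy..."` was also true
// (non-numeric string cast to int 0); PHP 8 compares int vs non-numeric
// string as strings, so that particular trick no longer works there.
```

Run it with `php example.php`. The point is that the fix is not only `===` but also rejecting non-string input up front, since `hash_equals()` itself refuses non-strings.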

Check this awesome resource about type juggling: Type Juggling - swisskyrepo - GitHub

This post is licensed under CC BY 4.0 by the author.