LIT CTF 2023 - My boss left
Description
Category: Web
My boss left… Guess I can be a bit more loose on checking people.
Link : litctf.org:31784
Resolution
Inside login.php we can see that there is a password:

```php
// Replace these values with your actual login credentials
$valid_password = 'dGhpcyBpcyBzb21lIGdpYmJlcmlzaCB0ZXh0IHBhc3N3b3Jk';
```
We used this password to log in and got the flag: LITCTF{oOps_sh0uld_h4v3_us3d_str1ct_c0mp4r1sons}.
Intended way to solve the challenge
According to the sentence in the flag, we should have exploited the fact that the script did not use a strict comparison.
Knowing that, we could have crafted a payload that still logs in, with the exact payload depending on whether the stored password was a hash or some other value.
Check this awesome resource about type juggling: Type Juggling - swisskyrepo - GitHub
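As an added illustration of the flag's hint (this is not the challenge's own login.php), the snippet below puts a loose `==` check next to the strict check it should have used. Only `$valid_password` comes from the page; the function names and the other input values are constructed for the example, and it assumes PHP 8, where a non-empty string compared with `true` under `==` evaluates as equal.

```php
<?php
// Added example, not the challenge's code. $valid_password is the value
// shown in login.php; everything else here is constructed for illustration.
$valid_password = 'dGhpcyBpcyBzb21lIGdpYmJlcmlzaCB0ZXh0IHBhc3N3b3Jk';

// Weak: == applies PHP type juggling before comparing, so a non-string
// value submitted through a JSON body or array parameter is coerced.
function check_loose(string $valid, $submitted): bool {
    return $submitted == $valid;
}

// Hardened: require a string, then compare with hash_equals(), which is
// strict about types and runs in constant time.
function check_strict(string $valid, $submitted): bool {
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($valid, $submitted);
}

// Constructed inputs: the real password, a wrong string, and a non-string
// value of the kind a decoded JSON request can carry.
$inputs = [
    'correct string' => $valid_password,
    'wrong string'   => 'not-the-password',
    'boolean true'   => true,
];

foreach ($inputs as $label => $value) {
    printf(
        "%-15s loose=%s strict=%s\n",
        $label,
        var_export(check_loose($valid_password, $value), true),
        var_export(check_strict($valid_password, $value), true)
    );
}
```

Running it shows that check_strict() accepts only the exact password string, while check_loose() also accepts the boolean input, which is the behaviour the flag text is warning about.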
This post is licensed under CC BY 4.0 by the author.