Tags: web 

# CONFidence CTF Teaser 2019 – My admin panel

* **Category:** web, warmup
* **Points:** 51

## Challenge

> I think I've found something interesting, but I'm not really a PHP expert. Do you think it's exploitable?
>
> https://gameserver.zajebistyc.tf/admin/

## Solution

The website has directory listing enabled; browsing to it shows two files:
* `login.php`
* `login.php.bak`

The first page prints the message `Not authenticated.`

The [second file](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/CONFidence%20CTF%20Teaser%202019/My%20admin%20panel/login.php.bak) contains the PHP source code.

```php
{}".format(err.code)
break

```

Sending the cookie `otadmin={"hash": 389}` reveals the flag.

```
p4{wtf_php_comparisons_how_do_they_work}
```
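Why the integer in that cookie matters, shown as an added example that is not part of the original writeup or the challenge source. It assumes the server compares the JSON-decoded `hash` field loosely against a secret hex string that begins with `389`; `EXPECTED_HASH`, `check_loose` and `check_strict` are hypothetical names and the hash value is constructed.

```php
<?php
// Constructed stand-in for a server-side secret hash; not the challenge's value.
const EXPECTED_HASH = '389D0C3A5F1B7E2489AC6F0B1D2E3F4A';

// Weak form (assumed shape): json_decode() preserves JSON types, so
// {"hash": 389} yields an int and == compares an int with a string.
// Before PHP 8 the string is converted to a number from its leading digits.
function check_loose(string $cookie): bool
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || !array_key_exists('hash', $data)) {
        return false;
    }
    return $data['hash'] == EXPECTED_HASH;
}

// Hardened form: accept only a string of the expected shape, then compare
// byte for byte in constant time. No type conversion can take place.
function check_strict(string $cookie): bool
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || !isset($data['hash']) || !is_string($data['hash'])) {
        return false;
    }
    if (preg_match('/\A[0-9A-F]{32}\z/', $data['hash']) !== 1) {
        return false;
    }
    return hash_equals(EXPECTED_HASH, $data['hash']);
}

// Constructed sample cookies: int, short string, full string, malformed.
$samples = [
    '{"hash": 389}',
    '{"hash": "389"}',
    '{"hash": "389D0C3A5F1B7E2489AC6F0B1D2E3F4A"}',
    'not json',
];
foreach ($samples as $cookie) {
    printf("%-50s loose=%-5s strict=%s\n", $cookie,
        var_export(check_loose($cookie), true),
        var_export(check_strict($cookie), true));
}
```

On PHP 7 and earlier the integer cookie passes `check_loose`. PHP 8 changed how an int is compared with a non-numeric string, but the type check plus `hash_equals()` is the fix that holds on every version.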

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/CONFidence%20CTF%20Teaser%202019/My%20admin%20panel/README.md).