Tags: web 

### Dante's Personal Home Page

The first check, `preg_match("/_| /i", $check)`, can be bypassed by using `.` in the parameter name, because PHP converts `.` to `_` in the names of external variables. Thanks to @13k53c for pointing to the external variable docs.

The second check, `ereg("^[a-zA-Z0-9]+$", $magic)`, is bypassed with null byte poisoning: `ereg` stops reading at the null byte, so any alphanumeric string followed by `%00` passes. For example: `abc123%00`.

The request URL can be: http://104.197.168.32:17011/?..magic..=ABC%00$dark$

```text
Flag: infernoCTF{1_gu3ss_y0ur_m4g1c_was_w4y_t00_d4rk}
```
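Both checks fail because they inspect something other than what PHP finally uses: the name before it is rewritten, and the value only up to the first NUL. The PHP below is an added example, not the challenge's source or the writeup author's code. It runs a constructed query modelled on the request above through defensive versions of both checks. The function names are hypothetical, and it assumes the first check ran on the raw query string.

```php
<?php
// Added example with hypothetical names; not the challenge's source code.

// The page's first check, assumed here to run on the raw query string.
function rawCheckPasses(string $rawQuery): bool
{
    return preg_match("/_| /i", $rawQuery) === 0;
}

// Hardened name check: inspect the keys PHP actually registers,
// after it has rewritten "." and " " in names to "_".
function parsedNamesPass(string $rawQuery): bool
{
    parse_str($rawQuery, $vars); // same name rewriting as for $_GET
    foreach (array_keys($vars) as $name) {
        if (strpos((string) $name, '_') !== false) {
            return false;
        }
    }
    return true;
}

// Hardened value check: preg_match is binary-safe, so a NUL byte is just
// another character outside the class. \A and \z anchor the whole string
// and, unlike $, do not tolerate a trailing newline.
function isStrictAlnum(string $value): bool
{
    return preg_match('/\A[a-zA-Z0-9]+\z/', $value) === 1;
}

// Constructed sample input modelled on the request in the writeup.
$rawQuery = '..magic..=ABC%00';
parse_str($rawQuery, $vars);
$value = (string) reset($vars); // decoded value, including the NUL byte

var_dump(array_keys($vars));          // the name as PHP registers it
var_dump(rawCheckPasses($rawQuery));  // first check on the raw string
var_dump(parsedNamesPass($rawQuery)); // same rule applied to parsed names
var_dump(isStrictAlnum($value));      // strict check on the NUL-suffixed value
var_dump(isStrictAlnum('ABC123'));    // strict check on a clean value
```

`ereg` was removed in PHP 7, so code still calling it should move to `preg_match` with `\A...\z` anchors or to `ctype_alnum`.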

Original writeup (https://blog.geekofia.in/ctf/2019/12/28/inferno-ctf-writeup.html).