Rating: 4.0

When we visit the website and follow the Get started link we can see the following message

substr($URL, -10) !== '/index.php'  When we change URI to /admin/index.php we get next message $URL == '/admin/index.php'

I tried to bypass it with query string /admin/index.php?q=index.php , using double slash //admin/index.php and with /admin/./index.php, but it didn't work. Finally, i came up with the correct solution /admin/index.php/index.php. After visiting this URI I got link to second stage of this challenge [http://167.99.36.112:8080/another/index.php?source](http://167.99.36.112:8080/another/index.php?source).

Server sends header X-Powered-By: PHP/5.5.9-1ubuntu4.14 and I knew that array comparison in this PHP version is broken. Index is casted to 32bit integer, so 4294967296 will become 0, but the problem occurs only in comparison, so b[0] will not equal "admin". Therefore the POST body can look like this

b[4294967296]=admin&b[1]=oloco

To get code execution we need to guess function name stored in \$k_Jk and send it via GET. I thought about call_user_func, but it didn't work, so I used another PHP 'feature' that 0 equals non-numeric string when == is used. We also need to meet other requirements. Our code must be 3rd GET param and x param must be longer than 17 chars.

?x=17charslongstrings&useless=true&0=var_dump

This successfully dumps 0. We can see also that any parameter must be "equal" to function name, so we can send 0=something instead of useless=true.

Unfortunately, there is one more problem. We can't use dots and spaces. Spaces can be replaced by horizontal tab - %09, but I have no idea how to deal with dots. For this reason I used grep to dump PHP sources. Unfortunately there wasn't anything interesting there, so the flag could be anywhere. I decided to run grep -r "ASIS{" /, but it's an ugly solution.

?x=17charslongstrings&0=var&grep%09-r%09"ASIS{"%09/=system

The nicer solution would be to ls the /var directory and notice flag file. Then we could just use readfile

?x=17charslongstrings&0=var&/var/flag=readfile


Anyway, it reveals the flag ASIS{f52c5a0cf980887bdac6ccaebac0e8428bfb8b83} as well as the filename /var/flag.