Stripe CTF 2.0 Level 1
In this level you are given a form where you have to “guess” the secret password to get the password to the next level. This level is in PHP and requires you to really looking at the code to figure out an attack point.
I don’t think there are any real hints in this level in the description.
Problem in the code
So here is the following section of code that has a problem. Take a look at line 13
This is where you know how to attack this level. The problem is that extract() takes an array and sets the key value to variables with the value set. This is not a good thing to do with $_GET/$_POST array since the user can set those and override any of the variables that are setup before the extract. This is line 12
$filename = 'secret-combination.txt';
$combination = trim(file_get_contents($filename));
This will take the contents of $filename and put it in $combination
So now that you know the weak spots. We want to attack the $_GET array. So we pass in a blank $filename and $attempt. So our query looks like
What that does is make $combination contain an empty string since the file contents of nothing is nothing. Then you are passing in combination on the $_GET array as nothing so it matches. The form wants to post but since it uses extract() to get the variable settings we can just attack it via $_GET and make the attack pretty easy.