Stripe CTF 2.0 Level 1

August 27, 2012   


In this level you are given a form where you have to “guess” the secret password to get the password to the next level. This level is in PHP and requires you to really looking at the code to figure out an attack point.

Hint Given

I don’t think there are any real hints in this level in the description.

Problem in the code

So here is the following section of code that has a problem. Take a look at line 13


This is where you know how to attack this level. The problem is that extract() takes an array and sets the key value to variables with the value set. This is not a good thing to do with $_GET/$_POST array since the user can set those and override any of the variables that are setup before the extract. This is line 12

$filename = 'secret-combination.txt';
That var sets the secret file where the password to level is stored. Then in line 15 you have the following
$combination = trim(file_get_contents($filename));
This will take the contents of $filename and put it in $combination


So now that you know the weak spots. We want to attack the $_GET array. So we pass in a blank $filename and $attempt. So our query looks like

What that does is make $combination contain an empty string since the file contents of nothing is nothing. Then you are passing in combination on the $_GET array as nothing so it matches. The form wants to post but since it uses extract() to get the variable settings we can just attack it via $_GET and make the attack pretty easy.


comments powered by Disqus