Teaser CONFidence CTF writeup
https://gameserver.zajebistyc.tf/admin/
Clicking the backup file gives us the PHP source code.
We considered several ways to bypass its checks.
What we do know is that we can send cookie data named otadmin.
To bypass the first "if", which contains a regex, and the second one, which checks for "NULL", we just post cookie data like this: otadmin={"hash": 123}
The format of cookie data should follow this regex: {"hash": [0-9A-Z\"]+}
If we post data like otadmin={'hash': '123'} or {'hash': 123}, the function
returns 'NULL', so we can't bypass the second "if".
To bypass the third "if", we brute-force it. Before that, we can get a hint from the server:
I CAN EVEN GIVE YOU A HINT XD 0006464640640064000646464640006400640640646400
We focus on this line:
echo(ord(MD5($cfg_pass)[$i]) & 0xC0);
When a character is ANDed with 0xC0, the result is 0 if the character is 0-9
and 64 if it is a-z.
I used Burp Suite to send requests. We get the flag when it posts:
otadmin={"hash": 389}
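
Added example (not part of the original writeup or the challenge source): decoding the hint string quoted above into a per-character digit/letter mask, using the same `& 0xC0` operation as the echoed line. The function names are my own. Reading the result as "the hash starts with three digits, so a three-digit integer such as 389 is within brute-force range" is an assumption drawn from the accepted value, not from the server code.

```python
import hashlib

# Hint string exactly as quoted in the writeup.
HINT = "0006464640640064000646464640006400640640646400"

def hint_for(hexdigest):
    """Reproduce the leaking loop: emit ord(char) & 0xC0 for each hash character."""
    return "".join(str(ord(ch) & 0xC0) for ch in hexdigest)

def decode_hint(hint):
    """Split the run-together decimal output into one value (0 or 64) per character."""
    values, i = [], 0
    while i < len(hint):
        if hint.startswith("64", i):      # hex letter: bit 0x40 is set
            values.append(64)
            i += 2
        elif hint[i] == "0":              # 0-9: neither 0x80 nor 0x40 is set
            values.append(0)
            i += 1
        else:
            raise ValueError(f"unexpected hint text at offset {i}")
    return values

def mask(values):
    """D = decimal digit, L = hex letter."""
    return "".join("D" if v == 0 else "L" for v in values)

def leading_digits(values):
    """Number of digit positions before the first letter."""
    count = 0
    for v in values:
        if v != 0:
            break
        count += 1
    return count

if __name__ == "__main__":
    values = decode_hint(HINT)
    print(len(values), mask(values))
    n = leading_digits(values)
    print(f"{n} leading digits -> {10 ** n} candidate integers")
    # Round trip on a constructed password (sample value, not from the challenge).
    sample = hashlib.md5(b"constructed-sample-password").hexdigest()
    assert mask(decode_hint(hint_for(sample))) == "".join(
        "D" if c.isdigit() else "L" for c in sample)
```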