Technology | Sep 18, 2012

Stripe’s Capture the Flag 2.0 – Level 1

Credera Team

This article is part 2 of a 10-part blog series detailing the approaches and solutions used to hack through Stripe's 2012 CTF 2.0. To return to the parent article, or to see more hacks, please click here.

This blog entry details the approach used by Chad Harchar in attacking the Stripe CTF 2.0 Challenge Level 1.

***

For this level we are presented with a Guessing Game: guess the secret combination to reach the next level. The code shows that a file named secret-combination.txt contains the secret. We also see the condition that must be met for the user to pass this level:

```php
// $attempt and $combination are set earlier in the level's code (not shown here);
// $combination is read from secret-combination.txt.
if ($attempt === $combination) {
    echo "How did you know the secret combination was" .
         " $combination!?";
    $next = file_get_contents('level02-password.txt');
    echo "You've earned the password to the access Level 2:" .
         " $next";
} else {
    echo "Incorrect! The secret combination is not $attempt";
}
```

The user must guess the contents of the file to move on. Since we have no idea what could possibly be in this text file, we have to find another way to make attempt equal to combination (the contents of the file).

Luckily for us, the Guessing Game uses PHP's $_GET, so we can exploit a PHP vulnerability known as dynamic variable evaluation. This is a form of code injection that lets us manipulate the script's variables from the URL. We can set filename equal to null, which makes combination null as well. After that, all we need to do is set attempt to null, the strict comparison succeeds, and we get the Level 2 password:

https://level01-2.stripe-ctf.com/user-brxhnbbval/?attempt=&filename=
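To make the defensive lesson concrete, here is an added example (not the CTF's code and not from the original post) that puts the check as the post describes it next to a hardened version. The post does not show which PHP idiom lets query parameters overwrite `$filename` and `$attempt`; `extract($_GET)` is assumed here as one way that happens. The file path and parameter names are likewise assumptions.

```php
<?php
// Added example, not the Stripe CTF level's source. It models the weakness the
// post describes: request parameters become local variables, so the secret's
// filename can be emptied and an empty attempt then matches an empty secret.

// Vulnerable shape. extract() is an assumption; the post only says $_GET is used.
function vulnerable_check(array $get): bool
{
    $filename = 'secret-combination.txt';
    $attempt  = '';
    extract($get);                       // ?filename= overwrites $filename with ''

    // PHP 5 returned false (with a warning) for an empty path; PHP 8 throws a
    // ValueError instead. The empty-path case is modelled explicitly so the
    // example runs on both and shows the PHP 5 behaviour the post relies on.
    $raw = ($filename === '') ? false : @file_get_contents($filename);
    $combination = trim((string) $raw);  // false becomes '' after the cast and trim
    return $attempt === $combination;    // '' === '' is true: game over
}

// Hardened shape: the secret path is fixed, the parameter is read explicitly,
// and the check fails closed when the secret is missing or either side is empty.
function hardened_check(array $get): bool
{
    $secretPath = __DIR__ . '/secret-combination.txt';   // assumed location
    $attempt = isset($get['attempt']) ? (string) $get['attempt'] : '';

    $raw = @file_get_contents($secretPath);
    if ($raw === false) {
        return false;                    // unreadable secret never grants access
    }
    $combination = trim($raw);
    if ($combination === '' || $attempt === '') {
        return false;                    // empty values are never a valid match
    }
    return hash_equals($combination, $attempt);   // constant-time comparison
}

// Constructed input mirroring the post's URL: both parameters empty.
$emptyParams = ['attempt' => '', 'filename' => ''];
var_dump(vulnerable_check($emptyParams));
var_dump(hardened_check($emptyParams));
```

The hardened version removes both halves of the problem: request data can no longer rename or redirect the secret's path, and a secret that cannot be read (or an empty guess) is treated as a failed check rather than as an empty string that happens to compare equal. `hash_equals` is used so the comparison does not leak timing information about the secret; it requires PHP 5.6 or later.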

***

These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at securityteam@credera.com
