Category: Web Points: 30 Description:

The ducks and I have an unfinished score to settle.


The ducks is a seemingly boring site, only prompting us for a password. But they are kind enough to provide us the source.php document, which shows us the entire source code for the page.

        <title>The Ducks</title>
        <link href="" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
        <script src="" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
        <div class="container">
            <div class="jumbotron">
                    <h1>The Ducks</h1>
                    <?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
                        if ($pass == $thepassword_123) { ?>
                            <div class="alert alert-success">
                                <code><?php echo $theflag; ?></code>
                        <?php } ?>
                    <?php } ?>
                    <form action="." method="POST">
                        <div class="row">
                            <div class="col-md-6 col-md-offset-3">
                                <div class="row">
                                    <div class="col-md-9">
                                        <input type="password" class="form-control" name="pass" placeholder="Password" />
                                    <div class="col-md-3">
                                        <input type="submit" class="btn btn-primary" value="Submit" />
                    source at <a href="source.php" target="_blank">/source.php</a>

In source.php we see an if statement that runs if our HTTP verb was POST. Then it extracts the variables from $_POST. Then it compares our $pass variable with the value of $thepassword_123, and if they are equal it will echo us out the flag! We just need to make those two values equal. Luckily, it appears to indiscriminately extract variables from $_POST, so we whip out a tool (Fiddler) to manually send a POST request.


Instead of just submitting the $pass variable in the body of our POST, let’s also submit $thepassword_123. So our POST looks something like

	Content-Type: application/x-www-form-urlencoded;


Now we can see what we got back from the server, and under the The Ducks header, we have an alert with the flag in it!