Siss3l · February 11, 2025 00:34
diff --git a/chall.py.php b/chall.py.php
 """<?php

 function source() { // require("key.php");
  echo "<pre>";
  highlight_string(file_get_contents(__FILE__));
  echo "</pre>";
 }

 function quit() {
  // source();
  die();
 }

 function encrypt($input) { // OPENSSL_RAW_DATA=1
  $res = openssl_encrypt($input, "AES-128-ECB", "biglongsecretkey", 1);
  return $res; // bin2hex(openssl_random_pseudo_bytes(8))
 }

 function decrypt($input) {
  $res = openssl_decrypt($input, "AES-128-ECB", "biglongsecretkey", 1);
  return $res;
 }

 if (!isset($_COOKIE["key"])) {
  $username = (isset($_GET["username"])) ? $_GET["username"] : "guest";
  $password = (isset($_GET["password"])) ? $_GET["password"] : "guest";
  if (preg_match("/admin=1/i", $username) || preg_match("/admin=1/i", $password)) { quit(); }
  $cookieenc = encrypt("name=$username;admin=0;password=$password;userid=1337");
  setcookie("key", base64_encode($cookieenc)); $_COOKIE["key"] = base64_encode($cookieenc);
 }

 if (strpos(decrypt(base64_decode($_COOKIE["key"])), "admin=1") !== false) {
  echo "Bravo, you can validate with the following flag: " . "M01_J41M3_L35_GR0535_L4MPE5";
  die(); // echo "<img src='https://media.giphy.com/media/H6CDICYUiPAwE/giphy.gif'/><br>";
 } else {
  echo "Plaintext cookie : " . decrypt(base64_decode($_COOKIE["key"])) . "<br>"; quit();
 }
 // source(); ?>"""
 def flag(): # php -S localhost:1234
  c = __import__("requests").utils.unquote(__import__("requests").get("http://localhost:1234/chall.py.php?username=aaaaaadmin=&password").cookies.get_dict()["key"])
  d = [c[i:i+22-1] for i in range(0, len(c), 22-1)]
  for i in range(1, 65+1):
    for k in __import__("itertools").permutations(__import__("string").printable[:65], i):
      key = d[0] + "".join(k) + d[1][len(k):] + d[2] + d[3] + "======"
      x = __import__("requests").post("http://localhost:1234/chall.py.php", cookies={"key":key})
      y, z = __import__("re").search(r"Plaintext cookie.*1337", x.text), __import__("re").search(r"Bravo.*", x.text)
      if x is not None and y is None and z is not None: _ = exit((key, z.group())) if len(x.text) <= 100 else 0
      if "".join(k)[-1::] == "Z": print(key)
 flag()
	"""<?php

	function source() { // require("key.php");
	echo "<pre>";
	highlight_string(file_get_contents(__FILE__));
	echo "</pre>";
	}

	function quit() {
	// source();
	die();
	}

	function encrypt($input) { // OPENSSL_RAW_DATA=1
	$res = openssl_encrypt($input, "AES-128-ECB", "biglongsecretkey", 1);
	return $res; // bin2hex(openssl_random_pseudo_bytes(8))
	}

	function decrypt($input) {
	$res = openssl_decrypt($input, "AES-128-ECB", "biglongsecretkey", 1);
	return $res;
	}

	if (!isset($_COOKIE["key"])) {
	$username = (isset($_GET["username"])) ? $_GET["username"] : "guest";
	$password = (isset($_GET["password"])) ? $_GET["password"] : "guest";
	if (preg_match("/admin=1/i", $username) \|\| preg_match("/admin=1/i", $password)) { quit(); }
	$cookieenc = encrypt("name=$username;admin=0;password=$password;userid=1337");
	setcookie("key", base64_encode($cookieenc)); $_COOKIE["key"] = base64_encode($cookieenc);
	}

	if (strpos(decrypt(base64_decode($_COOKIE["key"])), "admin=1") !== false) {
	echo "Bravo, you can validate with the following flag: " . "M01_J41M3_L35_GR0535_L4MPE5";
	die(); // echo "<img src='https://media.giphy.com/media/H6CDICYUiPAwE/giphy.gif'/><br>";
	} else {
	echo "Plaintext cookie : " . decrypt(base64_decode($_COOKIE["key"])) . "<br>"; quit();
	}
	// source(); ?>"""
	def flag(): # php -S localhost:1234
	c = __import__("requests").utils.unquote(__import__("requests").get("http://localhost:1234/chall.py.php?username=aaaaaadmin=&password").cookies.get_dict()["key"])
	d = [c[i:i+22-1] for i in range(0, len(c), 22-1)]
	for i in range(1, 65+1):
	for k in __import__("itertools").permutations(__import__("string").printable[:65], i):
	key = d[0] + "".join(k) + d[1][len(k):] + d[2] + d[3] + "======"
	x = __import__("requests").post("http://localhost:1234/chall.py.php", cookies={"key":key})
	y, z = __import__("re").search(r"Plaintext cookie.1337", x.text), __import__("re").search(r"Bravo.", x.text)
	if x is not None and y is None and z is not None: _ = exit((key, z.group())) if len(x.text) <= 100 else 0
	if "".join(k)[-1::] == "Z": print(key)
	flag()