[wustctf2020] plain
2022-07-16 05:42:00 【Bnessy】

The page itself shows nothing useful; a directory scan finds robots.txt.
Visiting it just tells me that this is not the flag, emmmm.
Capturing the traffic and taking a look reveals fl4g.php.
Accessing it shows the source code:
```php
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);

//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo " I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .</br>";
    }else{
        die(" Money can't solve the essential problem of the poor ");
    }
}else{
    die(" Go to Africa ");
}

//level 2
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo " Think of this CTFer Get flag after , grateful , Run to Donglan bank , Find a restaurant , Get the chef out of here , Stir fry two special dishes by yourself , Pour a glass of white wine in bulk , How to get rich , Don't be a little violent .</br>";
    else
        die(" I quickly called my fair weather friend , He made a phone call , Put his family in Africa ");
}else{
    die(" Go to Africa ");
}

//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
        system($get_flag);
    }else{
        die(" It's almost Africa ");
    }
}else{
    die(" Go to Africa ");
}
?>
```
A quick read shows three checks to bypass:
- level 1
```php
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo " I inadvertently looked at my Rolex , I don't want to see the time , Just want to inadvertently , Let you know I'm better than you .</br>";
    }else{
        die(" Money can't solve the essential problem of the poor ");
    }
}else{
    die(" Go to Africa ");
}
```
`num` has to be less than 2020 while `num + 1` has to be greater than 2021, so we rely on how `intval` behaves. `intval` returns the integer value of a variable: given a string in scientific notation it returns only the number before the `e`, whereas in `$num + 1` the string is evaluated as a scientific-notation number first.
Passing `num=1e4` bypasses the check.
- level 2
```php
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo " Think of this CTFer Get flag after , grateful , Run to Donglan bank , Find a restaurant , Get the chef out of here , Stir fry two special dishes by yourself , Pour a glass of white wine in bulk , How to get rich , Don't be a little violent .</br>";
    else
        die(" I quickly called my fair weather friend , He made a phone call , Put his family in Africa ");
}else{
    die(" Go to Africa ");
}
```
We need a value that is the same before and after MD5 hashing. The comparison here uses `==`, a weakly typed comparison, so it is enough to find a value that starts with `0e` and whose MD5 hash also starts with `0e`: `0e215962017`
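Added example, not part of the original write-up or the challenge source: levels 1 and 2 rewritten with a single strict integer parse and `===`, run against the two inputs used on this page. The function names are hypothetical; note that `intval('1e4')` returning 1 is PHP behaviour before 7.1, and from 7.1 on the same call returns 10000.

```php
<?php
// Added example, not the challenge's code.

// Accept only plain decimal integers; "1e4", "12abc" and "1.5" yield null.
function parse_int_strict(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Level 1 with one strict parse: both comparisons now see the same integer,
// so the two conditions can no longer be satisfied by different conversions.
function level1_strict(string $raw): bool
{
    $n = parse_int_strict($raw);
    return $n !== null && $n < 2020 && $n + 1 > 2021;
}

// Level 2 as written on the page: == compares two numeric strings as numbers.
function level2_loose(string $raw): bool
{
    return $raw == md5($raw);
}

// Level 2 with ===: the two strings must match byte for byte.
function level2_strict(string $raw): bool
{
    return $raw === md5($raw);
}

// Constructed inputs: an ordinary number plus the two values from the write-up.
foreach (['2019', '1e4', '0e215962017'] as $s) {
    printf(
        "%-12s parsed=%-5s level1_strict=%-5s level2_loose=%-5s level2_strict=%s\n",
        $s,
        var_export(parse_int_strict($s), true),
        var_export(level1_strict($s), true),
        var_export(level2_loose($s), true),
        var_export(level2_strict($s), true)
    );
}
```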
- get flag
```php
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo " Think of it here. , I'm full and happy , The happiness of rich people is often so simple and unadorned , And it's boring .</br>";
        system($get_flag);
    }else{
        die(" It's almost Africa ");
    }
}else{
    die(" Go to Africa ");
}
```
The incoming `$get_flag` is executed as a command, but spaces are filtered and `cat` is replaced with `wctf2020`.
Use `$IFS$1` in place of the space; `cat` can't be used, so use `nl` instead. First run `ls` to see whether there is a flag file.
It should be this fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
Read it and take a look.
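The `get_flag` branch puts a denylist (no space, no `cat`) in front of `system()`. As an added example, not the challenge's code, here is the opposite design: the request selects a key from an allowlist and the program is started without a shell through the array form of `proc_open` (PHP 7.4+). The action names and commands are hypothetical.

```php
<?php
// Added example, not the challenge's code.
// The caller chooses a key; it never supplies any part of a command line.
const ACTIONS = [
    'list' => ['ls', '-1'],
    'date' => ['date'],
];

function run_action(string $key): ?string
{
    if (!array_key_exists($key, ACTIONS)) {
        return null; // anything not on the allowlist is refused
    }
    // Passing an array makes PHP execute the program directly, so shell
    // syntax such as $IFS, ';' or '|' in user input is never interpreted.
    $proc = proc_open(ACTIONS[$key], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: one allowlisted key, then the command forms the
// write-up relies on, which are now just unknown keys.
foreach (['list', 'ls', 'nl$IFS$1file'] as $input) {
    $result = run_action($input);
    printf("%-14s %s\n", $input, $result === null ? 'refused' : 'ran');
}
```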