login to access [web]

If at first you don't login, maybe back up.

Recon

Dir found: / - 200
File found: /login.php - 308
File found: /con.php - 200
Dir found: /icons/ - 403
File found: /login.php - 200

/con.php is an empty page. Sending a POST reveals a new response header: X-Powered-By: PHP/7.2.24.

Flag

Stared at the website, read the description "back up", tried login.php.bak, obtained flag.

<?php
$username = $_POST["username"];
$password = $_POST["password"];
$flag = "TUCTF{b4ckup5_0f_php?_1t5_m0r3_c0mm0n_th4n_y0u_th1nk}";
$query = "SELECT * FROM users WHERE user='$username' AND password='$password'";

if (true){
    echo '<link href="login.css" rel="stylesheet" type="text/css">';
    echo "<h1>Login failed.</h1>";
}
else {
    $result = mysqli_query($conn,$query);
    $row = mysqli_fetch_array($result,MYSQLI_NUM);

    if ($row) {
        echo "<title>You found it!</title>";
        echo '<link href="login.css" rel="stylesheet" type="text/css">';
        echo "<h1>$flag</h1>";
    }
    else {
        echo '<link href="login.css" rel="stylesheet" type="text/css">';
        echo "<h1>Login failed.</h1>";
    }
}
?>

TUCTF{b4ckup5_0f_php?_1t5_m0r3_c0mm0n_th4n_y0u_th1nk}
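
From the defender's side, the finding is that a backup copy of login.php sat in the web root, where the server returned it as plain text instead of executing it. The following added example (not part of the original write-up) audits a document root for such copies; the suffix list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Suffixes editors and admins commonly leave behind (assumed list; extend as needed).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~")
SOURCE_EXTS = (".php", ".inc")  # extensions whose source must never be served raw

def backup_of_source(name):
    """Return the source file name this looks like a backup of, or None."""
    lower = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):
            stem = name[: -len(suffix)]
            # vim swap files are dot-prefixed, e.g. .login.php.swp
            if suffix == ".swp" and stem.startswith("."):
                stem = stem[1:]
            if stem.lower().endswith(SOURCE_EXTS):
                return stem
    return None

def find_exposed_backups(docroot):
    """List backup copies of source files under docroot and whether they hold PHP code."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            original = backup_of_source(name)
            if original is None:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                has_code = b"<?php" in handle.read(65536)
            findings.append((os.path.relpath(path, docroot), original, has_code))
    return sorted(findings)

def demo():
    """Build a constructed docroot mirroring the challenge layout and audit it."""
    samples = {  # constructed sample files, not the challenge's real contents
        "login.php": b"<?php /* live script */ ?>",
        "login.php.bak": b"<?php $flag = 'PLACEHOLDER'; ?>",
        "con.php": b"<?php /* db connection */ ?>",
        ".con.php.swp": b"b0VIM (constructed swap data)",
        "notes.txt.bak": b"not source code",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(body)
        return find_exposed_backups(root)

if __name__ == "__main__":
    for relpath, original, has_code in demo():
        print(f"{relpath}: backup of {original}, contains PHP source: {has_code}")
```

Any hit that contains PHP source should be removed from the document root or blocked at the web server, since the PHP handler only executes files with the configured extension.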