2024-01-28 · Linux · PHP analysis

๐•‹๐•ฃ๐•ชโ„๐•’๐•”๐•œ๐•„๐•– ๐•Ž๐•’๐•๐•œ๐•‹๐•™๐•ฃ๐• ๐•ฆ๐•˜๐•™ โ€” ๐•ƒ๐Ÿ›๐•’๐•œ_โ„‚๐•‹๐”ฝ

Summary: This walkthrough covers the main steps to solve the L3ak_CTF challenge on TryHackMe: host and port enumeration, web directory discovery, and a short PHP code review of an exposed source file that reveals how the flag string is built.

Step 1 - Enumeration

Start by mapping the challenge hostname to the target IP so your browser and tools can use a friendly name instead of the raw address (replace <TARGET_IP> with the machine's address):

echo "<TARGET_IP> l3ak.thm" | sudo tee -a /etc/hosts
[Screenshots: host mapping, Nmap scan, Gobuster results, directory listing]

Start with an Nmap scan

Use Nmap with default scripts and version detection to find open ports and service versions, saving the output for later reference.

nmap -sC -sV -oN nmap_scan <target_ip>

Examine the web server

If an HTTP service is present, browse the site and run a directory discovery tool against it.

gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Hidden directories may reveal interesting files (e.g., /1/index.html).

[Screenshots: hidden index page, page source]

Inspect the HTML/PHP source for comments or embedded code. Below is the raw page output that was discovered, reproduced as extracted; it contains an obfuscated PHP segment that builds the flag string.

<?php if($_SERVER["REQUEST_METHOD"]=="POST"){$9="B";$3="A";$4="K";$5="{";$11="}";$6="T";$username=$_POST["username"];$password=$_POST["password"];$8="_";$2="3";$pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");$10="S";$7="H";$1="L";$flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;$stmt=$pdo;prepare("SELECT * FROM users WHERE username=?");$stmt execute([$username]);$user=$stmt fetch();if($user&&password_verify($password,$user['password'])){session_start();$_SESSION['user_id']=$user['id'];echo"Welcome,".htmlspecialchars($user['username'])."this is your flag".$flag."!";}else{echo"Invalid username or password.";}}?>

PHP Code Analysis

The code uses single-character variable names, assigned out of order, and string concatenation to build the flag. The database lookup itself uses a parameterised query and password_verify(), so the flag is only echoed after a successful login; the real weakness is that the flag is hard-coded in server-side source that became readable through the exposed directory. Obfuscating the variable names does nothing to protect it. Note also that PHP variable names cannot begin with a digit, so $1 to $11 would not parse in a real interpreter; the snippet is shown for readability of the concatenation order. For clarity, here's a cleaned and fixed version of the PHP snippet discovered:

<?php
if($_SERVER["REQUEST_METHOD"]=="POST"){
    // Flag fragments, deliberately assigned out of order
    $9="B"; $3="A"; $4="K"; $5="{"; $11="}"; $6="T";
    $username=$_POST["username"]; $password=$_POST["password"]; $8="_"; $2="3";
    $pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");
    $10="S"; $7="H"; $1="L";
    // Concatenation order $1..$11 is what determines the flag
    $flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;
    $stmt=$pdo->prepare("SELECT * FROM users WHERE username=?");
    $stmt->execute([$username]); $user=$stmt->fetch();
    if($user && password_verify($password, $user['password'])){
        session_start();
        $_SESSION['user_id']=$user['id'];
        echo "Welcome, ".htmlspecialchars($user['username']).", this is your flag: ".$flag."!";
    } else {
        echo "Invalid username or password.";
    }
}
?>

Flag reconstruction

Substitute each single-character variable with its assigned value, in the order they appear in the $flag concatenation ($1 through $11):

$1 = "L"
$2 = "3"
$3 = "A"
$4 = "K"
$5 = "{"
$6 = "T"
$7 = "H"
$8 = "_"
$9 = "B"
$10 = "S"
$11 = "}"

Concatenated in that order, these give the final flag:

L3AK{TH_BS}
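Doing the substitution by hand works for eleven fragments, but the same pattern (literal fragments assigned out of order, then joined in one concatenation) is common in obfuscated PHP. The following script is an added example, not part of the original walkthrough or the challenge: it parses the obfuscated snippet from the page, collects every $var="literal" assignment regardless of order, locates the concatenation assigned to $flag and rebuilds the value. It goes slightly beyond the page's case by also accepting quoted literals mixed into the concatenation and PHP backslash escapes. The embedded OBFUSCATED_PHP string is the challenge source copied from above, truncated after the prepare() call; the function and pattern names are my own.

```python
import re

# Constructed input: the obfuscated login handler as it appears in the challenge
# page source (assumption: copied verbatim; only the part up to $flag is needed).
OBFUSCATED_PHP = (
    '<?php if($_SERVER["REQUEST_METHOD"]=="POST"){$9="B";$3="A";$4="K";$5="{";$11="}";'
    '$6="T";$username=$_POST["username"];$password=$_POST["password"];$8="_";$2="3";'
    '$pdo=new PDO("mysql:host=localhost;dbname=mydatabase","username","password");'
    '$10="S";$7="H";$1="L";$flag=$1.$2.$3.$4.$5.$6.$7.$8.$9.$10.$11;'
    '$stmt=$pdo;prepare("SELECT * FROM users WHERE username=?"); ?>'
)

# A double-quoted PHP string literal, backslash escapes allowed inside.
DQ_STRING = r'"(?:[^"\\]|\\.)*"'
# One operand of a concatenation: a variable or a string literal.
OPERAND = rf'(?:\$\w+|{DQ_STRING})'
# $name = "literal";  (PHP rejects names starting with a digit, but the challenge
# source uses $1..$11, so \w+ is accepted here on purpose)
ASSIGN_RE = re.compile(rf'\$(\w+)\s*=\s*({DQ_STRING})\s*;')
# $name = <operand> . <operand> . ... ;
CONCAT_RE = re.compile(rf'\$(\w+)\s*=\s*((?:{OPERAND}\s*\.\s*)*{OPERAND})\s*;')
TOKEN_RE = re.compile(OPERAND)

# Escapes PHP recognises inside double quotes; unknown ones stay literal, as in PHP.
PHP_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '"': '"', '$': '$'}


def unquote_php(literal):
    """Turn a double-quoted PHP literal (quotes included) into the string it denotes."""
    body = literal[1:-1]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(PHP_ESCAPES.get(nxt, '\\' + nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def string_assignments(src):
    """Map every variable assigned a plain string literal to its value, whatever the source order."""
    return {m.group(1): unquote_php(m.group(2)) for m in ASSIGN_RE.finditer(src)}


def concat_operands(src, target):
    """Return the operand tokens of the concatenation assigned to $target, in source order."""
    for m in CONCAT_RE.finditer(src):
        if m.group(1) == target:
            return TOKEN_RE.findall(m.group(2))
    raise KeyError(f'no concatenation assignment to ${target} found')


def resolve(src, target='flag'):
    """Rebuild $target by replacing each variable operand with its literal value."""
    values = string_assignments(src)
    pieces = []
    for tok in concat_operands(src, target):
        if tok.startswith('$'):
            name = tok[1:]
            if name not in values:
                raise ValueError(f'${name} is used in ${target} but never assigned a literal')
            pieces.append(values[name])
        else:
            pieces.append(unquote_php(tok))
    return ''.join(pieces)


if __name__ == '__main__':
    print(resolve(OBFUSCATED_PHP))
```

Run it directly to print the reconstructed flag; resolve() raises if one of the concatenated variables was never given a literal, which is the usual sign that a fragment is computed elsewhere and needs manual follow-up.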