<?php
// Pull in the site framework (provides Website, Challenges, Config, Common as used below),
// then emit the page chrome before any challenge logic runs.
include "../../../core.php";
echo Website::header(["title" => "The AES Crypt Chall"]);
echo Challenges::header();
?>
<?php
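// Placeholder values only: this file is shown verbatim by the "showSource" view further down,
// so the real secrets must never appear here. They are supplied by the include that follows.
$flag = "**removed**";
$iv = "**removed**";
$key = "**removed**";
// require instead of include: if the hidden data file is missing, a plain include only warns and
// the page would go on encrypting with the public placeholder key/IV above. Fail closed instead.
require(Config::$challsHiddenDataPath."fshop_data.php"); //Load flag, iv and key values from internal config
// PHP_SELF can contain client-supplied path info, and $img is later interpolated into a
// single-quoted HTML attribute, so escape it (quotes included) before it reaches the markup.
$img = htmlspecialchars(dirname($_SERVER["PHP_SELF"]), ENT_QUOTES, 'UTF-8')."/support_files/shop.jpg";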
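/**
 * Apply PKCS#7 padding for a 16-byte block cipher (AES / Rijndael-128).
 *
 * Always appends between 1 and 16 bytes, each holding the pad length, so an
 * input that is already block-aligned gains one full block of padding.
 *
 * @param string $string Raw bytes to pad.
 * @return string The input followed by the padding bytes.
 */
function pkcs7_pad($string){
    // The AES block size is fixed at 16 bytes. The original asked mcrypt for the CBC IV size,
    // which happens to be the same number but is the wrong quantity to pad to, and it tied this
    // pure string helper to the mcrypt extension (removed from PHP in 7.2).
    $blocksize = 16;
    $pad = $blocksize - (strlen($string) % $blocksize);
    return $string . str_repeat(chr($pad), $pad);
}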
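/**
 * Strip PKCS#7 padding from data produced with a 16-byte block size.
 *
 * @param string $data Decrypted bytes, expected to end with 1..16 identical pad bytes.
 * @return string|null The unpadded bytes, or null when the padding is malformed
 *                     (the original fell off the end of the function in that case,
 *                     which also evaluates to null for callers).
 */
function pkcs7_unpad($data){
    // A failed decrypt hands over a non-string; there is nothing to unpad in that case.
    if (!is_string($data) || $data === '') {
        return null;
    }

    $total = strlen($data);
    $length = ord($data[$total - 1]);

    // Valid pad lengths are 1..16 and can never exceed the data itself. The original accepted
    // a trailing 0x00 byte as "zero bytes of padding" and returned the data untouched.
    if ($length < 1 || $length > 16 || $length > $total) {
        return null;
    }

    $pattern_pos = $total - $length;
    // Strict comparison: every one of the last $length bytes must equal the pad byte.
    if (substr($data, $pattern_pos) !== str_repeat(chr($length), $length)) {
        return null;
    }

    return (string) substr($data, 0, $pattern_pos);
}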
/**
 * Encrypt a string with Rijndael-128 in CBC mode and return it base64-encoded.
 *
 * Caveats for anyone reusing this outside the challenge:
 *  - The result carries no MAC or authentication tag, so a receiver cannot tell whether the
 *    ciphertext was modified in transit. Use an AEAD mode or encrypt-then-MAC for real data.
 *  - This file passes the same config-supplied IV on every call; CBC expects a fresh,
 *    unpredictable IV per message.
 *  - The mcrypt extension was deprecated in PHP 7.1 and removed in 7.2.
 *
 * @param string $str Plaintext; PKCS#7 padding is applied here.
 * @param string $iv  Initialisation vector handed to mcrypt.
 * @param string $key Cipher key handed to mcrypt.
 * @return string Base64 text of the raw ciphertext.
 */
function aes128_cbc_encrypt($str, $iv, $key){
    $padded = pkcs7_pad($str);
    $raw = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $padded, MCRYPT_MODE_CBC, $iv);
    return base64_encode($raw);
}
/**
 * Reverse aes128_cbc_encrypt(): base64-decode, decrypt with Rijndael-128/CBC, strip PKCS#7 padding.
 *
 * Decryption succeeding says nothing about where the ciphertext came from: there is no integrity
 * check, so the returned plaintext must be treated as untrusted by the caller.
 *
 * @param string $str Base64 text of the ciphertext.
 * @param string $iv  Initialisation vector handed to mcrypt.
 * @param string $key Cipher key handed to mcrypt.
 * @return string|null Whatever pkcs7_unpad() yields for the decrypted bytes.
 */
function aes128_cbc_decrypt($str, $iv, $key){
    $raw = base64_decode($str);
    $padded = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $raw, MCRYPT_MODE_CBC, $iv);
    return pkcs7_unpad($padded);
}
/**
 * Parse a "name=value|name=value" cookie payload into its two values.
 *
 * The payload must contain exactly two "|"-separated fields and each field must contain
 * at least one "=". Field names are not inspected: the first field's value is returned as
 * 'token' and the second field's value, cast with intval(), as 'private'. Anything after
 * a second "=" inside a field is ignored.
 *
 * @param string $data Decrypted cookie payload.
 * @return array|null array('token' => string, 'private' => int), or NULL if the layout is wrong.
 */
function split_values($data)
{
    $fields = explode("|", $data);
    if (count($fields) == 2) {
        $first = explode("=", $fields[0]);
        $second = explode("=", $fields[1]);
        if (count($first) >= 2 && count($second) >= 2) {
            return array('token' => $first[1], 'private' => intval($second[1]));
        }
    }
    return NULL;
}
// Privilege flag written into every cookie this page issues: 0 = public, 1 = private info display.
$private_mode = 0;
$error_msg = "";

// The form was posted with an empty username field.
if (isset($_POST["user"]) && empty($_POST['user'])) {
    $error_msg = "Please, provide some username...";
}

if (!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['csrf_token'])) {
    // Credentials are hard-coded and only lightly obfuscated; comparisons are loose (==).
    if ($_POST['user'] == strrev("tseug") && $_POST['pass'] == base64_decode("CSRwNHQ0dDQ=")) {
        // The posted csrf_token is only checked for being non-empty; it is never compared with
        // a server-side value and is copied into the cookie payload as received.
        $data = "token=" . $_POST['csrf_token'] . "|" . "private=$private_mode";
        // Session state (including the privilege flag) is kept client-side in this cookie.
        // setcookie() is called with name and value only, so no HttpOnly/Secure attributes are set.
        setcookie("token", aes128_cbc_encrypt($data, $iv, $key));
        header("Location: " . $_SERVER["PHP_SELF"]);
        die();
    }
    $error_msg = 'Sorry, invalid username/password!';
}
// A "token" cookie is present: treat its decrypted contents as the session.
// NOTE(review): the cookie is encrypted but not authenticated (no MAC/AEAD tag), yet the
// 'private' field read from it decides whether the flag is shown. A production design would
// verify integrity before parsing, or keep the privilege flag server-side.
if (!empty($_COOKIE['token']))
{
$dec = aes128_cbc_decrypt($_COOKIE['token'], $iv, $key);
$vars = split_values($dec);
// Bad padding (no value from the decrypt helper) and a malformed field layout both end here
// with the same message.
if (is_null($vars))
die("<script>alert('Are you trying to hack our shop? try harder!'); history.go(-1);</script>");
// The label below uses truthiness of 'private'; the flag gate after it requires exactly int 1.
print "<br>Login mode: <b>" . ($vars['private'] ? "private":"public") . "</b><br>";
if ($vars['private'] === 1)
print "Welcome back <b>Mr.Fl1p</b>! : for scoring use this flag: <b>$flag</b>";
else
{
print "Hello <b>guest</b>.\n";
print "We're sorry but at this moment we can't sell you any item from our shop because we've been hacked :(";
}
}
else
{
// No cookie yet: render the shop banner and the login form.
?>
<?php
print "<div align=center><br>";
print "<h2>Welcome to Fl1pShop! :)</h2>";
print "<h3>by @<a href='?mo=Pm&me=send&to=danigargu'>danigargu</a></h3>";
// $img is interpolated into a single-quoted attribute as-is, so it must already be HTML-safe here.
print "<img src='$img' border=0 width=640 vspace=8 style='border-radius:80px'>";
print "</div>";
print "<table style='background:rgba(40,0,0,0.8);padding:12px;position:relative;top:-140;border-radius:8px;' align=center border=0><tr><td colspan=3 align=center>";
print "</td></tr>";
// NOTE(review): the hidden csrf_token in the form below is md5(rand(0,999)) - at most 1000
// distinct values from a non-cryptographic generator - and nothing in this file stores it or
// compares it on POST, so it offers no CSRF protection.
?>
<form method="POST" action="">
<input type="hidden" name="csrf_token" value="<?=md5(rand(0,999))?>">
<tr>
<td align=center>Username</td><td> : <input autocomplete="off" type="text" name="user" value="" /></td>
<td rowspan=2><input type="submit" name="submit" value="LOGIN" style='border-radius:8px;width:60px;height:60px;'></td>
</tr>
<tr><td align=center>Password</td><td> : <input autocomplete="off" type="password" name="pass" value="" /></td></tr>
<?php
// $error_msg only ever holds one of the fixed strings assigned during login handling.
if (!empty($error_msg)) print "<tr><td colspan=3 align=center>$error_msg</td></tr>";
?>
</form>
<?php
}
// Close the layout table (opened only in the login-form branch above), then hand over to the
// platform's solution box and flag checker.
echo "</table>";
echo Challenges::solutionBox();
echo Challenges::checkSolution($flag);
?>
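<a href="<?=htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8')?>?showSource">Ver código fuente</a>
<?php
// The link above escapes PHP_SELF because that value can include client-supplied path info and
// was previously echoed into the href attribute unencoded.

// Source view: prints this file verbatim. That is only acceptable because the flag, IV and key
// are placeholders in this file and the real values are loaded from a separate data file.
if (Common::getString("showSource") !== false) {
    print "<div class=sourcecode>";
    highlight_file(__FILE__);
    print "</div>";
}
print Website::footer();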
?>