C-Style Login — PHP Type Juggling Array Bypass
PHP’s loose comparison treats an array as truthy against any string. Sending password[] as an array in the POST body bypasses the string comparison and grants access.
The app tracks clicks with an integer cookie. Skip the clicking by setting ‘cookies’ to 10000000 directly and request the page — the server trusts the cookie value and returns the flag.
PHP’s loose == treats any string starting with ‘0e’ followed by digits as the float 0. Pass a known magic hash input whose MD5 begins with 0e to bypass a hash comparison.
The session cookie is a URL-encoded base64 of a JSON string like ‘id-role-username’. Decode it, change the role to 0 and username to admin, re-encode, and access the admin page.
The buy endpoint accepts a ‘costo’ (price) POST parameter from the client. Sending costo=0 purchases the expensive flag item for free.
The flag is not in the response body — it is stored in a custom HTTP response header called ‘Flag’. Use a HEAD request and read r.headers[‘Flag’].
Craft a file that is simultaneously a valid GIF (magic bytes GIF89a) and a PHP shell (<?php echo system('cat /flag.txt'); ?>). Upload it via the image upload form, find the timestamped filename in the response, and request that URL to execute the shell.
The login form runs client-side JS. Deobfuscating or inspecting it reveals a hardcoded secret key used to AES-decrypt the flag — the key is plaintext at the top of the obfuscated script.
The theme parameter appends .css to the user-supplied path before serving it. Use .../ triples (which reduce to ../ after the filter strips one level) and a URL-encoded null byte to escape the CSS directory and read /flag.txt.
Pass the GET parameter as an array (?richiesta[]=sas) to make PHP receive an array instead of a string, bypassing the string equality check and revealing the flag.