# Buggy PHP  
**category:** web  
**points:** 469  
**solves:** 29  
**author:** Dungeon_Master

## Description  
> IP : http://165.22.179.69/ pass through the php filters to get the flag

## Solution

The code of the challenge is the following:  
```php  
  
```

The trick here is that **hash_hmac** returns NULL when the second argument is
an array, so you make `$_GET['tmp']` an array so that `$key` will be equal to NULL.
After that, you just need to calculate the hash_hmac of your command with a
NULL key like this:  
```php  
  
```  
Next, the command we need to run is `||babase64se64 req.*`. The `||` is there to run
another command than `cmd`, and since `base64` is removed with preg_replace, we
just need to write base64 inside of base64: the inner one will be removed and
the rest will form base64, since the replace is not recursive.  
The command will print the base64 of the req.php file.

Here is the final payload:  
```  
http://165.22.179.69/?hash=eedbd93eda4d5ff61abdba29c0525ab410c098b4601e1a0f12e6743b84dad07f&tmp[]=&cmd=%7C%7Cbabase64se64%20req.*  
```

![](https://i.imgur.com/X8JKfj4.png)

That gives `YjAwdDJyb290e0J1OTl5X3BIcF9DaDRsbDNuOTNzfSc7Cj8+`, which
base64-decodes to:  
```  
b00t2root{Bu99y_pHp_Ch4ll3n93s}';  
?>  
```

**Flag : b00t2root{Bu99y_pHp_Ch4ll3n93s}**  
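
The two weaknesses used above, each next to a hardened form, as an added example that is not the challenge's code; the function names, the sample secret and the sample inputs are assumptions:

```php
<?php
// Added example: names and the sample secret are hypothetical, not from the challenge.

// Weak: a single removal pass, as described in the writeup.
function strip_once($cmd) {
    return preg_replace('/base64/', '', $cmd);
}

// Better: repeat until the string stops changing, so a nested keyword
// cannot re-form. A blacklist still misses anything it does not name.
function strip_until_stable($cmd) {
    do {
        $prev = $cmd;
        $cmd  = preg_replace('/base64/', '', $cmd);
    } while ($cmd !== $prev);
    return $cmd;
}

// Hardened: refuse non-string input before it reaches hash_hmac, so the
// derived key can never silently become NULL.
function derive_key($tmp, $secret) {
    if (!is_string($tmp)) {
        throw new InvalidArgumentException('tmp must be a string');
    }
    return hash_hmac('sha256', $tmp, $secret);
}

// Constant-time comparison; a non-string hash parameter is rejected too.
function verify_cmd($cmd, $key, $hash) {
    return is_string($cmd) && is_string($hash)
        && hash_equals(hash_hmac('sha256', $cmd, $key), $hash);
}

$nested = 'babase64se64 req.php';          // constructed input
var_dump(strip_once($nested));             // keyword re-forms after one pass
var_dump(strip_until_stable($nested));     // keyword is gone

$secret = 'constructed-secret';            // constructed sample value
foreach (['abc', ['']] as $tmp) {
    try {
        $key = derive_key($tmp, $secret);
        $sig = hash_hmac('sha256', 'id', $key);
        var_dump(verify_cmd('id', $key, $sig));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

On PHP 8, `hash_hmac` throws a `TypeError` for an array argument instead of returning NULL, so the NULL-key behaviour applies to older PHP versions. The explicit `is_string` check gives the same rejection on every version.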

Original writeup (https://github.com/Red-Knights-CTF/writeups/tree/master/2020/Boot2root_ctf/Buggy%20PHP).