#### [https://waletsec.github.io/posts/2021-04-26-You-should-die-HeroCTF.fr.html](https://waletsec.github.io/posts/2021-04-26-You-should-die-HeroCTF.fr.html)
### You will need

- Web browser
- curl command

### Solution

We go to the address given to us: [http://chall1.heroctf.fr:9000/](http://chall1.heroctf.fr:9000/).
If we open DevTools there, we find an interesting comment inside the `body` element.
```html
<body id="page-top">

```
The comment tells us that `admin.php.bak` has not been removed, so we fetch it and read what the `admin.php` code looks like:
[http://chall1.heroctf.fr:9000/admin.php.bak](http://chall1.heroctf.fr:9000/admin.php.bak)
```php
```

Original writeup (https://waletsec.github.io/posts/2021-04-26-You-should-die-HeroCTF.fr.html).

# **Presentation**
The objective is to find the flag hidden in the site.  
# **Flaw Exploited**  
The flaw exploited lies in the HTTP exchange: the page returned by the server contains an interesting element. There is also a flaw in the files left on the site.
# **Solution**  
Looking at the source code of the site, we see a comment reminding the developer not to forget to remove `admin.php.bak`.
We can therefore try to retrieve that file from its URL.
In the file we see that, at the end of the PHP code, it executes the command
`echo flag`
We must therefore try to access the `admin.php` file.
I have personally used the Burp Suite tool to retrieve the requests that are returned.
When we try to access `admin.php`, the site sends us a response with the flag inside.
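The root cause in both writeups is a forgotten backup copy of a PHP script: the web server does not hand `.bak` files to the PHP handler, so it serves the source as plain text. The following is an added defender-side example, not code from either writeup: it scans combined-format access-log lines (constructed samples, not from the challenge server) for requests to backup or editor-artifact paths, so an operator can spot both a successful source disclosure (status 200) and mere probing (404). The log format, suffix list and sample lines are assumptions.

```python
import re
from typing import List, Tuple

# Apache/nginx "combined" access-log format (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Suffixes a web server typically serves as plain text instead of executing,
# so a forgotten copy of a script leaks its source. ".bak" is the writeup's case;
# the rest are common editor/backup artifacts (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~")


def is_backup_artifact(path: str) -> bool:
    """True if the request path (query string stripped) ends in a backup/editor suffix."""
    path = path.split("?", 1)[0].lower()
    return path.endswith(BACKUP_SUFFIXES)


def find_backup_file_requests(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for every request for a backup artifact.

    A 200 means the file was actually served (source disclosure); a 404 is only a
    probe, but repeated probes from one client are still worth an alert.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole pass
        if is_backup_artifact(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1532',
    '203.0.113.5 - - [26/Apr/2021:10:00:09 +0000] "GET /admin.php.bak HTTP/1.1" 200 418',
    '203.0.113.5 - - [26/Apr/2021:10:00:15 +0000] "GET /admin.php HTTP/1.1" 200 62',
    '198.51.100.7 - - [26/Apr/2021:10:01:00 +0000] "GET /index.php~ HTTP/1.1" 404 196',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in find_backup_file_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
```

The matching mitigation is to keep backup copies out of the document root entirely and to add a server rule that refuses to serve these suffixes, so a stray copy returns 403 instead of the script's source.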

If you liked this writeup you can check our github with this
[link](https://github.com/PoCInnovation/ReblochonWriteups/tree/master/PicoCTF2021)
and star our repository.

Equipe Reblochon HeroCTF