Official LoveTok Discussion

The worst challenge ever and too boring cuz of php.

I’ve got the info, but really struggling to go any further. Can I message someone please?

I put a lot of logging code into the source code to see what is happening in the background. I suspect two vulnerable functions. However, when I try injection using multi-byte characters my log messages become empty strings and the server does not break.
If anyone can give me a nudge, I would be very thankful.

As someone with minimal PHP experience, this was quite the frustrating “easy” challenge. I finally figured it out but it wasn’t a good looking solution by any means. I did learn a lot though!

Could anyone PM me a hint?

Spent a good 2 hours researching for techniques to bypass that one function…
As it turned out, DuckDuckGo may be excellent to have some privacy, but the search results can be quite bad. With Google, I did 2 searches and the answer was in the Top 3.

Also fell into a deep rabbit hole because I didn’t fully understand how the first technique I researched works, and that it isn’t applicable here. Some 2-3 hours lost in php -a

The vuln is obvious, how to package/structure/format/encode the payload is literally 10 minutes of Google. Really hard to give hints without spoiling everything.

I’m able to see the file name for the flag but stuck at opening the file, can anybody PM me a hint?

can anyone DM me for a hint?

@octopus175 said:

> can anyone DM me for a hint?

NVM just got flag, big thanks to @NoMad for the help!

Can anyone give me some hints? I’m stuck at bypassing that one function.

Looking into the error log, I saw some undefined constant x - assumed “x”.
Is there anybody that ran some exploit that doesn’t show that message?

I guess that in future versions of PHP this might be corrected, and my exploit will no longer be available.

For some reason the right answer didn’t work, I think because of a typo, and I switched to other ideas, while the first one was right. So always check things a few times. sit happens

Major Spoiler. Please edit your post.

In my opinion, the error is correct. Your customized GET or POST parameters are not passed to the Model function.

In the access log, there are some variables that are passed through requests.

Can’t figure out where the flag is… I’m starting to feel stupid xD any advice?

Edit: done, I need more sleep probably

really simple challenge!
don’t waste your time on hard tricks.
just look which input you can control and try to bypass something.

The challenge is not easy; for people like me who do not know php very well it is complicated, since there are certain parameters that I did not know existed, such as &… but it is really easy if you know php or at least understand something … It was still fun. If anyone needs help they can write to me at discord:Bryan_2555#9878

I didn’t know this thread was alive too :flushed:
LoveTok was my third webhack, an easy one for people who already know php

I had never used php before, so it was very hard to think of something, I ended up seeing many things until I discovered that little secret, and also made a makeshift webshell days later just to say to myself it wasn’t that hard

If anyone needs help, R is always here :heart:

Well that was a humbling way to be reminded of how much PHP I’ve forgotten. Fun challenge though.

The ratings definitely make sense for this box. Easy if you know php and I rated medium for that reason.