Sunday, November 23, 2014

Natas 23

Natas 23's welcome page is just a Password form with a login button:

Looking at the source code, it looks like the credentials to Natas 24 will be given if our "passwd" parameter passes two checks:
  1. PASSWD must contain the substring "iloveyou"
  2. PASSWD > 10 must evaluate to be true

Looking through some PHP documentation, it seemed like 1e10 is valid notation and will pass the second check.

I tried a few random things, but the one that worked was appending "iloveyou" to "1e10" like this:


  1. Old post, I know, but wanted to say I used 11iloveyou. I have no idea why it evaluates true for > 10, but it worked for me. 11 > 10 is true, but why does it trim the int from the string? I tried it using other numbers greater than 10 and they were all valid entries.

    1. PHP has no NaN, so it grabs the first number it sees or 0 if it doesn't find one.

  2. What also works is this: 12.."iloveyou" making use of mixed types in PHP!
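
The comparison discussed in the post and comments, as an added PHP example that is not part of the original post or the level's source. The check is rebuilt from the two conditions the post describes (function names and sample inputs are assumptions) and shown next to a strict variant that compares numerically only when the whole string is numeric.

```php
<?php
// Added example: the check is rebuilt from the two conditions the post
// describes, not copied from the level. Function names are hypothetical.

// Loose form: substring match plus a string-vs-int comparison.
function loose_check(string $passwd): bool
{
    return strstr($passwd, "iloveyou") !== false && $passwd > 10;
}

// Strict form: compare numerically only when the whole string is numeric.
function strict_check(string $passwd): bool
{
    return strstr($passwd, "iloveyou") !== false
        && is_numeric($passwd)
        && (float) $passwd > 10;
}

// Constructed inputs: the two values from the post and comments plus controls.
$samples = ["1e10iloveyou", "11iloveyou", "9iloveyou", "iloveyou", "1e10"];

printf("PHP %s\n", PHP_VERSION);
printf("%-14s %-12s %-6s %-6s\n", "input", "(float)", "loose", "strict");
foreach ($samples as $s) {
    // (float) shows the leading numeric prefix that PHP 7 and earlier use
    // when evaluating `$s > 10`. PHP 8 compares a non-numeric string with an
    // int as strings instead, so the "loose" column can differ by version.
    printf(
        "%-14s %-12s %-6s %-6s\n",
        $s,
        (float) $s,
        var_export(loose_check($s), true),
        var_export(strict_check($s), true)
    );
}
```

Because `is_numeric()` rejects any string containing "iloveyou", the strict form never passes, which shows that the two conditions can only be met together through type juggling.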