English [Cybercamp 2015] [Web 5 – Easter eggs is always fun] Write Up


Title : Easter eggs is always fun

Actually, this challenge is not what we could call a good challenge. It’s just a little trick we had to find.

The website is as simple as possible, there is just one big button we can click. The other ones leads to nothing. When we try to click on this button, we clearly see that three parameters are sent via GET.

web5 index
ONE button

My first thought was to modify these parameters, by trying to set easter to “false”, next to “nogo”, etc. Unfortunately, nothing happened. I also tried other things, like add parameter “previous”, send these parameters with a POST request, delete some parameters, but each try was a fail.

So, let’s think about this challenge a bit. We could win only 200 points with this one, which isn’t huge. I guessed that the trick isn’t hard too. The title talks about easter eggs. After an hour thinking about how to find an easter egg, I had a revealation ! The only easter egg which is easily foundable is… PHP EASTER EGGS !

There are four PHP easter eggs, that we trigger by loading a special PHPSESSID in GET parameter.

What about giving it a try?

web5 credits
AMAGAD ! A PHP Credits page

As I saw the page loading, I was like “Oh my god, that’s not possible, it couldn’t be THAT !?” Let’s try another easter egg PHPSESSID.

web5 flag
Yep ! It is the flag

And here is the flag !
To be honest, I disliked this challenge, because it was just a trick to find out.


The lsd

Leave a Reply

Your email address will not be published. Required fields are marked *