At first glance, level 11 seems to be related to something specific to PHP scripting because it shows a very big PHP logo.
After taking a careful look, the PHP logo looks different from the original logo. Moreover, if you read the page source, you will notice that the PHP logo is named “img/php-logo-virus.jpg”. Why name the file as virus?
Just to be sure, let’s run it through the file command to identify what kind of file it is. On my Linux system, I run the file command:
And below is the output:
php-logo-virus.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96×96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, name=infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w], baseline, precision 8, 450×237, frames 3
Did you see it? It says “infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w”.
Running the encoded portion of the string through a base64 decoder tool will give you the following URL – “http://www.rollerski.co.uk/imagesb/p”, which essentially leads to an Error 404, page not found.
My logic: the string turned out to be quite legit, yet the URL points to nothing, so the URL is probably incomplete. To verify this, we can run the strings command on the file to see which strings it actually contains.
Below is the output:
True enough, the string we got earlier was incomplete. Now we have the complete string:
Let us put it through the base64 decoder tool again. This time it returns the URL of an image file: http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif
Strange as it may seem, this is the flag for level 11: “infosec_flagis_powerslide”
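The strings-then-decode step above can be scripted. The Python below is an added example, not part of the original write-up: it pulls printable runs out of raw image bytes, finds the infosec_flagis_ marker, and decodes the base64 after it even when the value has been cut short. The sample bytes are constructed from the URL given above and are not the real image; the function names are hypothetical.

```python
import base64
import re

PREFIX = b"infosec_flagis_"  # flag marker used by this challenge (from the page)

def printable_runs(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def decode_b64_lenient(token: bytes) -> str:
    """Decode base64 that may have been cut off mid-group or lost its padding."""
    if len(token) % 4 == 1:  # one dangling character holds no complete byte
        token = token[:-1]
    token += b"=" * (-len(token) % 4)
    return base64.b64decode(token).decode("utf-8", "replace")

def extract_hidden(data: bytes):
    """Find PREFIX + base64 in raw bytes; return (token, decoded) pairs."""
    pattern = re.compile(re.escape(PREFIX) + rb"([A-Za-z0-9+/]+={0,2})")
    hits = []
    for run in printable_runs(data):
        m = pattern.search(run)
        if m:
            hits.append((m.group(0).decode("ascii"),
                         decode_b64_lenient(m.group(1))))
    return hits

# The truncated value exactly as the `file` output above shows it.
TRUNCATED = b"infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w"

# Constructed sample (not the real image): a minimal JPEG-like header, the
# marker followed by the base64 of the final URL from the write-up, then
# non-printable filler and an end-of-image marker.
FULL_URL = b"http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif"
SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
          + PREFIX + base64.b64encode(FULL_URL) + b"\x00\x01\x02\xff\xd9")

if __name__ == "__main__":
    for label, blob in (("file output", TRUNCATED), ("raw bytes", SAMPLE)):
        for token, decoded in extract_hidden(blob):
            print(f"{label}: {len(token)} chars -> {decoded}")
```

To inspect a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_hidden`.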