This challenge was a WebApp in which you could buy some things among which there was the flag. One little problem: the flag costed 100k$ and you have… no money. No difference from real life.

Navigating through the tabs one could find a “subscribe” button which, when feeded a “valid” email address would print out a coupon code that would apply a 10% discount.

First thing I thought was “well, let’s try to submit multiple coupons”… Obviously it failed.

The WebApp processed one coupon at a time. After trying to SQL inject various payloads (all of which miserably failed) we thought that maybe there was a LFI given the ?page= parameter. The LFI did not work of course (did something simple ever worked at all?) but later on it turned out the trick was fairly simple:

  1. Subscribe and obtain a coupon;
  2. Modify the page parameter inserting index. By doing so the page recursively loaded itself (like a… fractal);
  3. Apply the coupon inside the inner-most page so it will be applied n times, until the flag’s cost reaches 0;
  4. Profit.

I’m getting sick of online shops.