To win this level it would appear that we need to get $_REQUEST[“passwd”] to match the value of “censored”.  Maybe there is another way though.  Let’s see what the comments on php.net have to say about the strcmp() function. As it turns out !strcmp(“foo”, array()) returns “1” AKA “true”, For

So we need to get $_REQUEST[“passwd”] to be greater than 10, AND strstr($_REQUEST[“passwd”],”iloveyou”) to evaluate to true.  Let’s examine the behavior of the PHP “>” operator: According to php.net “If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a

If you though the last level was easy, this one is even easier. Alls we have to do is set revelio=1 for the win:

This one was really easy: Alls we have to do is set admin=1 for the win.  Let’s try: Well that didn’t work.  What’s up with this experimenter thing anyway?  I wonder what would happen if we used the PHPSESSID from that and made the same request?   Oh…that’s what happens.

There is a lot of code in this one so lets focus in on the some of the more important parts: Line 23 tells us we need to set $_SESSION[“admin”] == 1. for the win.  We don’t have direct control over the $_SESSION array, but the following code offers an