Natas level 24 showcases another example of basic PHP type juggling, and this is probably the most common one that I've seen practically ever in the capture-the-flag scene. So this is, and again, this function itself is what you're going to see as an immediate telltale as to how you can get around this. So the PHP code that's testing the source code in Natas level 24, there's the same password form entry and text input as we've seen in the previous level, and they're testing, okay, again, if you've submitted this form, if the array key exists in the request, what it does is it tests, does the password match something, whatever it may be. And this is going to be whoever knows the flag or the password, and again, in this case, so it's censored because we don't want to know, or the game doesn't want us to know what the password is, but that's our objective to find out. So string compare is an interesting PHP function because it returns a zero if it's an identical string. It returns whether or not they are identical, and the way that it does that is determining whether or not there are differences. So returns less than zero if string one is less than string two, greater than string one if it's greater than, and zero if they are equal. So the way that some people test, okay, these things are identical is by NOT-ing, or using the exclamation point here to say if these things not return zero as in this condition evaluates to true, then these passwords are the same. This input is the same as maybe the flag or whatever you're trying to get out here. So this is an interesting example of the password type juggling though, or the PHP type juggling, because we have control over this as a request variable that we pass through HTTP. What's to say we don't make this a string anymore? What's to say we make that an array? So let's go over to the code and I'll show you how this is done.
If I go ahead and request this page simply with the GET request, we have, okay, there's the view source. Let's go ahead and make a POST request. Let's just post this data can be the password, and we'll set it to anything here because we don't know what it's supposed to be. We'll call it like please sub. And that will return wrong in this case. I forgot the comma. Okay, I do this way too often. Sorry, guys. We will know, okay, that's going to be interpreted as a string. We don't know what it is. We actually need it to equal, so it's going to return wrong. But because we're passing this in as an HTTP POST variable and we're passing it in raw, we're able to modify it. And let's say the password variable is no longer a string. We can denote it to be an array by adding these square braces kind of at the very end of the variable name. Now, if I run this, the response that we'll get back is a PHP warning. It'll spit up on us. It'll say, hey, string compare expects parameter one to be a string, but we gave it an array. And this will fall out. All of a sudden the string compare will return zero because I guess that's just what it knows to do on that point. You can see that in the documentation. And it says the credentials for the next level are natas25 and we've got the password. So just like that, interesting gimmick in PHP type juggling that strcmp, the string compare function, is notorious for having that. And you'll see it time and time again in some kind of low level, you know, capture the flag web exploit stuff. So let's save this as natas25 and let's keep moving. So thank you guys for watching. I hope you are enjoying these videos. If you are, please do leave a like, maybe comment. Let me know what you think, what you'd like to see, what I suck at, what, how you're solving the stuff, etc, etc. If you're willing to subscribe. And if you really want to help me out, please support me on Patreon. I want to showcase some of the supporters I have currently.
So shout out to Spencer Clark and Gal Horowitz. Please forgive me if I butcher your name. $1 or more and I can give you a shout out in the video, and $5 or more and I'll give you early access to as much as I can. Whenever I upload things to YouTube, I normally do them in advance. I'll schedule them for a gradual release schedule. But if you don't want to wait, I can get you them as soon as I'm done recording and as soon as the content's ready. So thank you guys. Again, I'll see you in a later video.