[anudeep's space]

Apriti sesamo

Apr 06, 20254 min read

Challenge

LinkDifficultyStatus
https://play.picoctf.org/practice/challenge/467?category=1&originalEvent=74&page=1Static BadgeStatic Badge

Note

Description

I found a web app that claims to be impossible to hack! Try it here!

Solution

Launching the application shows the following page. Clicking on login brings up a login page. Tinkering around didn’t reveal any possible attack surfaces. Let us look at the hints.

Note

Hint 1

Backup files

Hint 2

Rumor has it, the lead developer is a militant emacs user

From the hints, it has something to do with emacs editor and it’s backup feature. After a quick google search, it turns out that emacs editor by default creates backup file before you safe the file. If you have a file like impossibleLogin.php, it creates a backup file named impossibleLogin.php~.

Let us try and see if we can access that file by changing the url to have ~ at the end of the url. At first instance it looks like the page we have previously seen, but looking at the source of the file server we see php code.

So what happened here was, any file ending with .php was being interpreted by the php runtime and only the final html was served when we opened impossibleLogin.php. Now that we tried to access impossibleLogin.php~ it is no longer interpreted by the php runtime but is served as a static file which reveals the php code behind the login page.

Let us try and understand the php code.

<?php if (
    isset(
        $_POST[
            base64_decode("\144\130\x4e\154\x63\155\x35\x68\142\127\125\x3d")
        ]
    ) &&
    isset($_POST[base64_decode("\143\x48\x64\x6b")])
) {
    $yuf85e0677 =
        $_POST[base64_decode("\144\x58\x4e\154\x63\x6d\65\150\x62\127\x55\75")];
    $rs35c246d5 = $_POST[base64_decode("\143\x48\144\153")];
    if ($yuf85e0677 == $rs35c246d5) {
        echo base64_decode(
            "\x50\x47\112\x79\x4c\172\x35\x47\x59\127\154\163\132\127\x51\x68\111\x45\x35\166\x49\x47\132\163\131\127\x63\x67\x5a\155\71\171\111\x48\x6c\166\x64\x51\x3d\x3d"
        );
    } else {
        if (sha1($yuf85e0677) === sha1($rs35c246d5)) {
            echo file_get_contents(
                base64_decode(
                    "\x4c\151\64\166\x5a\x6d\x78\x68\x5a\x79\65\60\145\110\x51\75"
                )
            );
        } else {
            echo base64_decode(
                "\x50\107\112\171\x4c\x7a\65\107\x59\x57\154\x73\x5a\127\x51\x68\x49\105\x35\x76\111\x47\132\x73\131\127\x63\x67\x5a\155\71\x79\x49\110\154\x76\x64\x51\x3d\75"
            );
        }
    }
} ?>

There is a lot of base64 encoded hex strings, let me simplify it for better readability. I will be decoding all the base64 encoded strings and rewrite the above code.

<?php if (isset($_POST["username"]) && isset($_POST["pwd"])) {
    $username = $_POST["username"];
    $pwd = $_POST["pwd"];
    if ($username == $pwd) {
        echo "<br/>Failed! No flag for you";
    } else {
        if (sha1($username) === sha1($pwd)) {
            echo file_get_contents("../flag.txt");
        } else {
            echo "<br/>Failed! No flag for you";
        }
    }
} ?>

The following are the modifications I made to make it more readable:

  1. Decoded all base64 strings to ascii
  2. Change variable names.
    1. yuf85e0677 username
    2. rs35c246d5 pwd

Let us try to understand the code.

  1. When we do login a post request is raised to the same script.
  2. The script will only run if both username and password are set.
  3. It is checking if both username and password are same. If they are same it prints Failed! No flag for you.
  4. If they are not same, it checks if the sha11 hash of both username and password are same. If yes then it will print the flag.
  5. Or else it will print Failed! No flag for you.

So we need two strings that are different having the same sha1 hash, though sha1 is considered broken for security critical applications it is hard to find two such strings whose hashes are the same.

There is one weakness in how php does comparison which could be exploited when we use "==" for comparison. Read more here, the hashes used in here are called Magic hashes.

But in our case it is not possible to use because we are using "===" for comparing the hashes. We need to exploit some language feature to break this. There is nothing we can do in other comparisons except for when we are comparing hashes. Let us see the documentation of sha1() in php.

Note

sha1(string $string, bool $binary = false): string

In older version of PHP (tested in version 7.1), the strict version check was not enforced and used to typecast any thing that’s passed to a string and a warning used to be printed. But recent version php will throw an error because of strict type checking.

So in version 7, when I pass an array to sha1 function it gets type casted to a string Array. So when we compare to arrays it returns false. but when it tries to compare hashes it gets type casted to simple strings Array and the check passes resulting in printing the flag.

The usual login request body looks like below:

username=test&pwd=test

To pass an array let us craft our post request url like below:

username[]=test1&pwd[]=test

The above will result in following variables in php.

username = ["test1"]
pwd=["test"]

Since the array content is different, the first if statement will result in false. And tries to compare hashes. As described above it gets type casted to Array and compares sha1("Array")===sha1("Array"). Which results in the same hash and the comparison passes resulting in revealing the flag.

Footnotes

  1. https://en.wikipedia.org/wiki/SHA-1

Site Map

Graph View

Backlinks