Web [80 pts]

This challenge is about a login that encodes the password with a SHA256 hash. The backend is PHP, and this method has a well-known vulnerability called type juggling.

Resource: Typejuggling PHP

Step 1

Visiting the welcome page and attempting to log in will give us a generic error:

We try to retrieve any information we can, so I used dirsearch to find hidden directories:

It appears that there is a .git directory, containing a bunch of information about the backend and probably the source code. I also found a file in one of the directories whose purpose is to dump the entire database.

Step 2

Our next step is to try to dump the entire git repository to a local directory. In this challenge, I used git-dumper.

Looking at the repository, we see an index.php, containing logic for the login mechanism and how the password is being hashed and compared:

We also see that if there is a valid match, then we can obtain the flag:

The password is being hashed with SHA256 and then compared to a row in the database. So next, we explore the git objects and use git show to obtain information about the commit.

In the above picture, it seems that the owner ran the program that we saw earlier, dumping the entire database. Luckily, we only have to log in as one user to obtain the flag, so we have multiple choices here. I wanted to pick a user whose hash had ‘0e’ followed by all numbers, to avoid further complications. In this case, it was the user Andon1956.

Using this resource, we were able to find a ‘magic hash’ for 0e-allnumbers-: TyNOQHUS

Resource: Type Juggling Magic Hashes

Step 3

After entering the username Andon1956 and the password TyNOQHUS, we are able to log in because of PHP’s type juggling and weak comparison vulnerability.
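The weak comparison this step relies on, next to a strict one, as an added example that is not the challenge's index.php. The function names and the stored hash are constructed for illustration; only the password TyNOQHUS comes from the write-up.

```php
<?php
// Added example: function names and the stored value are assumptions,
// not code recovered from the challenge repository.

// Constructed stored hash in the shape the write-up looks for:
// "0e" followed only by digits (64 characters, like a SHA256 hex digest).
$storedHash = '0e' . str_repeat('1', 62);

// Weak check: == converts two numeric strings to numbers first, and
// "0e<digits>" is read as 0 * 10^<digits>, which is 0 for every such string.
function check_loose(string $password, string $stored): bool
{
    return hash('sha256', $password) == $stored;
}

// Hardened check: hash_equals() compares the two strings byte for byte
// (and in constant time), so no numeric conversion takes place.
function check_strict(string $password, string $stored): bool
{
    return hash_equals($stored, hash('sha256', $password));
}

// Audit helper for a user table: a stored hash of this shape is matched
// by any other magic hash wherever a loose comparison is still in use.
function is_magic_hash(string $hash): bool
{
    return preg_match('/^0+e[0-9]+$/', $hash) === 1;
}

$candidate = 'TyNOQHUS';            // magic-hash input quoted in the write-up
$digest    = hash('sha256', $candidate);

printf("digest of candidate : %s\n", $digest);
printf("digest is magic     : %s\n", var_export(is_magic_hash($digest), true));
printf("stored is magic     : %s\n", var_export(is_magic_hash($storedHash), true));
printf("loose  (==) accepts : %s\n", var_export(check_loose($candidate, $storedHash), true));
printf("strict accepts      : %s\n", var_export(check_strict($candidate, $storedHash), true));
```

Replacing `==` with `hash_equals()` or `===` closes the type-juggling hole; storing passwords with `password_hash()` and checking them with `password_verify()` also replaces the unsalted SHA256 scheme itself.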

Our flag is:
