Web [80 pts]
The topic of this challenge is a login that hashes the password with SHA256 and compares the result on a PHP backend. Comparing hashes this way in PHP is exposed to a well known vulnerability called type juggling.
Resource: Typejuggling PHP
We try to retrieve any information we can, so I used dirsearch to find hidden directories:
It appears that there is a .git directory, containing a lot of information about the backend and probably the source code. I also found a backup.sh file in one of the directories, whose purpose is to dump the entire database.
Our next step is to try to dump the entire git repository to a local directory. In this challenge, I used git-dumper.
Looking at the repository, we see an index.php, containing logic for the login mechanism and how the password is being hashed and compared:
We also see that if there is a valid match, then we can obtain the flag:
The password is being hashed with SHA256 and then compared to a row in the database. So next, we explore the git objects and use git show to obtain information about the commit.
In the above picture, it seems that the owner ran the backup.sh script that we saw earlier, dumping the entire database. Luckily, we only have to log in as one user in order to obtain the flag, so we have multiple choices here. I wanted to pick a user whose stored hash started with ‘0e’ followed only by digits, to avoid further complications. In this case, it was the user Andon1956.
Using the resource below, we were able to find a ‘magic hash’ input whose SHA256 digest is also of the ‘0e’ followed-by-digits form: TyNOQHUS
Resource: Type Juggling Magic Hashes
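To make the bug class concrete, here is an added example (not the challenge's own index.php) that puts the loose `==` comparison next to a `hash_equals` comparison and checks which digests PHP treats as the float 0. The stored digest is a constructed 0e-plus-digits value standing in for the real row from the dump.

```php
<?php
// Added example (not the challenge's code): why a loose comparison of hex
// digests is unsafe, and how to compare digests correctly.

// A digest is "magic" when PHP's == would evaluate it as the float 0:
// it starts with "0e" and every remaining character is a digit.
function is_magic_hash(string $hex): bool {
    return preg_match('/^0e\d+$/', $hex) === 1;
}

// Vulnerable pattern: two numeric strings compared with == are compared
// as numbers, so "0e..." == "0e..." is true whatever the digits are.
function login_loose(string $password, string $stored): bool {
    return hash('sha256', $password) == $stored;
}

// Fixed pattern: type-strict, constant-time comparison.
function login_strict(string $password, string $stored): bool {
    return hash_equals($stored, hash('sha256', $password));
}

// Defender's audit: list every account whose stored digest a loose
// comparison would accept for any other magic digest.
function audit_magic_rows(array $rows): array {
    return array_keys(array_filter($rows, 'is_magic_hash'));
}

// Constructed stored digest (64 hex chars) of the 0e-plus-digits form;
// this is NOT the value from the challenge database.
$stored = '0e' . str_repeat('1234567890', 6) . '12';

$candidate = 'TyNOQHUS';
$digest = hash('sha256', $candidate);

printf("sha256('%s') = %s\n", $candidate, $digest);
printf("candidate digest is magic: %s\n", is_magic_hash($digest) ? 'yes' : 'no');
printf("stored digest is magic:    %s\n", is_magic_hash($stored) ? 'yes' : 'no');
printf("loose  == login: %s\n", login_loose($candidate, $stored) ? 'ACCEPTED' : 'rejected');
printf("hash_equals login: %s\n", login_strict($candidate, $stored) ? 'ACCEPTED' : 'rejected');

// Only 'bob' is reported; 'alice' has an ordinary digest.
print_r(audit_magic_rows([
    'alice' => hash('sha256', 'hunter2'),
    'bob'   => $stored,
]));
```

Running it shows the loose comparison accepting a password whose digest shares nothing with the stored one except the leading `0e`, while `hash_equals` rejects it.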