RSS
 

Posts Tagged ‘php’

Hackvent 2019: Day 23

24 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 23 December 2019

 

Challenge

HV19.23 Internet Data Archive

Solution

We are presented with the following website:

 

We are allowed to enter a username and select some data to download except the flag which is classified. Upon doing this a unique zip file is generated for us containing our files and we are also provided with a password that allows us to open the encrypted zip file.

By playing around with the website we learn the following things:

  • Usernames are truncated to be at most 12 characters long (alphanumberis)
  • Passwords are always 12 digits (alphanumeric) and look like this: BxxRGJAMpmbJ
  • All links to download files contain the input username with -data appended. Example for username of mohttp://whale.hacking-lab.com:23023/tmp/mo-data.zip
  • Can pass in req instead of req[] as PHP post argument to trigger PHP error:
  • Can pass in username[] instead of username as PHP post argument to make name be parsed as Array: http://whale.hacking-lab.com:23023/tmp/Array-data.zip
  • We cannot use the username Santa (it is explicitly disallowed!)

 

We shortly find out that the tmp directory where files are hosted has indexing on and we can see all the files that are being created. By sorting by oldest files first we discover two interesting files:

We download Santa-data.zip and discover that it contains a file called flag.txt! However, we do not know the password for this archive.
Assuming alphanumerics are used as the charset for the password our bruteforce complexity is 62^12 which not feasible.

Next, we inspect the phpinfo for any valuable information, we take note of the PHP version 7.4.1 and that the sodium module is loaded (although this doesn’t matter).

Next we write a password generator script to generate a lot of tokens:

After generating 1000 passwords we run frequency analysis on the payload and discover that certain characters never appear. These characters are 0, 1, l, I, N, n, O, o. Perhaps these characters are committed as they look similar to other characters. Eliminating this characters from our charset brings down our bruteforce complexity to 54^12 which is still not feasible.

We note the title of the challenge page IDA Pro and after researching for IDA Pro PRNG we come across this interesting article:
https://devco.re/blog/2019/06/21/operation-crack-hacking-IDA-Pro-installer-PRNG-from-an-unusual-way-en/

The author describes the same exact charset that is in use here so we try to use the same approach to break the PRNG used to encrypt the Santa-data.zip file. We decide to use PHP for this with the same version 7.4.1 as the challenge website to ensure consistency.

We make the following bruteforce.php script:

This script simply generates a random 12 length password using the first 12 bytes of randomness generated by the RNG for each seed between 0 to 2^32. However, we cannot save this data to disk easily so we will instead stream the data to a ZIP cracking utility like John the Ripper to attempt to crack the file on the fly.

We run:

After about 2 minutes we have a successful crack:

Thus our password is Kwmq3Sqmc5sA and the original seed used was 4333287.
We open flag.txt to get our daily flag!

Flag:  HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}

 
No Comments

Posted in Hackvent 2019

 

Fix PHP 500 Internal Server Error when using date()

31 May 2016

For a particular project I was working on, I set up a website with a really simple script that used the php date() function. However, the use of the date() function resulted in a 500 internal server error. After some testing, I determined this was caused because of a configuration in php.ini. There was an invalid value for the date.timezone setting.

This is what my php.ini file looked like:

Now if date.timezone is set to an invalid timezone (one that does not exist) then it produces a 500 internal server error. However, Australia/Sydney is a valid timezone and should not result in that behaviour.

I then wrote a little script to see what timezones PHP was recognizing:

This resulted in the following output:

Note that Australia/Sydney is missing from the list. Finally I realised that the timezone file for Australia/Sydney was missing on the box (for some unknown reason).

I was using Centos 6.7 and needed to obtain and replace the missing Sydney timezone file so it was available here:

After making this change and restarting php and apache, the issue was solved!

 
No Comments

Posted in Server Management

 

Simple PHP File Download Script

18 Dec 2015

So I recently added a download.php script to my website so that I could force downloads of files instead of having users access them through an indexed directory or through their browser.

I found various scripts online but none of them were as clean as I’d have liked them to be so I wrote my own simple script after a bit of research.

In my setup, the download.php file sits at the root of my website and the filevault folder sites one level higher on the web server. This setup ensures users cannot hotlink to files or directly access them, the script must be used. A benefit of this is that you can add restrictions like allowing a file to be accessed by people from a particular country or by those who have a certain cookie set. If you do not have access to the directory above your websites root directory then you are forced into putting your filevault at the websites root directory.

This is the simple PHP File download script:

Usage

The following link would force the download of that_file.txt

 

Demo

You can also download the above script (using the script!):
Download download.php Script

 
8 Comments

Posted in Programming