
Top Secret

Jenn Janesko edited this page Apr 2, 2019 · 5 revisions

The problem "Top Secret" had the following description:


We found a jabber log with this message:

Hey, this is Captain Crypto.

Yesterday I stumbled onto this top secret web page of my good friends from the cyber police. Like everything they do, it was pretty easy to crack open. From what I remember there was some poorly coded PHP looking similar to:

if (password in array("password1","password2",...))
{ grant_access; }
else
{ echo "wrong pw"; }


They just hardcoded some passwords there, and no hashing is involved. You should get in pretty fast.

BTW inside I left a very important message for you.

Cheers
Your Captain

Going to the web page in the description, I saw a password field.

I tried to guess a few passwords, but I got a "wrong password" message. I tried some basic SQL injection and command injection attacks, but I suspected the code snippet in the description had something to do with the flag. So, I searched online. Searching by "php", "in_array" and "exploit", I found the following web page with an interesting description concerning "php type juggling": https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/.

Reading through the description, it looked like I could trick the password check into returning true if I passed it a data type that it was not expecting. I needed to inspect what was being transferred to the server, so I started up Burp and proxied the requests to see what actually was being passed when I submitted a password.

POST /api.php HTTP/1.1
Host: challenges.ctfd.io:30019
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://challenges.ctfd.io:30019/
Content-Type: application/json
Content-Length: 19
Connection: close

{"password":"test"}

Looking at this, I could see that I was passing the value "test" as a JSON string argument to the password check. I thought about passing either a Boolean or an integer type to see what would happen. I figured out that if I passed the Boolean value true or the integer value 0, the password check would return true, and I could get the flag. Here are examples of the JSON requests that I sent using Burp's repeater function.

{"password":true}

{"password":0}

Interestingly, neither false nor 1 worked when I tried them. In any case, the flag that was returned was...

mucctf{078ee708b5ed10eb4b5c7ab0b3b8c2194a448858}
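The loose comparison behind this result, shown next to a strict version of the same check, as an added example that is not the challenge's code or part of the original write-up. The password list, the function names `check_loose` and `check_strict`, and the request bodies are constructed for illustration.

```php
<?php
// Constructed password list (assumption): the challenge's real list is not on the page.
const PASSWORDS = ["password1", "password2"];

// Loose check, shaped like the snippet in the description:
// without a third argument, in_array() compares with ==.
function check_loose($password): bool
{
    return in_array($password, PASSWORDS);
}

// Hardened check: accept only strings, and pass true as the third
// argument so in_array() compares with === (same type and value).
function check_strict($password): bool
{
    return is_string($password) && in_array($password, PASSWORDS, true);
}

// Constructed request bodies; the JSON types survive json_decode(),
// so the check can receive a bool or int instead of a string.
$bodies = [
    '{"password":"test"}',
    '{"password":true}',
    '{"password":0}',
    '{"password":false}',
    '{"password":1}',
    '{"password":"password1"}',
];

foreach ($bodies as $body) {
    $data = json_decode($body, true);
    $pw = (is_array($data) && array_key_exists('password', $data))
        ? $data['password']
        : null;

    // true == "password1" holds on every PHP version (non-empty string is truthy).
    // 0 == "password1" holds only before PHP 8, where the string is cast to int 0;
    // false and 1 never match, which is the behaviour seen in the write-up.
    printf(
        "%-26s loose=%-5s strict=%s\n",
        $body,
        var_export(check_loose($pw), true),
        var_export(check_strict($pw), true)
    );
}
```

PHP 8 changed number-to-string comparison, so on PHP 8 and later the `0` case no longer passes the loose check, while `true` still does. The strict check rejects every non-string value on all versions.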
