Top Secret
The problem "Top Secret" had the following description:
We found a jabber log with this message:
Hey, this is Captain Crypto.
Yesterday I stumbled onto this top secret web page of my good friends from the cyber police. Like everything they do, it was pretty easy to crack open. From what I remember there was some poorly coded PHP looking similar to:
if (in_array($password, array("password1", "password2", ...)))
{ grant_access(); }
else
{ echo "wrong pw"; }
They just hardcoded some passwords there, and no hashing is involved. You should get in pretty fast.
BTW inside I left a very important message for you.
Cheers
Your Captain
Going to the web page in the description, I saw a password field.
I tried to guess a few passwords, but I got a "wrong password" message. I tried some basic SQL injection and command injection attacks, but I suspected the code snippet in the description had something to do with the flag. So, I searched online. Searching by "php", "in_array" and "exploit", I found the following web page with an interesting description concerning "php type juggling": https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/.
Reading through the description, it looked like I could trick the password check into returning true if I passed it a data type that it was not expecting. I needed to inspect what was being transferred to the server, so I started up Burp and proxied the requests to see what actually was being passed when I submitted a password.
POST /api.php HTTP/1.1
Host: challenges.ctfd.io:30019
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://challenges.ctfd.io:30019/
Content-Type: application/json
Content-Length: 19
Connection: close
{"password":"test"}
Looking at this, I could see that I was passing the value "test" as a JSON string argument to the password check. I thought about passing either a Boolean or an integer type to see what would happen. I figured out that if I passed the Boolean value true or the integer value 0, the password check would return true, and I could get the flag. Here are examples of the JSON requests that I sent using Burp's repeater function.
{"password":true}
{"password":0}
Interestingly, neither false nor 1 worked when I tried them. In any case, the flag that was returned was...
mucctf{078ee708b5ed10eb4b5c7ab0b3b8c2194a448858}
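As an added example (not code from the challenge or this writeup), the loose in_array() check reconstructed next to a hardened version, run on the five request bodies above; the password list is assumed, since the real one was never visible.

```php
<?php
// Added example: why in_array() with loose comparison accepts JSON true/0
// against a list of hard-coded string passwords, and a hardened replacement.
// The password list is constructed for illustration.
$allowed = ["password1", "password2"];

// Vulnerable: the challenge's check, reconstructed. in_array() defaults to
// loose (==) comparison, so a non-string decoded from JSON is compared
// under PHP's type juggling rules.
function looseCheck($password, array $allowed): bool {
    return in_array($password, $allowed);          // == comparison
}

// Hardened: reject anything that is not a string, then compare strictly.
// (Production code would store hashes and use password_verify(); strict
// in_array() alone already closes the type-juggling hole shown here.)
function strictCheck($password, array $allowed): bool {
    if (!is_string($password)) {
        return false;
    }
    return in_array($password, $allowed, true);     // === comparison
}

$bodies = ['{"password":"test"}', '{"password":true}', '{"password":0}',
           '{"password":false}', '{"password":1}'];

foreach ($bodies as $body) {
    $pw = json_decode($body, true)['password'];
    printf("%-20s loose=%-5s strict=%s\n", $body,
        looseCheck($pw, $allowed) ? 'true' : 'false',
        strictCheck($pw, $allowed) ? 'true' : 'false');
}
// On PHP 5.x/7.x: true and 0 pass the loose check (true == "password1";
// 0 == "password1" because the non-numeric string becomes 0), while false
// and 1 do not, matching the writeup. On PHP 8 the 0 case no longer passes
// (int vs non-numeric string is compared as strings), but true still does.
// The strict check rejects all five bodies.
```

The detection takeaway for a reviewer is the missing third argument to in_array() combined with json_decode() input that can carry non-string types.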