When participating in DomeCTF I started off with Congo. The title said “The Matrix”; well, as a kid I enjoyed the movie and now I got a chance to enjoy the challenge. Purely going by its name, it became my first choice.
The link pointed to https://matrix.domectf.in
Seeing a website, I started off with a two-pronged approach:
recon the website and recon the server.
- Today a lot of sites hide themselves behind Cloudflare, and pinging the webserver confirmed that this one was also protected by Cloudflare. Hmmm, that could be difficult. There was no point in running nmap on a Cloudflare IP, since it is shared; that won't lead us anywhere.
- Then I did a TXT record search to look for any leaks there.
- So basically this has to be a web challenge. OK then, moving forward with the recon, I fired up two of my favorite programs, dirb and nikto. They come pre-installed on any Kali distribution and have been great. Some would say that there are better programs out there than dirb, but when going against Cloudflare, others tend to be blocked sooner. So dirb.
- Meanwhile, it was important to look at the links on the site itself. We have https://matrix.domectf.in/register.php on the main page, so let's have a look at it too.
- I tried looking at the JS on the site, but everything on the site was server side, no fun there.
The Backup Zip
- Let us look at the backup file we found on the site.
- Providing the source code means we need to find a way to bypass the login by reading the source. All right, let's get to it.
- So if we supply the correct username and password, we would get the flag.
- Further, let's inspect the other files in the backup Zip.
- functions.php defines the various functions that are used in both index.php and register.php.
- The important part lies in lines 43 onwards: if a user registration is successful, we will see the username and the password. Let's inspect functions.php to understand the registration function's return codes and other functionality.
- At first glance itself, something seems out of place in the registration function. The program converts the username to MD5 and the password to base64, then saves them to pws.dat. We only received a copy of users.dat, which is enough for us as of now.
- users.dat contains a comma-separated list. The first column is the base64-encoded username, the second column is the base64-encoded email address and the last column is a boolean value 1/0 which tells whether the user has been validated or not.
- If we had both users.dat and pws.dat, we would decode the base64-encoded usernames to cleartext, calculate the MD5 hash to find a match in pws.dat, decode the corresponding base64-encoded password and log in using that. But alas, if only a hacker's life were so simple.
PHP Type Juggling
- PHP supports type juggling and there lies the vulnerability.
- A string that looks like a number is compared as a number when checked with the == operator, so two different strings of the form 0e followed only by digits both evaluate to 0 and compare equal.
- It happens to be true for us also. So let us calculate the MD5 hashes of the retrieved usernames.
- Quick Python time.
- We convert the usernames to their corresponding MD5 hashes and check if any starts with 0e followed only by digits, since 0e followed by digits is read as 0 × 10^n, which is always 0.
- We create a generate.py that looks for a hash that will generate a type-juggled string. We will test up to 10-character strings; beyond that it is not feasible.
- The program continued to run; meanwhile, I searched on Google for magic hashes and found md5(240610708) => 0e462097431906509019562988736854, which is a number: https://www.whitehatsec.com/blog/magic-hashes/
- We will try to create a user with the username 240610708 and a random password, and try to obtain the password for user byGcY.
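As an added illustration (not the author's generate.py or the challenge's PHP), the following Python models why PHP's loose == on MD5 hex digests is unsafe and how a strict, constant-time comparison fixes it. The numeric-string rule is a simplified model of PHP's, and QNKCDZO is a second publicly documented magic-hash input that is not from this write-up.

```python
import hashlib
import hmac
import re

# Simplified model of PHP's "numeric string" rule: optional whitespace and sign,
# decimal digits, optional fraction and exponent (assumption: edge cases omitted).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's == for two strings: if both are numeric strings they are
    compared as numbers, otherwise byte for byte."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)  # "0e462..." -> 0.0, "0e830..." -> 0.0
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """A hex digest of the form 0e<digits only> is a numeric string worth 0,
    so under == it collides with every other such digest."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def login_check_loose(stored_hash: str, supplied_user: str) -> bool:
    """The weak pattern the write-up describes: md5($user) == $stored."""
    return php_loose_equal(md5_hex(supplied_user), stored_hash)


def login_check_strict(stored_hash: str, supplied_user: str) -> bool:
    """Hardened form: type-strict and constant-time, the Python analogue of
    PHP's hash_equals() (or at minimum ===)."""
    return hmac.compare_digest(md5_hex(supplied_user), stored_hash)


if __name__ == "__main__":
    # Constructed demo: a stored hash that happens to be "magic" versus the
    # unrelated username from the write-up.
    stored = md5_hex("QNKCDZO")
    for name in ("240610708", "QNKCDZO", "alice"):
        print(name, md5_hex(name), is_magic_hash(md5_hex(name)),
              "loose:", login_check_loose(stored, name),
              "strict:", login_check_strict(stored, name))
```

Only the strict check returns true solely for the genuine username; the loose check also accepts any username whose MD5 is another 0e-digits string.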
Let’s Test if we were correct