DomeCTF XII Writeup : The Matrix

Parinay Bansal
Sep 29, 2019 · 4 min read

TEAM ARDUS

It Begins…

DOMECTF COCON XII

When participating in DomeCTF I started off with Congo. The title said “The Matrix”, well as a kid I have enjoyed the movie and now I got a chance to enjoy the challenge. Purely going by its name, it became my first choice.

The problem Statement

The link pointed to https://matrix.domectf.in

The login Page

Seeing a website, I started off with a two-pronged approach:

Recon the website and recon the server.

Recon

  • Today a lot of sites hide themselves behind Cloudflare, and pinging the webserver confirmed that this one was protected by Cloudflare too. Hmmm, that could be difficult. There was no point in running nmap on a Cloudflare IP, since it is shared; that won't lead us anywhere.
The ping to the website. The IP belongs to Cloudflare.
  • Then I did a TXT record search to look for any leaks there.
Nothing in there either.
  • So basically this has to be a web challenge. OK then, moving forward with the recon, I fired up two of my favorite programs, dirb and nikto. They come pre-installed on any Kali distribution and have been great. Some would say that there are better programs out there than dirb, but when going against Cloudflare, the others tend to be blocked sooner. So dirb.
dirb finds the backup directory
As expected, backup has a directory listing
Registration Page
The registration page shows my username and password. Could there be some XSS?
  • I tried looking at the JS on the site, but everything on the site was server-side, so no fun there.

The Backup Zip

  • Let us look at the backup file we found on the site.
It looks like we found the source code
  • Being given the source code means we need to find a way to bypass the login by reading the source. All right, let's get to it.

Source Code

index.php
  • So if we supply the correct username and password, we get the flag.
  • Next, let's inspect the other files in the backup zip.
  • functions.php defines the various functions that are used in both index.php and register.php.
register.php
  • The important part lies in lines 43 onwards: if a user registration is successful, we get to see the username and the password. Let's inspect functions.php to understand the registration function's return codes and other functionality.
functions.php
users.dat
  • At first glance itself, something seems out of place in the registration function. The program converts the username to MD5 and the password to base64, then saves them to pws.dat. We only received a copy of users.dat, which is enough for us as of now.
  • users.dat contains a comma-separated list. The first column is the base64-encoded username, the second column is the base64-encoded email address, and the last column is a boolean value 1/0 which tells whether the user has been validated or not.
This is how our pws.dat would look on the server
  • If we had both users.dat and pws.dat, we would decode the base64 usernames to clear text, calculate the MD5 hash of each to find a match in pws.dat, decode the corresponding base64 password and log in using that. But alas, if only the life of a hacker were so simple.

PHP Type Juggling

OWASP Day presentation on PHP magic tricks
  • PHP supports type juggling, and there lies the vulnerability.
  • When both operands of the == operator are strings that look like numbers, PHP compares them as numbers rather than as strings, so two different strings of that shape can compare as equal.
  • It happens to apply to us as well. So let us calculate the MD5 hashes of the retrieved usernames.
  • Quick Python time
convert.py
  • We convert the usernames to their corresponding MD5 hashes and check if any starts with 0e, since 0e followed by digits is read as 0 times a power of 10, which always remains 0.
converted users.dat
  • We create a generate.py that looks for a username whose hash will produce a type-juggled string. We will test up to 10-character strings; beyond that it is not feasible.
generate.py
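An added example, not the author's convert.py or generate.py (neither script is reproduced in the post): it models PHP's loose == on numeric-looking strings, parses a constructed users.dat in the three-column format described above, and checks each username's MD5 digest for the 0e shape. The sample rows, the helper names and the simplified numeric-string regex are assumptions; "240610708" and "QNKCDZO" are well-known magic-hash strings.

```python
import base64
import hashlib
import re

# A hex digest that is "0e" followed only by decimal digits is a numeric
# string in PHP (0 x 10^n), which is why two such digests compare equal.
MAGIC_RE = re.compile(r"^0e[0-9]+$")
# Simplified PHP (pre-8.0) numeric-string shape; assumption: no sign/whitespace.
NUMERIC_RE = re.compile(r"^[0-9]+(\.[0-9]+)?(e[0-9]+)?$", re.IGNORECASE)


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equal(a: str, b: str) -> bool:
    """Model PHP 5/7 '==' on two strings: both numeric-looking -> compare as
    floats, otherwise compare as plain strings."""
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_md5(s: str) -> bool:
    """True when md5(s) loosely equals any other '0e...' digest (convert.py idea)."""
    return MAGIC_RE.match(md5hex(s)) is not None


def magic_users(users_dat: str) -> list:
    """Parse users.dat rows (b64 username, b64 email, validated 1/0) and return
    the clear-text usernames whose MD5 digest is a magic hash."""
    hits = []
    for line in users_dat.strip().splitlines():
        b64_user, _b64_mail, _validated = line.split(",")
        user = base64.b64decode(b64_user).decode()
        if is_magic_md5(user):
            hits.append(user)
    return hits


def find_magic(candidates):
    """generate.py idea: first candidate whose MD5 is a magic hash, else None."""
    return next((c for c in candidates if is_magic_md5(c)), None)


# Constructed sample users.dat (not the challenge's real file). "QNKCDZO" is a
# known magic-hash string; "admin" is not.
SAMPLE_USERS_DAT = "\n".join(
    ",".join((base64.b64encode(u.encode()).decode(),
              base64.b64encode(m.encode()).decode(), str(v)))
    for u, m, v in [("admin", "a@example.com", 1), ("QNKCDZO", "b@example.com", 0)]
)
```

Because a registered username like 240610708 hashes to a 0e digest as well, the password lookup compares two zero-valued "numbers"; the fix on the PHP side is a strict === comparison (or hash_equals) instead of ==.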

Flag Time

  • We will try to create a user with the username 240610708 and a random password, and then try to obtain the password for the user byGcY.
We have the password for user byGcY

Let’s Test if we were correct

Flag Found

Happy Hacking Guys………………

Parinay Bansal

Written by

Entrepreneur, father of a Daughter and a Dog. security analyst, Red Teamer

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew