ROOTCON RECOVERY MODE — CTF Final: Web (Wizardry)

For this post, I will write our team’s solutions for the Web challenge — Wizardry. If you haven’t read yet my previous post on Forensics Challenge you may visit here:

https://medium.com/@fr4nc1stein/rootcon-recovery-mode-ctf-forensics-warm-up-660254c8d176

Let’s start.

Challenge Writeups

Category: Web

Challenge: Wizardry

Points: 300

The IP address above directed me to the PHP code below.

Analysis

Line 2 is the inclusion of file flag.phpbut we can't see the source code.

Line 5 to 7 is a GET request accepting 3 parameters magicword , bonusand round

Line 8 to 9 is a static value. (Shoutout to PWN DE MANILA)

First Condition:

The condition is a bit confusing at first. It indicates that thehash must equal to the md5 of get1which is from the magicwordparameter. It doesn’t make sense to me, so I have to check more about MD5 hash and by doing so I found a blog about Magic Hashes.

So, this is PHP loose comparison challenge, the vulnerability for this challenge comes into play when there is a loose comparison (==).

<?php

if (hash('md5','240610708',false) == '0') {

print "Matched.n";

}

if ('0e462097431906509019562988736854' == '0') {

print "Matched.n";

}

?>

I created a PHP script for the initial condition which contain the given hashvalue.

It returns TRUE!

But there is an obstacle on the next condition which is preg_match. Even I got the magic hashes for the equivalent of thehashvalue, I need to complete the preg_matchcondition which must include pwndemanilavalue.

My currentmagicword value doesn't work on thepreg_matchcondition. So we need to find a string, that when combined with the host, it returns “0e” + 30 digits because anything that starts with “0e”, followed strictly by only digits will return TRUE.

I use this basic python script:

To verify I get the md5 value of pwndemanilaffyjL

We got the string. I can now complete the PHP code.

Here’s the explanation for the code above:

Line 5 — $get1 md5 value and $hash value returns TRUE, even not match since it starts with 0e.

Line 7 — $get1 value contains a regular expression from $host value /pwndemanila/ which returns TRUE.

So it seems we have found a valid string

magicword=pwndemanilaffyjL

Second Condition:

Line 25 to 26 is easy, we just need the same value of get2and md5 of get3.Which are magic hashes that we already used in the example above.

bonus=0e462097431906509019562988736854

round=240610708

Combining all the GET parameter requests we’ll get:

http://45.32.113.117/?bonus=0e462097431906509019562988736854&round=240610708&magicword=pwndemanilaffyjL

Voila!!! We get the Flag! (I didn't get the screenshots from the web).

RC14{m4g1c4ndv1rus3s15ev3rywh3r3h4h4h4h4}

Conclusion:

In this challenge, we learn more about Magic hashes and PHP Type Juggling.

For Reference:

Magic Hashes: https://www.whitehatsec.com/blog/magic-hashes/

PHP Type Juggling: https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf

Related Challenges: https://hackmd.io/@Chivato/rkj-Y1GVI#COMPARE-THE-PAIR

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Al Francis

Al Francis

19 Followers

Co-Founder of Kalasag and Project Access Granted Society. A Certified Ethical Hacker,EC-Council Certified Incident Handler and Certified Blockchain Developer.