Login
Writeup for Login (Web) - Imaginary (2023) 💜
Description
A classic PHP login page, nothing special.
Recon
Try to log in with admin:admin and get Invalid username or password.
View page source and find a comment.
Aight so let's check http://login.chal.imaginaryctf.org/?source
So the $flag will be appended to the $password if we provide the correct $magic value as a GET parameter, e.g. http://login.chal.imaginaryctf.org/?aabbccdd11223344
As the $msg indicates, logging in as the admin will not provide the flag. It will give us the $magic value we need, but we'll still need a way to recover the flag.
Solution
I go straight for sqlmap, feeding the POST login request as a file.
We quickly find our vuln.
Let's exploit it to get the admin's password, then we can login and get the magic value! Start off finding the tables.
Now we can use --columns to narrow it down further.
However, I decided to guess instead.
Guess we need pwhash instead, then we can crack it.
Let's confirm the hash type.
We check the mode in hashcat and put the hashes into a file called "hash".
Time to crack (I have the rockyou.txt wordlist in an environment variable)!
It said it would take 2 days in my VM, so I switched to Windows (GPU), which reduced the time to ~10 hours.
Not likely to be intended lol. I guess we could halve the time by only trying to crack the admin password. I ran sqlmap again and dumped the users; guest and admin.
Note, we can log in as guest:guest but just get Welcome guest! But there is no flag here :P.
Maybe password_verify() always returns true with some hash?
Nope, didn't work for me. Maybe SQL injection with password_verify()?
It looks good! According to this answer we can select a username, along with a "fake" password hash of our choice.
Took some trial and error but eventually:
So the full SQL statement on the backend will look like this.
Essentially, it's grabbing the admin user along with the guest password hash (which we know translates to guest). We log in (username set to our SQLi payload and the password is guest). Our magic value is in the source!
Now we know that visiting http://login.chal.imaginaryctf.org/?688a35c685a7a654abc80f8e123ad9f0 will trigger the following code, appending the flag to the password.
Note: I didn't finish this challenge but let me finish the writeup for the sake of completion.
There's a recently closed GitHub issue: password_hash documentation: Caution about bcrypt max password length of 72 should mention bytes instead of characters
Caution Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.
So, we can combine our first exploit (selecting any known password hash with SQLi) with the truncation vulnerability.
We submit the bcrypt hash of (71 * A) + flag_char as the password, where flag_char is looping through all printable ASCII chars. If the login is successful, we've cracked that character of the flag and we can now do (70 * A) + flag_char, until we have the full flag.
Doing so would recover our flag.
Flag: ictf{why_are_bcrypt_truncating_my_passwords?!}
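As an added example (not the challenge's code, nor part of this writeup originally), here is what a hardened version of the login looks like in PHP, with the two changes that close both techniques used above: the username goes through a prepared statement so a UNION can no longer supply the hash that password_verify() checks, and the password is collapsed to a fixed 44-byte digest before bcrypt ever sees it, so the 72-byte cut-off that the appended flag was leaking through is never reached. It assumes a users table with username and pwhash columns (as the sqlmap dump showed) and a PDO handle, and includes a small self-test a practitioner can point at any hash/verify pair to learn whether it silently truncates.

```php
<?php
declare(strict_types=1);
// Added example, not the challenge's source. Assumed schema: users(username, pwhash).

const BCRYPT_MAX_BYTES = 72;

/** Collapse a password of any length to 44 bytes of base64(SHA-256) before bcrypt.
 *  Nothing can reach the 72-byte limit, so a secret appended to the password can no
 *  longer be probed one byte at a time. Apply identically at registration and login. */
function prehash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

function hashPassword(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify(prehash($password), $storedHash);
}

/** Self-test for any hash/verify pair: is a password that only differs after the
 *  72nd byte accepted? Raw bcrypt silently ignores those bytes; the prehashed
 *  wrappers above do not, because every byte changes the digest. */
function backendTruncates(callable $hash, callable $verify): bool
{
    $base = str_repeat('A', BCRYPT_MAX_BYTES);
    return $verify($base . 'bytes past the limit', $hash($base));
}

/** Hardened login: the username is bound as a parameter, so the pwhash being
 *  verified always comes from the stored row, never from an injected UNION. */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return verifyPassword($password, $row['pwhash']);
}

// Probe both backends with constructed input (no database needed):
var_dump(backendTruncates(
    fn(string $p) => password_hash($p, PASSWORD_BCRYPT),
    fn(string $p, string $h) => password_verify($p, $h)
));
var_dump(backendTruncates('hashPassword', 'verifyPassword'));
```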
Apparently, this was covered in a recent video from IppSec. There's a solve script included with f0rk3b0mb's writeup 💜