This challenge was a web challenge: a piece of PHP code to inspect, identify the problem with it, and then exploit that weakness on the server running the application.
At first, I tried to take a look at the input which is controlled by the user. This is where we can manipulate and send some crafted input. Unfortunately, we cannot alter the execution flow except by entering a username other than the admin username, which is provided. And happily, the password is also provided, so we just have to find an input that matches the admin password. Well no, not this time.
The interesting part of the code is the else branch, which gets executed (as stated before) when the username is not equal to the provided one. The key to the solution is the generate_password(time()) call and the crypt function.
Crypt()
It takes the text to be hashed and a salt string whose leading $6$ (the digit between the dollar signs) selects the algorithm. The salt string may also carry a rounds parameter stating how often the algorithm is iterated, followed by the actual salt (the seed).
The returned string carries the algorithm, rounds and salt in front of the hash itself, so a candidate value can be checked against it later without the parameters being fixed in the code.
Generate password
generate_password takes a value to use as the password and runs it through crypt() with the corresponding cipher and rounds. In this case, that value is time()!
Solution
If you now think about what happens: the current time gets hashed with THE SAME salt as before, since the salt and cipher information is stored in the hashed string and is reused when the input is checked. So the only thing we have to do is to provide the correct server time and we get access. Since my clock or the server's can be a bit laggy and out of sync, we just brute force it by combining the current time with an increasing offset.
For that, I used a Python plugin for Burp Suite to generate the current time and Intruder to iterate over a number.
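The weakness described above, reconstructed as an added PHP illustration (not the challenge's own code): the salt string, the function names and the clock-skew values are assumptions. It shows how small the guess window becomes when time() is the secret, and what a fixed generate_password looks like.

```php
<?php
// Added illustration, not the challenge code: why seeding crypt() with
// time() makes the "password" guessable, and how to generate one properly.

// Reconstruction of the weak pattern. The salt string is assumed (the
// real one was not shown); $6$ selects SHA-512 crypt, rounds= its iterations.
const WEAK_SALT = '$6$rounds=5000$examplesalt$';

function generate_password(int $seed): string
{
    return crypt((string) $seed, WEAK_SALT);
}

// Defender's view: how many guesses are needed when the secret is a Unix
// timestamp near "now". $drift models the clock skew between two machines.
function guesses_until_match(string $stored, int $now, int $drift): ?int
{
    for ($offset = -$drift; $offset <= $drift; $offset++) {
        $candidate = (string) ($now + $offset);
        // crypt() reads algorithm, rounds and salt back out of $stored,
        // so the candidate is hashed exactly like the original input.
        if (hash_equals($stored, crypt($candidate, $stored))) {
            return $offset + $drift + 1;   // number of guesses made
        }
    }
    return null;   // not within the modelled skew window
}

// Fixed version: a random secret with real entropy, hashed with a fresh
// random salt generated by password_hash() on every call.
function generate_password_fixed(): array
{
    $secret = bin2hex(random_bytes(16));               // 128-bit secret
    $hash   = password_hash($secret, PASSWORD_DEFAULT);
    return ['secret' => $secret, 'hash' => $hash];
}

$serverTime = time();
$stored     = generate_password($serverTime);
// Constructed scenario: the guessing machine's clock is 7 seconds off.
$guesses = guesses_until_match($stored, $serverTime + 7, 30);
echo "weak scheme matched after {$guesses} guesses\n";

$fixed = generate_password_fixed();
var_dump(password_verify($fixed['secret'], $fixed['hash']));
```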