raziCTF 2020 : Baby Web 01

Oct 26, 2020


Challenge Description

Someone wrote the perfect authentication system but its only weakness is that the previous password must be stored in the file.


Solution

For this challenge we were given a URL hosting the following PHP code:

<?php
    $prev_pass = "66842480683974257935677681585401189190148531340690145540123461534603155084209704";
    if(isset($_GET["password"])){
        if(mb_strlen($_GET["password"], 'utf8') < strlen($prev_pass)){
            if(strlen($_GET["password"]) > mb_strlen($prev_pass, 'utf8')){
                $input_h = password_hash($_GET["password"], PASSWORD_BCRYPT);
                if(password_verify($prev_pass, $input_h)){
                    echo exec("cat flag.txt");
                    die();
                }else{
                    echo "Are you trying to hack me?!";
                    die();
                }
            }else{
                echo "Nope";
                die();
            }
        }else{
            echo ":/";
            die();
        }
    }else{
        highlight_file(__FILE__);
        die();
    }
?>

Ok, let's break it down.

Reading the source code, we can see that the server is:

The problem lies in the second and third conditions. mb_strlen() returns the number of characters, whereas strlen() returns the number of bytes, so we can abuse this and provide a password that is shorter than the previous password in characters but longer in bytes, satisfying both checks at once. The final check then passes as well, because PHP's PASSWORD_BCRYPT only hashes the first 72 bytes of its input: any password whose first 72 bytes match the previous password will verify against the hash of the other.

We simply take the last two characters of the previous password, 04, and replace them with a non-readable UTF-32 hex value:
66842480683974257935677681585401189190148531340690145540123461534603155084209704
04 -> �
668424806839742579356776815854011891901485313406901455401234615346031550842097�

Now our password is 79 characters long but 81 bytes.
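As an added example (not the writeup's or the challenge's own code), the following PHP script reproduces the two length checks and the bcrypt truncation on a constructed input built the same way as the payload above, and then shows the form a password check should take instead. It assumes PHP 7.1 or later with the mbstring extension loaded; $prev_pass is copied from the challenge, while the input string, the enrol() and check_password() helpers and the sample secret are constructed here.

```php
<?php
// Added example, not the challenge's own code. Reproduces the character/byte
// length confusion and the bcrypt 72-byte truncation behind the writeup, then
// shows a checked alternative. Assumes PHP >= 7.1 with the mbstring extension.
// $prev_pass is copied from the challenge; every other value is constructed here.

$prev_pass = "66842480683974257935677681585401189190148531340690145540123461534603155084209704";

// Constructed input in the spirit of the writeup: the first 78 characters of
// $prev_pass followed by one three-byte UTF-8 character (U+FFFD).
$input = substr($prev_pass, 0, 78) . "\u{FFFD}";

printf("prev_pass: %d chars, %d bytes\n", mb_strlen($prev_pass, 'UTF-8'), strlen($prev_pass));
printf("input:     %d chars, %d bytes\n", mb_strlen($input, 'UTF-8'), strlen($input));

// The challenge's second and third conditions compare a character count with a
// byte count. For a string containing multi-byte characters both can hold at once.
$fewer_chars = mb_strlen($input, 'UTF-8') < strlen($prev_pass);
$more_bytes  = strlen($input) > mb_strlen($prev_pass, 'UTF-8');
var_dump($fewer_chars, $more_bytes);

// PASSWORD_BCRYPT hashes only the first 72 bytes of its input, so any two
// strings that agree on those bytes verify against each other's hashes.
$input_h = password_hash($input, PASSWORD_BCRYPT);
var_dump(substr($input, 0, 72) === substr($prev_pass, 0, 72));
var_dump(password_verify($prev_pass, $input_h));

// Checked alternative (constructed helpers). Two changes from the challenge code:
//  1. the secret is hashed once at enrolment and the submitted value is verified
//     against that stored hash (the challenge hashes the submitted value instead);
//  2. anything longer than 72 bytes is refused at both enrolment and login, so
//     bcrypt never silently truncates, and byte counts are only ever compared
//     with byte counts.
function enrol(string $password): ?string
{
    if (strlen($password) > 72) {
        return null; // caller must ask for a shorter secret (or pre-hash it)
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

function check_password(string $submitted, string $stored_hash): bool
{
    if (strlen($submitted) > 72) {
        return false;
    }
    return password_verify($submitted, $stored_hash);
}

// The 80-byte challenge secret would be truncated by bcrypt, so enrolment refuses it.
var_dump(enrol($prev_pass) === null);

// Constructed secret short enough to be hashed in full.
$secret      = "correct horse battery staple";
$stored_hash = enrol($secret);
var_dump(check_password($secret, $stored_hash));
var_dump(check_password($secret . "\u{FFFD}", $stored_hash));
var_dump(check_password(substr($secret, 0, -2) . "\u{FFFD}", $stored_hash));
```

Running it shows both challenge conditions holding for the constructed input, password_verify() succeeding across the 72-byte boundary, and the enrol()/check_password() pair refusing the oversized secret while rejecting every variation of the short one that is not byte-for-byte identical.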

http://smerdis.razictf.ir/babyweb1/?password=668424806839742579356776815854011891901485313406901455401234615346031550842097�

Flag : RaziCTF{w3ll_d0nE_go_0n_to_THE_n3xT_OnE}
