Write-Up Advent of CTF 2020 Challenge 14
Overview
The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020.
The CTF was created by Arjen Wiersma, a member of our Hackdewereld.nl community and Chief Lecturer for Cyber Security at NOVI University. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com.
Challenge 14
- Description: We are testing a new 2 factor security system for Santa’s deepest secrets. It should be pretty secure!
- 1400 Points
This challenge was a difficult one for me. I needed some time to solve this one. Let’s start this challenge, and I will show you how I solved it. Let’s visit the challenge webpage. The webpage only shows a PHP code snippet and a textbox to fill in a password and a verifier.
The code snippet. I’ve added some comments to explain this code a little bit.
<?php
ini_set('display_errors', 0);
include("flag.php");
// Validating the posted password and verifier
if (isset($_POST["password"], $_POST["verifier"])) {
    $password = $_POST["password"];
    $verifier = $_POST["verifier"];
    // The password and the secret salt are added with "+" (numeric addition,
    // not string concatenation) and the result is hashed with SHA-1
    $hash = sha1($password + $secret_salt);
    // The first 7 characters of the sha1 will be the verifier
    $reference = substr($hash, 0, 7);
    // If the verifier and reference are equal (strict comparison!) then the flag will be shown
    if ($verifier === $reference) {
        echo $flag;
        die();
    }
}
header("Location: /index.php?error=That was not right.");
exit();
?>
We control the password, but the salt is unknown to us. From the CTF creator, we received the hint that the secret_salt is a number, an integer. That’s not the only hint we received; we also received the hint to use this webpage to get to the solution: https://www.php.net/manual/en/language.types.float.php.
Well, I will go directly to the solution with some explanation. I’ve tried many variations to crack the salt, but I was not able to crack the salt. This is also not a guessing game. After reading much information, it became clear that PHP with floating-point numbers has its limits.
I used this PHP sandbox to play around with floating-point numbers. Before I proceed, let’s take a deep dive into PHP floating-point numbers. If you are already familiar with floating-point numbers in PHP, you can jump directly to the solution.
Floating-point numbers in PHP
What does this mean? Well, it’s just a fancy way of saying a number that has decimal places. But it has its limits. A floating-point number in PHP has a maximum value. When a float value is above the defined PHP_FLOAT_MAX, it is considered infinity. So, if we do a calculation with floating-point numbers and the result is above the PHP_FLOAT_MAX value, it returns INF.
Solution
We try to go above the PHP_FLOAT_MAX value to get a result of INF. Because the password is added to the salt, the sum is INF whatever the salt is, so the reference becomes predictable and the verifier can be made equal to it. I tested my payload in the PHP sandbox, and this payload returns an INF value. The first value in this calculation should be considered the password.
<?php
print "1.e1234" + "11111";
?>
INF
I can hash the value INF with SHA1 and use the first seven characters as the verifier. So, I hashed this value to SHA1 with hashes.com, and it resulted in this hash:
55c1943f65c7c105ae98e6703cd64127b6585656
I can put the first 7 characters in the verifier field, enter 1.e1234 as the password, and click ‘Submit’. And the flag is returned! The flag: NOVI{typ3_juggl1ng_f0r_l1fe}.
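The salt-independence described in the solution, next to a hardened check, as an added example that is not part of the original write-up or the challenge's own code. The salts, the secrets and the helper names weak_reference, strong_reference and verify are constructed for illustration.

```php
<?php
// Added illustration; not the challenge's code. Salts and secrets are constructed values.

// Same logic as the challenge: "+" is numeric addition, so a numeric
// string such as "1.e1234" is converted to a float before the salt is added.
function weak_reference($password, $secret_salt): string
{
    return substr(sha1($password + $secret_salt), 0, 7);
}

// Hardened form (hypothetical helper names): inputs stay strings, the
// secret keys an HMAC, and the whole digest is compared in constant time.
function strong_reference(string $password, string $secret): string
{
    return hash_hmac('sha256', $password, $secret);
}

function verify(string $password, string $verifier, string $secret): bool
{
    return hash_equals(strong_reference($password, $secret), $verifier);
}

// The float overflows to INF, so the weak reference is identical for every salt.
foreach ([1, 42, 8675309] as $salt) {
    printf("salt=%-8d weak=%s\n", $salt, weak_reference("1.e1234", $salt));
}

// The weak reference equals the truncated SHA-1 of the literal string "INF".
var_dump(weak_reference("1.e1234", 1) === substr(sha1("INF"), 0, 7));

// With the HMAC, the same password yields different references per secret,
// and a verifier computed without the secret is rejected.
var_dump(strong_reference("1.e1234", "secret-a") === strong_reference("1.e1234", "secret-b"));
var_dump(verify("1.e1234", substr(sha1("INF"), 0, 7), "secret-a"));
```

The hardened functions never apply arithmetic to user input, so numeric-looking strings get no special treatment, and the reference cannot be computed without the secret.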
Thanks for reading!