path: root/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt
author    Malfurious <m@lfurio.us>  2021-08-11 01:12:37 -0400
committer Malfurious <m@lfurio.us>  2021-08-11 01:12:37 -0400
commit    caf24aa1eeded533824c01f7289ec3b7cdc84634 (patch)
tree      46181ea4220587e7a815eccd609e5e1c57e33892 /docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt
parent    f6ef9b862e8b9826a834a58a286f0a99319bc00e (diff)
parent    452ba0102dcc2674fa1323143c4849c628c7603d (diff)
Merge tag 'pull-duso-metasploit-writeups' of https://github.com/Dusoleil/lib-des-gnux
Dusoleil's Writeups for the Metasploit Community CTF 2020

* tag 'pull-duso-metasploit-writeups' of https://github.com/Dusoleil/lib-des-gnux:
  Dusoleil's Writeups from Metasploit Community CTF 2020
Diffstat (limited to 'docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt')
-rw-r--r--  docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt
new file mode 100644
index 0000000..bddc5fa
--- /dev/null
+++ b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt
@@ -0,0 +1,11 @@
+PORT 8092
+
+another web server which gives us a login page and the php source code for the login page. The password we give is hashed with a secret salt and compared to a hash that we provide. If we can guess the salted hash for a given password, we get the flag.
+
+Obviously we aren't going to just guess a salted hash. At first, I thought this would require us to brute force the salt's hash with an empty password, but this will be way too slow considering the alphabet size, a default 22 character salt, and cost=12 option used in the php.
+
+Then I noticed that the hash was being compared with "==" instead of "===". php's "fuzzy equality" check does some interesting things (docs/lang/php/loose_comparison.png).
+
+I tried a couple things, but what I got working was to give an array as the password which will cause the password_hash function to return false. This compared with a null string passed as the hash will actually equal true.
+
+curl target/login.php --data "password[]=&hash="
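Review bot: the final command does not match the explanation two paragraphs above it, and the mitigation the text implies is never stated. `--data "password[]=&hash="` sends `hash` as an empty string, not a "null string", so the check that passes is `false == ""` under PHP's loose `==`; suggest changing "null string" to "empty string" and adding one sentence saying that the fix is to compare with `===` (or, better, to use `password_verify()` rather than hashing and comparing by hand), since the `==`/`===` distinction is the whole point of the write-up. The claim that `password_hash()` "returns false" for an array argument should also name the PHP version the challenge ran, because the behaviour for a non-string argument differs across PHP versions (newer releases throw a `TypeError` instead of returning a falsy value), and the loose comparison would behave differently in that case. Two smaller documentation points: `target` in `curl target/login.php` should be marked as a placeholder host and the command should carry the scheme and the port given at the top of the file (e.g. `curl http://target:8092/login.php`), and the image reference `docs/lang/php/loose_comparison.png` should be stated as a path relative to the repository root, since this file sits three directories below it.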