From 452ba0102dcc2674fa1323143c4849c628c7603d Mon Sep 17 00:00:00 2001 From: dusoleil Date: Thu, 5 Aug 2021 02:19:42 -0400 Subject: Dusoleil's Writeups from Metasploit Community CTF 2020 Signed-off-by: dusoleil --- docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt (limited to 'docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt') diff --git a/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt new file mode 100644 index 0000000..bddc5fa --- /dev/null +++ b/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt @@ -0,0 +1,11 @@ +PORT 8092 + +another web server which gives us a login page and the php source code for the login page. The password we give is hashed with a secret salt and compared to a hash that we provide. If we can guess the salted hash for a given password, we get the flag. + +Obviously we aren't going to just guess a salted hash. At first, I thought this would require us to brute force the salt's hash with an empty password, but this will be way too slow considering the alphabet size, a default 22 character salt, and cost=12 option used in the php. + +Then I noticed that the hash was being compared with "==" instead of "===". php's "fuzzy equality" check does some interesting things (docs/lang/php/loose_comparison.png). + +I tried a couple things, but what I got working was to give an array as the password which will cause the password_hash function to return false. This compared with a null string passed as the hash will actually equal true. + +curl target/login.php --data "password[]=&hash=" -- cgit v1.2.3