The Swappage Playground

Because in the end, what does matter is having fun.

HackIM CTF 2015: Web400 Nullcon Pass Shop

In this 400 points problem we were asked to buy a Nullcon pass for free.

by opening the web page we were presented with the following scenario

and by clicking the buy button the following form was submitted

1
2
3
4
5
6
     <form action=checkout.php method=POST>
     <input type=hidden name=msg value="Nullcon2015%7Ccorporate%7C10999"><br>
     <input type=hidden name=checksum value="568fe78b29ac377a58ae1fbf02b4d1a158e605b3897916227e4b3ecfc78973db"><br>

	<input type=submit value=Buy>
 </form>

to buy a a pass for free we had to tamper the msg parameter to have the price = 0, but we can’t directly modify the value because its integrity is checked against the checksum value.

If we look at the source code of the page we see the following comment:

1
2
3
4
5
6
7
8
9
10
   <!-- 
        
        
    if( $checksum === hash("sha256",$secretkey . $msg))   // secretkey is XXXXXXXXXXXXXXXXXXX    :-P
    {
      // Success; :)
    }
   
  ?> 
   -->

and this reminded me to a really similar problem i solved for picoCTF.

This was definitely a length extension attack against the checksum value, which can be performed because we are provided with the length of the secret key, which is 19 characters.

using hashpump it was possible to create the appropriate tampered token and the corresponding checksum

token: Nullcon2015|corporate|10999%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01p|0
checksum: a2319d6945201a4b9fd67f077248faff2b735297cca2ac10762af65b2c2dca48

submitting them to the web server resulted in the flag being correctly retrieved:

1
2
3
4
5
6
7
8
9
10
11
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 21:08:38 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Vary: Accept-Encoding
Content-Length: 114
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<h1> Checkout </h1>Congratualtion You bought Nullcon Pass in ZERO rupee. See you at Nullcon!Flag is fl@g_*2o15}

Comments