# HackIM CTF 2015: Web400 Nullcon Pass Shop

In this 400 points problem we were asked to buy a Nullcon pass for free.

by opening the web page we were presented with the following scenario

and by clicking the buy button the following form was submitted

to buy a a pass for free we had to tamper the msg parameter to have the price = 0, but we can’t directly modify the value because its integrity is checked against the checksum value.

If we look at the source code of the page we see the following comment:

and this reminded me to a really similar problem i solved for picoCTF.

This was definitely a length extension attack against the checksum value, which can be performed because we are provided with the length of the secret key, which is 19 characters.

using hashpump it was possible to create the appropriate tampered token and the corresponding checksum

token: Nullcon2015|corporate|10999%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%01p|0
checksum: a2319d6945201a4b9fd67f077248faff2b735297cca2ac10762af65b2c2dca48


submitting them to the web server resulted in the flag being correctly retrieved: