Last week, I participated in LASACTF, a national high school CTF competition. Unfortunately, the competition ended half a week earlier than it should have because a hacker released the flags for all the problems. I was on team Second Semester Seniors, and we placed first.
Since I’ll inevitably be doing more CTFs in the future, I figured that I should put problem writeups on my blog. So, here goes. I chose to cover this problem because I thought it was a nice little web exploitation problem, and web exploitation is one of my few strong suits.
Category: Web Exploitation
Description: Make an Espresso.
Looking at the source code of the page, it was evident that the SHA-1 authentication hash is calculated by appending ‘/brew.php?type=[type]’ to the 15-character password. Since the hash covered the full path instead of just the type parameter, it implied to us that we could use a URL that wasn’t in the simple ‘?type=[type]&auth=[hash]’ format as long as the hash was valid. Noting that brew.php is a PHP script, and that when a PHP script is provided multiple GET parameters with the same key it accepts the last one (‘/brew.php?type=latte&type=espresso’ simply sets the parameter type to espresso, which is our goal), it became evident that a hash length extension attack was the way to go. Explaining the technical details behind the attack is beyond the scope of this writeup, but since the length of the secret key was provided (15), we were given the appended data (‘/brew.php?type=latte’), and all we needed was a SHA-1 hash for the same string with additional data appended, the conditions perfectly matched what is needed for the attack. There are a few different programs out there that can execute hash length extension attacks, but I have never had any problems with HashPump, so I used it to calculate the new hash for the string with ‘&type=espresso’ appended, and percent-encoded the new padded string (padded mostly with ‘\x00’ bytes, which were subsequently replaced with ‘%00’) to make it web-friendly. Using that new ‘/brew.php?type=latte[padding]&type=espresso’ URL, I appended ‘&auth=[my generated hash]’, and voilà! An espresso was made.
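To make the reasoning above concrete, here is an added Python example of my own (not the challenge's source and not HashPump) that implements SHA-1 with a settable internal state, forges a token for a sha1(secret || path) scheme of the kind described, and then shows that an HMAC-based check rejects the same forgery. The 15-byte secret, the latte/espresso path, and the percent-encoding step are constructed assumptions that mirror the writeup; they are not values from the real challenge.

```python
import hashlib
import hmac
import struct
from urllib.parse import quote

# Standard SHA-1 initial state (FIPS 180-4).
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_padding(message_len):
    """Padding SHA-1 appends to a message of message_len bytes: 0x80, zeros, 64-bit bit length."""
    pad = b"\x80" + b"\x00" * ((56 - (message_len + 1) % 64) % 64)
    return pad + struct.pack(">Q", message_len * 8)


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[i]) & MASK32
        e, d, c, b, a = d, c, _rotl(b, 30), a, temp
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_from_state(state, data, total_len):
    """Continue SHA-1 from an internal state; total_len counts every byte the
    hash has seen (already-absorbed bytes plus len(data)) so the final
    padding encodes the right length. With state=SHA1_IV this is plain SHA-1."""
    buf = data + sha1_padding(total_len)
    for off in range(0, len(buf), 64):
        state = sha1_compress(state, buf[off:off + 64])
    return b"".join(struct.pack(">I", s) for s in state).hex()


def length_extend(known_digest_hex, secret_len, known_msg, appended):
    """Given sha1(secret || known_msg), len(secret) and known_msg, return
    (forged_msg, forged_digest) such that sha1(secret || forged_msg) == forged_digest.
    The attacker never learns the secret; the digest *is* the internal state."""
    state = struct.unpack(">5I", bytes.fromhex(known_digest_hex))
    glue = sha1_padding(secret_len + len(known_msg))   # the "padding" in the URL
    forged_msg = known_msg + glue + appended
    forged_digest = sha1_from_state(state, appended, secret_len + len(forged_msg))
    return forged_msg, forged_digest


# --- server-side checks (constructed models of the two designs) ---
def vulnerable_auth_ok(secret, path, auth):
    """The challenge's style of check: sha1(secret || path). Extendable."""
    return hmac.compare_digest(hashlib.sha1(secret + path).hexdigest(), auth)


def hmac_auth_ok(secret, path, auth):
    """Hardened check: HMAC-SHA1 is not vulnerable to length extension."""
    return hmac.compare_digest(hmac.new(secret, path, hashlib.sha1).hexdigest(), auth)


def demo(secret=b"constructed15by"):
    """Walk through the forgery and report what each server design accepts."""
    assert len(secret) == 15, "the writeup's scheme uses a 15-character password"
    path = b"/brew.php?type=latte"
    legit = hashlib.sha1(secret + path).hexdigest()           # token the site hands out
    forged_msg, forged_digest = length_extend(legit, 15, path, b"&type=espresso")
    # \x80 and \x00 glue bytes become %80 / %00 so the URL is web-friendly.
    forged_url = quote(forged_msg, safe="/?=&")
    return {
        "forged_url": forged_url,
        "forged_auth": forged_digest,
        "vulnerable_accepts_forgery": vulnerable_auth_ok(secret, forged_msg, forged_digest),
        "hmac_accepts_forgery": hmac_auth_ok(secret, forged_msg, forged_digest),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because PHP keeps the last duplicate GET parameter, the forged URL still carries type=latte first, the glue bytes, and then type=espresso, and the vulnerable check accepts it. The HMAC variant rejects it because the secret is mixed into both an inner and an outer hash, so the visible digest is no longer a resumable internal state.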
The source code for the problem is available here.