Playing Hacks and Stuffs!
NeroHero
My intention was just to solve pwn, but I ended up solving all the web + pwn and a few others. We're given the URL to access.
Heading over to it shows a page talking about an API.
There's nothing in the page source.
So I headed over to ffuf to fuzz for directories.
We have a directory, /src.
Going there shows the API source code, which is written in PHP.
And here's what it does:
1. It checks whether the HTTP request method is POST.
2. If it is, it takes the sha1 hash of the value of the auth cookie and compares it with `0e666` using ==.
3. In the same POST request, it reads the value of a query parameter and passes it to unserialize().
4. If the method check fails, i.e. the request uses GET, it just echoes "this is an api....."
Looking at the source code, we see two security vulnerabilities:
1. Insecure deserialization (user input goes straight into unserialize())
2. A PHP "hash collision", which is really a loose-comparison (type juggling) bypass of the sha1 check
The hash check can be bypassed because it uses ==, PHP's loose comparison. When both operands are numeric strings, PHP compares them as numbers (this is still the case in PHP 8): `0e666` is 0 × 10^666 = 0, so any sha1 digest of the form `0e` followed only by decimal digits (a so-called magic hash) is also 0 and the comparison succeeds, even though the two strings are nothing alike. A strict comparison (=== or hash_equals()) would not be fooled.
And we know the deserialization is exploitable because the source defines __wakeup(), a magic method PHP calls automatically when an object of that class is unserialized, so whatever it does with the object's properties runs on attacker-controlled data.
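To make the loose-comparison point concrete, here is an added example (my own code, not from the writeup or the challenge) that emulates PHP's == on strings, recognises magic hashes, and picks a cookie value whose sha1 digest loosely equals `0e666`. The candidate strings are constructed for the demo; "aaroZmOk" is a well-known sha1 magic hash.

```python
import hashlib
import re

# PHP's definition of a "numeric string": optional surrounding whitespace,
# optional sign, decimal digits with optional fraction, optional exponent.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's `$a == $b` for two strings.

    If both operands are numeric strings PHP compares them as numbers
    (still true in PHP 8); otherwise it compares them byte for byte.
    """
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Emulate `$a === $b`: same type and same bytes, no numeric coercion."""
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """'0e' followed only by decimal digits is 0 * 10^n == 0 under loose
    comparison, so it == every other such digest, including "0e666"."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def find_magic_cookie(candidates, target="0e666"):
    """Return the first candidate whose sha1 digest loosely equals target."""
    for c in candidates:
        if php_loose_eq(sha1_hex(c), target):
            return c
    return None


# Constructed candidates: "password" hashes to 5baa61e4..., an ordinary
# digest; "aaroZmOk" is a well-known sha1 magic hash
# (sha1 = 0e66507019969427134894567494305185566735).
CANDIDATES = ["password", "aaroZmOk"]

if __name__ == "__main__":
    for c in CANDIDATES:
        d = sha1_hex(c)
        print(f"{c:10} {d}  loose=={php_loose_eq(d, '0e666')}  strict=={php_strict_eq(d, '0e666')}")
    print("usable auth cookie:", find_magic_cookie(CANDIDATES))
```

Swapping php_loose_eq for php_strict_eq in find_magic_cookie returns None for every candidate, which is exactly why the fix for this bug is === (or hash_equals()) rather than a different hash function.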
So to exploit the deserialization I first need to generate a payload that abuses __wakeup().
Here's my payload:
Running it generates the base64-encoded payload.
Now that we have the payload, we need to bypass the check that compares the sha1 of the auth cookie with `0e666`.
Checking JH's GitHub
I got some values to use (strings whose sha1 digest is `0e` followed only by digits).
So here's my final exploit to run arbitrary commands: Exploit
Running the script gives command execution.
Since the flag is in an environment variable, let's get it.
Flag: Flag{QIsRpGWpa_ZEsdXdLwLsv5D9xoYOfnQsJ9KSyYE6wDAvgFnK6-F4A62jriM3IUreQh2sEOd-DDJaDmnmER0tvJp8M9-Pm4ye6tI}