T-Jungle

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 100

Description

Try to bypass my conditions ;)

Solution

Let's start. After you open the target you see a block of code, and your mission is to bypass it and get the flag, right?

First I'll explain this block of code and how it works. Let's break it down.

<?php
highlight_file(__FILE__); # Displays the source code of the current PHP script in the browser

include 'flag.php'; # Includes another PHP file called flag.php

if (isset($_GET['passwd'])) { # Checks whether a GET parameter passwd is provided in the URL

    # Hashes the provided password with MD5 and compares it, using ==, with a hardcoded hash
    if (hash("md5", $_GET['passwd']) == '0e514198421367523082276382979135') {
        # If the comparison succeeds, print ACCESS GRANTED : value (flag)
        echo '<html><head><link href="style.css" rel="stylesheet"></head><body>
        <div class="flash" style="text-align:center;margin-top:10%">ACCESS GRANTED : '.$flag.'</div></body></html>';
    } else {
        # If the comparison fails, print ACCESS DENIED
        echo '<html><head><link href="style.css" rel="stylesheet"></head><body>
        <div class="flash" style="text-align:center; margin-top:10%">ACCESS DENIED</div></body></html>';
    }
}

Now you know what this block of code does, and it is vulnerable to PHP type juggling. What is PHP type juggling? When two numeric-looking strings (like 0e...) are compared with ==, PHP treats them as numbers. If a password hashes to a value like 0e123456... (0e followed only by digits), PHP interprets it as 0 * 10^123456 = 0. The hardcoded hash has the same form and is also read as 0, so any password whose MD5 hash looks like 0e... will bypass authentication.

All of this happens because the code uses (==) where it should use (===). To bypass this page without knowing the password, we supply a password whose hash starts with 0e, like 240610708 or QNKCDZO. We know from above that there is a GET parameter called passwd, so in the URL field we type, for example, (example.com/?passwd=value). For our case:

target/?passwd=240610708 # its hash starts with 0e
or
target/?passwd=QNKCDZO # its hash starts with 0e

Now submit it and get the flag.
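
The fix mentioned above, as an added example that is not part of the challenge's code: the loose == check beside a strict comparison, run over the two values from this write-up and a constructed control input. The function names and the is_magic_hash audit helper are assumptions made for illustration.

```php
<?php
// Added example, not the challenge's own code.

const STORED = '0e514198421367523082276382979135'; // hash from the challenge source

// Vulnerable: == compares two numeric strings as numbers, so every
// "0e<digits>" digest equals every other one (both evaluate to 0.0).
function check_loose(string $passwd): bool
{
    return hash('md5', $passwd) == STORED;
}

// Hardened: hash_equals() compares the strings byte for byte, in constant
// time, with no numeric conversion. (=== also removes the juggling.)
function check_strict(string $passwd): bool
{
    return hash_equals(STORED, hash('md5', $passwd));
}

// Audit helper (hypothetical name): flags digests that a loose comparison
// would read as scientific notation for zero.
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0+e\d+\z/i', $digest) === 1;
}

// Constructed inputs: the two values from the write-up plus a control.
foreach (['240610708', 'QNKCDZO', 'letmein'] as $candidate) {
    $digest = hash('md5', $candidate);
    printf(
        "%-10s md5=%s magic=%s loose=%s strict=%s\n",
        $candidate,
        $digest,
        var_export(is_magic_hash($digest), true),
        var_export(check_loose($candidate), true),
        var_export(check_strict($candidate), true)
    );
}

// Stored digests of this shape are the ones worth finding in an audit.
printf("stored hash magic=%s\n", var_export(is_magic_hash(STORED), true));
```

Comparing the loose and strict columns shows which inputs are accepted only because of the numeric conversion.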
