CTF Challenge by SayCure solution
CTF Solutions Hacking and Infosec Write-ups

CTF Challenge Solution Organized by SayCure

Hi there, again I am here to present the solution to another recently organized CTF Challenge. This challenge was also organized by SayCure org. Hope you find it helpful for future CTF encounters. So let’s get started.

Introduction to CTF Challenge:

To know about “what is CTF”, who are SayCure or want to know about my last write up, please visit this page.

Getting Started:

This CTF Challenge was in the Second round of Challenges. Like before I still didn’t know a lot about CTFs. But still, I got a little idea by searching through Google for the solution of challenges. The Challenge I participated this time, sent me to the old IP Address where I found the first flag but not to the main page, it was “md5.php”.

Screenshot of CTF
Screenshot of CTF

Understanding the CTF:

It’s easy to Understand the code given in the screenshot above even for a PHP beginner that what this code is doing and what it wants. But still, let me explain it.

The given PHP code is asking for a “GET” request from the user and encoding it to an md5 hash using PHP function md5(), then it compares this hash with “0e110983” if true echo the flag. Here, by looking into the condition of “if” statement it seems invalid. Obviously, how can a “32 digit” string equals to “8 digits” string.

Searching on the Internet, I found that it is a vulnerability in PHP “equals-equals (==) operator“. This has a particular implication for password hashes. Password hashes in PHP are base16 encoded and can come in the form of “0e812389…”. The problem is in == comparison the 0e means that if the following characters are all digits the whole string gets treated as a float. So what I did is picked the string of md5() hash string from the table in the last image and WEW it worked out.

Screenshot of Flag
Screenshot of Flag

the below list of hash types was pointed out five years ago by Gregor Kopf. Then two years ago by Tyler Borland and Raz0r. And again a year ago by Michal Spacek and Jos Wetzels but this technique is making more waves this past week.

Note: some lines and below images are picked out from White Hat Security website.

List of Magic Hashes

Ending:

Hope you liked the article, Follow me up for more upcoming articles about CTF challenges.

Ijaz Ur Rahim
Just a Newbie with some Random Penetrating and Programming Skills.
https://github.com/MrDebugger

Leave a Reply