IceCTF - 50 - Flag Storage - Web

Informations

Version

By Version Comment
noraj 1.0 Creation

CTF

Description

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Solution

  1. Look at the source code:
1
2
3
4
5
6
7
8
9
10
11
12
<script>
$(function(){
var updatePassword = function(e){
// hash client side for better security, never leak the pw over the wire
var sha = new jsSHA("SHA-256", "TEXT");
sha.update($(this).val());
$("#password").val(sha.getHash("HEX"));
};
$("#password_plain").on("change", updatePassword);
$("#form").on("submit", updatePassword);
});
</script>
  1. Script will send our password hashed on the network instead of plain text.
  2. Login with random credentials.
  3. Open your browser network analyser and see the POST params: username and password_plain that you filled + password containing e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
  4. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA256 hash of the null string according to this or if you try with https://crackstation.net/.
  5. Description of the challenge tell us it's an SQLi so may be we need to inject username and let password_plain null so our hashed password will correspond to the hash we found.
  6. Try a classic username: ' OR 1=1 # and null password instead of random password.
  7. We get the flag: IceCTF{why_would_you_even_do_anything_client_side}.
Share