IceCTF - 50 - Flag Storage - Web

Informations

Version

By Version Comment
noraj 1.0 Creation

CTF

Description

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Solution

  1. Look at the source code:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    <script>
    $(function(){
    var updatePassword = function(e){
    // hash client side for better security, never leak the pw over the wire
    var sha = new jsSHA("SHA-256", "TEXT");
    sha.update($(this).val());
    $("#password").val(sha.getHash("HEX"));
    };
    $("#password_plain").on("change", updatePassword);
    $("#form").on("submit", updatePassword);
    });
    </script>

  2. Script will send our password hashed on the network instead of plain text.

  3. Login with random credentials.

  4. Open your browser network analyser and see the POST params: username and password_plain that you filled + password containing e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.

  5. e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA256 hash of the null string according to this or if you try with https://crackstation.net/.

  6. Description of the challenge tell us it's an SQLi so may be we need to inject username and let password_plain null so our hashed password will correspond to the hash we found.

  7. Try a classic username: ' OR 1=1 # and null password instead of random password.

  8. We get the flag: IceCTF{why_would_you_even_do_anything_client_side}.

Share