You are simply asked to find the flag.

Exploit

In the HTML we have the following message:

For the admins: if you can validate the changes I made in the page "check_secret.php", the code is available in the file "check_secret.txt"

It's a message to the administrators: some modifications were made to check_secret.php. Let's check this page:

<?php
	session_start();
	$_SESSION['dungeon_master'] = 0;
?>
<html>
<head>
	<title>Enter The Dungeon</title>
</head>
<body style="background-color:#3CB371;">
<center><h1>Enter The Dungeon</h1></center>
<?php
	echo '<div style="font-size:85%;color:purple">For security reason, secret check is disable !</div><br />';
	echo '<pre>'.chr(10);
	include('./ecsc.txt');
	echo chr(10).'</pre>';

	// authentication is replaced by an impossible test
	//if(md5($_GET['secret']) == "a5de2c87ba651432365a5efd928ee8f2")
	if(md5($_GET['secret']) == $_GET['secret'])
	{
		$_SESSION['dungeon_master'] = 1;
		echo "Secret is correct, welcome Master ! You can now enter the dungeon";

	}
	else
	{
		echo "Wrong secret !";
	}
?>
</body></html>

So we have an "impossible" test: to bypass it, we would have to find a string that is equal to its own MD5 hash.

But there's something quite interesting in the check: it uses "==" and not "===".

In PHP, the "==" operator checks whether the values are equal after casting them to a common type; "===" also compares their types, so no casting takes place.

Here’s an example to understand that:

magnussen@funcMyLife:~/Enterthedungeon$ php -a
php > var_dump(1 == "1");
bool(true)
php > var_dump(1 === "1");
bool(false)

This attack is known as type juggling: we'll exploit the fact that PHP casts our input before comparing it in order to bypass the check.

If we compare an integer with a string that starts with 0e followed by digits, PHP treats the string as a number written in scientific notation and performs a numeric comparison; since 0 times any power of ten is 0, the value of the string is 0.

Let’s see that with an example:

magnussen@funcMyLife:~/Enterthedungeon$ php -a
php >  var_dump("0e11" == 0);
bool(true)

So we have to find a string that starts with 0e and whose MD5 hash also starts with 0e (followed only by digits); these are called magic hashes. We can find some examples here.

So the string 0e1137126905 gives the MD5 hash 0e291659922323405260514745084877. PHP converts both values to numbers, and both are equal to 0.
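To make the comparison behaviour concrete, here is an added example (not the challenge's code) that places the vulnerable check from check_secret.php next to two hardened versions and runs all three against the magic hash from this write-up. The function names, the is_magic_hash() audit helper and the printed labels are my own.

```php
<?php
// Added example, not part of the challenge or the write-up.
// Run with: php magic_hash_demo.php

// A numeric string of the form 0e<digits> is parsed by PHP as 0 * 10^n, i.e. 0.
// When both operands of == are numeric strings, PHP compares them as numbers,
// so two different "0e..." strings are considered equal.
function vulnerable_check(string $secret): bool {
    // Same logic as the challenge: md5($_GET['secret']) == $_GET['secret']
    return md5($secret) == $secret;
}

function strict_check(string $secret): bool {
    // === compares type and content; no numeric coercion takes place
    return md5($secret) === $secret;
}

function safe_check(string $secret): bool {
    // hash_equals() compares byte by byte in constant time and never
    // coerces its arguments; use it whenever comparing hashes or tokens
    return hash_equals(md5($secret), $secret);
}

// Audit helper (hypothetical name): does a hex digest look like a magic hash,
// i.e. would a loose comparison coerce it to 0?
function is_magic_hash(string $hex): bool {
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

$secret = '0e1137126905';          // magic hash input from the write-up
$digest = md5($secret);            // 0e291659922323405260514745084877

printf("md5(%s) = %s\n", $secret, $digest);
printf("magic hash?      %s\n", is_magic_hash($digest) ? 'yes' : 'no');
printf("== (vulnerable): %s\n", vulnerable_check($secret) ? 'bypassed' : 'rejected');
printf("=== (strict):    %s\n", strict_check($secret) ? 'bypassed' : 'rejected');
printf("hash_equals():   %s\n", safe_check($secret) ? 'bypassed' : 'rejected');
```

Only the "==" version accepts the magic hash; "===" and hash_equals() both reject it because "0e1137126905" and "0e291659922323405260514745084877" are different byte strings. Note that the fix for the real check is not just the operator: comparing md5($_GET['secret']) against a stored digest should use hash_equals(), and a secret used for authentication belongs behind password_hash()/password_verify() rather than a bare MD5.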

Let’s try it!

[Screenshot: Magic Hash Flag]

Yeah! We have our flag!

This was a nice challenge, not very difficult but fun to do!

Thanks to the FCSC team, this was an awesome CTF, I've learned a lot and had a lot of fun. Congratulations on the organization, see you next year!