csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
19 July 2020

Warm Up

by INXS_JOY

If you know, you know; otherwise you might waste a lot of time.

http://chall.csivit.com:30272

Solution

`<?php  
  
if (isset($_GET['hash'])) {  
if ($_GET['hash'] === "10932435112") {  
die('Not so easy mate.');  
}  
  
$hash = sha1($_GET['hash']);  
$target = sha1(10932435112);  
if($hash == $target) {  
include('flag.php');  
print $flag;  
} else {  
print "csictf{loser}";  
}  
} else {  
show_source(__FILE__);  
}  
  
?>`

This PHP code was provided when the above link is visited. PHP’s == is notoriously know for type juggling. You can learn more about the vulnerability here.

The baseline is that, == operator in PHP converts strings which look like a number to a number before comparing.

So, sha(10932435112) gives 0e07766915004133176347055865026311692244, which in integer terms is 0*10^07766915004133176347055865026311692244. We know that == converts anything which looks like integer, so 0^anthing is zero. Now this value is getting compared to the $hash variable which is the sha1($hash which we send).

So we need to find a string whose sha1() produces a hash starting with 0e`

I just googled “sha1 hash starting with 0e”. I used this link, and took the first string aaroZmOk. Sending this data, we get the flag. http://chall.csivit.com:30272/?hash=aaroZmOk

Flag

csictf{typ3_juggl1ng_1n_php}
tags: Web