Warm Up
by INXS_JOY
If you know, you know; otherwise you might waste a lot of time.
Solution
`<?php
if (isset($_GET['hash'])) {
if ($_GET['hash'] === "10932435112") {
die('Not so easy mate.');
}
$hash = sha1($_GET['hash']);
$target = sha1(10932435112);
if($hash == $target) {
include('flag.php');
print $flag;
} else {
print "csictf{loser}";
}
} else {
show_source(__FILE__);
}
?>`
This PHP code was provided when the above link is visited. PHP’s == is notoriously know for type juggling. You can learn more about the vulnerability here.
The baseline is that, == operator in PHP converts strings which look like a number to a number before comparing.
So, sha(10932435112) gives 0e07766915004133176347055865026311692244
, which in integer terms is 0*10^07766915004133176347055865026311692244. We know that == converts anything which looks like integer, so 0^anthing is zero. Now this value is getting compared to the $hash variable which is the sha1($hash which we send).
So we need to find a string whose sha1() produces a hash starting with 0e`
I just googled “sha1 hash starting with 0e”. I used this link, and took the first string aaroZmOk
. Sending this data, we get the flag.
http://chall.csivit.com:30272/?hash=aaroZmOk
Flag
csictf{typ3_juggl1ng_1n_php}