# WINJA CTF 2021 - CTF-Community

## MD20

We start the challenge with the following description:

```
Going nuclear with master password
Nuclear committee is suspicious about their codes getting leaked but 1o1 1o1 they forgot the master password to reset.
https://GK8nWTGHy4rQ8FrEGmCB.winjasmartcity.xyz
```

Ok, let's go to: https://GK8nWTGHy4rQ8FrEGmCB.winjasmartcity.xyz

The following description is provided as well as the link to the challenge:

```
Hello there ,Does hashing a nuclear code 10 times make it strong ? (I've heard so).
But the code is VERY Small in length.. I mean really V E R Y short in length.
```

So we understand that we need to crack a hash that has been applied 10 times to the "nuclear code", and that the plaintext code is VERY short.

Let's check the challenge: https://gk8nwtghy4rq8fregmcb.winjasmartcity.xyz/challenge.php

We get the following PHP challenge, which includes an MD5 hashing function:

```php
<?php
error_reporting(1);
if(strpos($_SERVER['REQUEST_URI'],"_") !== false || strpos($_SERVER['REQUEST_URI'],"%") !== false) die("Noupp!! Forbidden");

function check(){
    if(md5($GLOBALS['input'])=="2eb18a9aec0ad526b0e880a30ef952f4") {
        $flag=file_get_contents("flag.txt");
        echo($flag);
    } else {
        echo("Wrong! <br>");
    }
}

if(isset($_GET["_"])) {
    $input = $_GET['_'];
    check();
}
highlight_file(__FILE__);
?>
```

Ok, here is the PHP paradox: it is forbidden to use '_' and '%'

```php
if(strpos($_SERVER['REQUEST_URI'],"_") !== false || strpos($_SERVER['REQUEST_URI'],"%") !== false) die("Noupp!! Forbidden");
```

whereas we need to use the '_' symbol due to

```php
if(isset($_GET["_"])) {
    $input = $_GET['_'];
    check();
}
```

Then, the next step is to crack the md5 hash:

```php
function check(){
    if(md5($GLOBALS['input'])=="2eb18a9aec0ad526b0e880a30ef952f4") {
        $flag=file_get_contents("flag.txt");
        echo($flag);
    }
```

### PHP Paradox

A quick search on Google indicates:

---

http://nl1.php.net/manual/en/language.variables.external.php#language.variables.external.dot-in-names

Typically, PHP does not alter the names of variables when they are passed into a script. However, it should be noted that the dot (period, full stop) is not a valid character in a PHP variable name. For the reason, look at it:

```php
<?php
$varname.ext;  /* invalid variable name */
?>
```

Now, what the parser sees is a variable named $varname, followed by the string concatenation operator, followed by the barestring (i.e. unquoted string which doesn't match any known key or reserved words) 'ext'. Obviously, this doesn't have the intended result.
**For this reason, it is important to note that PHP will automatically replace any dots in incoming variable names with underscores.**

---

Ok, so the URL parameter shall be https://gk8nwtghy4rq8fregmcb.winjasmartcity.xyz/challenge.php?.=step_2_crack_md5_hash

### MD5 Cracking

Based on the description, the following code does the job:

```python
import hashlib
import string
from pwnlib.util.iters import bruteforce  # pwntools helper: tries every string over the alphabet up to the given length


def md_n(pt, target, n, show=0):
    # Hash pt n times, re-hashing the hex digest each round; return True if the last digest is the target
    for i in range(n):
        pt = hashlib.md5(pt.encode()).hexdigest()
        if show == 1:
            print(pt)
    return pt == target


n = 10
target = "2eb18a9aec0ad526b0e880a30ef952f4"
code = bruteforce(lambda x: md_n(x, target, n), string.ascii_letters, 5)
print("=========")
print("Code : " + code)
print("=========")
md_n(code, "", 10, 1)  # print the full chain of 10 digests for the recovered code
```

The output is:

```
=========
Code : t
=========
e358efa489f58062f10dd7316b65649e
b5d2099e49bdb07b8176dff5e23b3c14
0cd1aaae2fd9b84918ff731d313c6e4c
95405cd7663ad16b4bc9a8ef0981474d
c86dc9138c4e24804c667205b91511e1
0d9b9b1022ff0935141d50b87a00326a
f6ee6c1b4df51af0e6a48e0096f5dafa
ce18f5053b09e2b5dd27869059789de4
e6dbdd9d770af334d8aebe102b1fc035
2eb18a9aec0ad526b0e880a30ef952f4
```

So we have **md5("e6dbdd9d770af334d8aebe102b1fc035") == "2eb18a9aec0ad526b0e880a30ef952f4"**: the ninth digest in the chain hashes to the tenth, which is the value check() compares against.

Exactly what we need for the challenge, let's check: https://gk8nwtghy4rq8fregmcb.winjasmartcity.xyz/challenge.php?.=e6dbdd9d770af334d8aebe102b1fc035

Gives the flag: **flag{md20_acc3ss_c0ntr0l_is_3veryth1ng}**

## Crucial First Aid

Description

---

I wanted to send this file to Clinical Staff but I did not want anyone else to see what's inside it, so I protected it with a pin.

https://ygaD7crHj7NnTh6uxNs8.winjasmartcity.xyz/imp_patient_data.zip

---

So we download the challenge's file. With a home-made Python script, we found the pin code to be **2611**

Basically, the strings command and grep:

```sh
strings patient_imp_data1.png | grep "flag"
```

**flag{crucialfirstaid_you1_f0und_Me}**

That's all folks - Electro
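The two steps of the MD20 solve above (the dot-to-underscore mangling that defeats the raw-URI blocklist, and the exhaustive search for a short code hashed 10 times) put together as one added Python example. This is not the author's script and not PHP source: `php_mangle_name`, `php_get`, `raw_uri_filter_blocks`, `challenge_reaches_check`, `decoded_name_filter_blocks`, `md5_chain`, `crack_iterated_md5`, `value_to_submit` and `search_space` are names chosen here, and the PHP model is a simplified one (dot and space become underscore before any `[`; array-bracket handling is not reproduced). The only page value used is the target hash from the challenge source.

```python
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# ---- Step 1: the "PHP paradox" (parameter-name mangling vs. a raw-URI blocklist) ----

def php_mangle_name(name: str) -> str:
    """Simplified model (assumption, not PHP source) of how PHP rewrites incoming variable
    names: leading spaces are dropped and '.' / ' ' become '_' in the part of the name
    before any '[' (array syntax is left untouched here)."""
    name = name.lstrip(" ")
    head, bracket, tail = name.partition("[")
    return head.replace(".", "_").replace(" ", "_") + bracket + tail


def php_get(query: str) -> Dict[str, str]:
    """Build a $_GET-like dict from a query string (parse_qsl percent-decodes and maps '+' to space)."""
    return {php_mangle_name(k): v for k, v in parse_qsl(query, keep_blank_values=True)}


def raw_uri_filter_blocks(request_uri: str) -> bool:
    """The challenge's check, transcribed: reject if the raw REQUEST_URI contains '_' or '%'."""
    return "_" in request_uri or "%" in request_uri


def challenge_reaches_check(request_uri: str) -> bool:
    """True when the request survives the raw-URI filter AND PHP ends up with $_GET['_'] set."""
    if raw_uri_filter_blocks(request_uri):
        return False
    return "_" in php_get(request_uri.partition("?")[2])


def decoded_name_filter_blocks(request_uri: str) -> bool:
    """Defensive variant: decide on the decoded, mangled parameter names instead of the raw URI,
    so '?.=' and '?_=' are treated the same way."""
    return "_" in php_get(request_uri.partition("?")[2])


# ---- Step 2: cracking a very short code that was hashed 10 times ----

def md5_chain(plaintext: str, rounds: int) -> List[str]:
    """Hex digests produced by hashing `plaintext` `rounds` times, each round hashing the previous hex string."""
    chain, cur = [], plaintext
    for _ in range(rounds):
        cur = hashlib.md5(cur.encode()).hexdigest()
        chain.append(cur)
    return chain


def crack_iterated_md5(target: str, alphabet: str, max_len: int,
                       rounds: int) -> Tuple[Optional[str], int, Optional[List[str]]]:
    """Exhaustive search, shortest candidates first. Returns (code, attempts, chain)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(tup)
            chain = md5_chain(candidate, rounds)
            if chain[-1] == target:
                return candidate, attempts, chain
    return None, attempts, None


def value_to_submit(chain: List[str]) -> str:
    """check() hashes the submitted value once, so the (rounds-1)th digest is what to send."""
    return chain[-2]


def search_space(alphabet_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len: iterating the hash 10 times makes each try 10x slower
    but does nothing to enlarge this number, which is why a one-letter code falls instantly."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    TARGET = "2eb18a9aec0ad526b0e880a30ef952f4"  # hash from the challenge source
    LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    code, tries, chain = crack_iterated_md5(TARGET, LETTERS, 3, 10)
    if code is not None:
        url = "/challenge.php?.=" + value_to_submit(chain)
        print("code:", code, "found after", tries, "candidates")
        print(url, "reaches check():", challenge_reaches_check(url))
    print("letters up to length 5 =", search_space(52, 5), "candidates")
```

`decoded_name_filter_blocks` is the takeaway for the defender: a blocklist applied to the raw request line and a check applied to the parsed parameter names disagree exactly on inputs like `?.=`, so the decision has to be made on the same representation the application will later use.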
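For the Crucial First Aid part, the `strings | grep` step and the numeric PIN search the writeup only mentions, as an added Python example rather than the author's home-made script. `printable_strings`, `find_flags` and `find_zip_pin` are names chosen here; `SAMPLE_IMAGE` is a constructed byte blob with a placeholder flag (not the challenge's `patient_imp_data1.png`), and `find_zip_pin` assumes a ZipCrypto-protected archive at a path you supply.

```python
import re
import zipfile
import zlib
from typing import Iterator, List, Optional


def printable_strings(data: bytes, min_len: int = 4) -> Iterator[str]:
    """What the `strings` command does: yield runs of at least min_len printable ASCII bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def find_flags(data: bytes, pattern: str = r"flag\{[^}]*\}") -> List[str]:
    """The `| grep "flag"` step, tightened to flag-shaped tokens."""
    rx = re.compile(pattern)
    return [hit.group() for s in printable_strings(data) for hit in rx.finditer(s)]


def find_zip_pin(path: str, digits: int = 4) -> Optional[str]:
    """Try every zero-padded numeric PIN against the first file entry of a ZipCrypto-protected
    archive: a 4-digit PIN is only 10**4 candidates, which is why it offers no real protection.
    The entry is read in full because ZipCrypto's 1-byte password check lets roughly 1 in 256
    wrong PINs through; those fail later with a CRC or zlib error."""
    with zipfile.ZipFile(path) as zf:
        entries = [i.filename for i in zf.infolist() if not i.is_dir()]
        if not entries:
            return None
        for n in range(10 ** digits):
            pin = f"{n:0{digits}d}".encode()
            try:
                with zf.open(entries[0], pwd=pin) as fh:
                    fh.read()
                return pin.decode()
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


# Constructed sample: PNG-like header and trailer bytes around a placeholder flag
# (this is not the challenge's image).
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(256))
    + b"tEXt\x00flag{example_placeholder}\x00\x00\x00\x00IEND\xaeB`\x82"
)

if __name__ == "__main__":
    print(find_flags(SAMPLE_IMAGE))  # ['flag{example_placeholder}']
```

The flag here sits in a tEXt-style chunk as plain bytes, which is the general lesson of this challenge: a PIN on the zip and an image container around the data change nothing about a secret that is stored unencrypted inside the file.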