SIGINT CTF 2013 - notes Writeup
Another challenge from SIGINT CTF. The organizers gave us the source code of a little CMS where, after registering, you can create a message that only you and the admin can see. The aim was to log in as admin and read his secret (the flag). After logging in with my account I saw that three cookies had been created: login_time, login_token and login_name. login_time is as self-explanatory as login_name, but login_token isn't. This piece of the CMS source shows how it is generated:
```ruby
# Excerpt from the CMS source: the token is a plain SHA-256 of the stored
# password hash concatenated with a caller-supplied salt (the login time).
def login_token(salt)
  check_authorized
  password_data = Data.new(@user_dir + "password_hash")
  password_data.readlock do
    Digest::SHA256.hexdigest(password_data.read + salt)
  end
end
```
So login_token takes the login time as its seed. Inside login_token another variable is initialized, password_data. As you may have guessed, it is a file (source/data/users//password_hash) containing a string: $2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O
This one belongs to the admin user; concatenated with the salt (login_time) and SHA256'd it gives the login_token. So generating one that fits the admin is extremely easy. Just take the login_time from your cookies after logging in with your account and put it in this piece of code:
```ruby
#!/usr/bin/ruby
require "digest"

# admin's password hash, read from the password_hash file in the source tree
password_data = "$2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O"
# login_time taken from our own session cookie
salt = "1373119012"

login_token = Digest::SHA256.hexdigest(password_data + salt)
puts login_token
```
and it will give you the login_token. Now replace the old login_token cookie with it, set login_name to admin, and you'll be logged in as him.
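The root cause is that every input to the token (the password hash on disk and the login_time cookie) is available to the client, so there is nothing secret to forge around. As an added example that is not part of the writeup or the CMS, the Ruby below puts the weak construction next to an HMAC-based one keyed with a server-side secret; the server key, the binding of login_name into the token, and the constant-time comparison are my assumptions about how a fix would look.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Sample inputs: the admin password hash quoted in the writeup and a
# login_time value in the same format as the cookie (constructed).
PASSWORD_HASH = "$2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O"
LOGIN_TIME    = "1373119012"

# The CMS scheme: SHA256(password_hash + login_time). Both inputs are
# readable by the client, so the token can be recomputed by anyone.
def weak_login_token(password_hash, login_time)
  Digest::SHA256.hexdigest(password_hash + login_time)
end

# Hardened variant (assumption): an HMAC keyed with a secret that only the
# server holds, covering the user name so a token cannot be re-labelled.
def hmac_login_token(server_key, login_name, login_time)
  OpenSSL::HMAC.hexdigest("SHA256", server_key, "#{login_name}|#{login_time}")
end

# Constant-time equality so validation time does not leak how many leading
# bytes of a guessed token were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_hmac_token(server_key, login_name, login_time, presented)
  secure_equal?(hmac_login_token(server_key, login_name, login_time), presented)
end

if __FILE__ == $0
  key = SecureRandom.hex(32) # generated once at deploy time, never sent to clients
  puts "weak:  #{weak_login_token(PASSWORD_HASH, LOGIN_TIME)}"
  puts "hmac:  #{hmac_login_token(key, 'admin', LOGIN_TIME)}"
  puts "valid: #{verify_hmac_token(key, 'admin', LOGIN_TIME, hmac_login_token(key, 'admin', LOGIN_TIME))}"
end
```

The weak token is fully determined by data the client already has, while the HMAC token changes with the server key and with login_name, so neither the leaked hash nor a cookie from another account lets a client compute the admin's token.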