Writeups

View on GitHub

Circus

Category : Web

TLDR; git repository leak, and PHP Type Juggling (magic hash)

Used Git Dumper to leak the repository.

In the .gitignore, we see

backup.sh
backups

So, went to https://circus.tjctf.org/backup.sh

Found :

#!/bin/bash

mysqldump -u root -h mysql -p circus users > ./backups/users.sql

Figured, we can access the DB file from here. So, went to https://circus.tjctf.org/backups/users.sql

And we can!.

Got the users db with 1000 users and password hashes.

Found index.php,

<?php 
	require __DIR__ . "/../include/flag.php";

	session_start();
	$error = "";
	mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
	if (isset($_POST["username"]) && isset($_POST["password"]))
	{
		try
		{
			$mysqli = new mysqli(NULL, NULL, NULL, "circus");
			$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ?");
			$stmt->bind_param("s", $_POST["username"]);
			$stmt->execute();
			$res = $stmt->get_result();
			if ($res->num_rows === 0)
			{
				$error = "Invalid credentials";
			}
			else
			{
				$row = $res->fetch_assoc();
				if (hash('sha256', $_POST["password"]) == $row["password"])
				{
					$_SESSION["id"] = $row["id"];
					$_SESSION["name"] = $row["fname"];
				}
			}
		}
		catch (Exception $e)
		{
			$error = "Error signing in";
		}
	}
?>

We find a weak compairson between the hash and the password!

Time for using a magic hash (type juggling).

In users.sql, we find a the username with the hash that matches the regex : ^0e\d+$

We find the entry :

(773,'Andon1956','0e75759761935916943951971647195794671357976597614357959761597165','Rosie','Kelly')

We login with the username Andon1956 and a magic hash keyword