NDH 2015 Weshgrow Writeup
Point = 300
Category = Crypto
By openning the url we redirected to following link:
http://weshgrow.challs.nuitduhack.com/?hmac=ca8473d35a80a5ca4e9f3555c2869f71
As we know HMAC is a cryptographic message for authenticating using a secret key. So this has been made of something.
Also we could find another HMAC in the page source as you can see:
http://weshgrow.challs.nuitduhack.com/admin?hmac=fac0887096a54ac497d968daf4c4fe0b
if you open the /flag address without the purposed HMAC you see redirection to address+"#missinghmac"
.
So this could be HMAC of pages and we should prepare a HMAC for flag
.
By going further into login page, we noticed after submiting the form, HMAC of the password sent to the page not the password itself. it used BHE class in bhe.js
as mentioned “Best Hash Ever”.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
|
The Hash like md5 has four state variables and multiple rounds which in each round based on previous values and variables, formulas generate a new state variables and change them. Also it has four initialize state value as default.
In this Algorithm each round is for every character of inputs which at the end output produced by hex and concatenation of final state variable.
But there are some flaw in the algorithm such as not using length of input and …
This means if we know the state variable value for some string s
, we can continue the rounds and produce the output of s+x
for any x
. this attack mentioned as hash length extension attack
.
It’s obvious that we can obtain state variable’ value from HASH(s). The reader should notice that in the bhe.js
Big Endian byte order has been used.
So we have:
1
|
|
based on what discussed earlier and some knowledge about HMAC our scenario is:
1
|
|
which page name will be used as message
. As you saw we have valid HMAC for empty(NULL) page name, so:
1 2 3 |
|
In order to obtain the proper HMAC i wrote a python script but it can be done by changing default value in js too.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
|
by executing the script we have the following HMAC:
1 2 |
|
by opening the following url we have the flag:
/flag?hmac=3f6933240ae234edddc27544d949238c
FLAG ? FLAG ! Can_I_haz_s3cureD_hm4c_plz?
PS: There is a solution as PDF file for Persian
Users too which can be obtained from here.
by f02