Points: 450

Tags: crypto 

Writeup author team: R3d Cr3sc3nt

icebooda – Feb. 15, 2017, 12:19 a.m.

The writeup isn't 100% accurate:
The bug that exists in the code is in line 8:
$hash = substr(`/home/ctf/vhash $filename`, 0, 256);
The vhash binary doesn't take a filename as input; it reads from STDIN - this is what was fixed in "VHash-Fixed". So, changing "guest" to "administrator" only worked because the vhash binary was only ever fed a null string - and the hash in the cookie was the value of a hash of no data.

An earlier check:
if(create_hmac($cookie) !== $hmac)
is what handles the actual authentication - the username doesn't matter until after the hmac check.

icebooda – Feb. 15, 2017, 12:21 a.m.

^ Sorry: referring to rawsec
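
The invocation bug described in the comment above, reproduced as an added example (not code from the challenge or from either writeup), with a regression check that would have caught it. It assumes a SHA-256 stand-in for the vhash binary, whose algorithm is not shown on this page; the function names and cookie bodies are constructed.

```python
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the vhash binary: it ignores argv and hashes STDIN only.
# SHA-256 is an assumption; the real vhash algorithm is not shown on the page.
STDIN_HASHER = [sys.executable, "-c",
                "import sys, hashlib;"
                "print(hashlib.sha256(sys.stdin.buffer.read()).hexdigest())"]
EMPTY_DIGEST = hashlib.sha256(b"").hexdigest()

def hash_buggy(path):
    """Mirrors `vhash $filename`: the path lands in argv, STDIN carries no data."""
    out = subprocess.run(STDIN_HASHER + [path], stdin=subprocess.DEVNULL,
                         capture_output=True, check=True)
    return out.stdout.decode().strip()

def hash_fixed(path):
    """Feeds the file contents on STDIN, which is what the hasher actually reads."""
    with open(path, "rb") as fh:
        out = subprocess.run(STDIN_HASHER, stdin=fh,
                             capture_output=True, check=True)
    return out.stdout.decode().strip()

def covers_input(hash_fn):
    """Regression check: distinct cookie bodies must give distinct digests,
    and neither digest may equal the digest of no data."""
    digests = []
    for body in (b"username=guest", b"username=administrator"):  # constructed
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(body)
        try:
            digests.append(hash_fn(tmp.name))
        finally:
            os.unlink(tmp.name)
    return digests[0] != digests[1] and EMPTY_DIGEST not in digests

if __name__ == "__main__":
    print("buggy call covers input:", covers_input(hash_buggy))
    print("fixed call covers input:", covers_input(hash_fixed))
```

A check like `covers_input` belongs next to any code that shells out to an external hashing or signing tool, since a constant digest otherwise passes every equality comparison silently.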