# Mapl Story

Mapl Story was part of the MeePwnCTF Quals 2018 and consists of a webpage where you can name a
"character" and train a pet a command. You get the code but the config is censored.

## Have a look around

First off, let's create an account, e.g. [email protected]/foobar123, and set any name; we'll change that later.

Sign in and have a look at your cookies; you'll see your PHPSESSID and a _role.
_role is generated as either sha256("admin".$salt) or (in this case) sha256("user".$salt).
We need the salt to continue.

Have a look around the few pages on the site. The game page is completely irrelevant, just a gimmick.

## File inclusion vulnerability

There is a file inclusion vulnerability in index.php; have a look at e.g. /index.php?page=/etc/group.
Unfortunately it uses a GET variable which is heavily escaped, so for now there isn't much we can
do with this bug directly.

## Let's get salty

Let's have a look at /index.php?page=/var/lib/php/sessions/sess_PHPSESSID (replace PHPSESSID with your own session id).

You'll see a variable called character_name.

character_name is AES-128-ECB encrypted data produced by openssl_encrypt($data.$salt, "AES-128-ECB", $key). Since AES-128-ECB works on independent 16-byte blocks and we control the start of the string (it's the character name you can update on your settings page!), we can attack it by brute-forcing the salt byte by byte. We start off by setting a character name like AAAAAAAAAAAAAAA (15x'A') and look at the first 32 characters of the hash in the session file; now we try printable characters at the 16th position, and we'll find a hash match at AAAAAAAAAAAAAAAm, so we know the salt starts with m. Next we do the same thing with AAAAAAAAAAAAAA (14x'A'), get the hash, and try characters again; the next match will be AAAAAAAAAAAAAAms. We continue like this until we finally get the salt: ms_g00d_0ld_g4m3.

## Becoming admin

Becoming admin now is as simple as writing the result of sha256("admin"."ms_g00d_0ld_g4m3") into our _role cookie. After refreshing the page you'll see the admin link appear in the navigation bar.

sha256("admin"."ms_g00d_0ld_g4m3") => a2ae9db7fd12a8911be74590b99bc7ad1f2f6ccd2e68e44afbf1280349205054

## Give yourself a pet

In the admin menu you have to give yourself a pet. This allows you to train it commands on the character page, which just writes a text file to "uploads/".md5($salt.$email)."/command.txt".
A lot of characters are filtered and you can only write 19 characters, so you can't really do much with this alone.
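To make the salt recovery from the "Let's get salty" section concrete, here is an added Go example that is not part of the original writeup or the challenge code. It models the settings page and session file as a local oracle that encrypts name||salt with AES-128-ECB (PKCS#7 padding, as openssl_encrypt applies by default), runs the byte-at-a-time recovery against it, and then runs the same procedure against a hardened oracle that uses AES-GCM with a fresh random nonce per call to show why the leak disappears. The key is a constructed stand-in (the real config is censored on the page); the salt is the value the writeup recovered. The recovery routine goes slightly beyond the writeup in that it handles salts longer than one block and detects the end of the secret by itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Stand-ins for the challenge's censored config: the key is constructed for this example
// (the real one is not on the page); the salt is the value the writeup recovers.
var (
	ExampleKey  = []byte("0123456789abcdef") // 16 bytes -> AES-128
	ExampleSalt = []byte("ms_g00d_0ld_g4m3")
)

// An Oracle encrypts name||salt on request, as the settings page does (readable via the session file).
type Oracle interface{ Encrypt(name []byte) []byte }

func concat(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		out = append(out, p...)
	}
	return out
}
func nthBlock(ct []byte, i int) []byte { return ct[i*16 : (i+1)*16] }

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ECBOracle mirrors openssl_encrypt($data.$salt, "AES-128-ECB", $key): PKCS#7 padding, then
// every block encrypted independently, so equal plaintext blocks yield equal ciphertext blocks.
type ECBOracle struct{ Key, Salt []byte }

func (o ECBOracle) Encrypt(name []byte) []byte {
	data := concat(name, o.Salt)
	n := 16 - len(data)%16
	padded := concat(data, bytes.Repeat([]byte{byte(n)}, n))
	block, out := mustAES(o.Key), make([]byte, len(padded))
	for i := 0; i < len(padded); i += 16 {
		block.Encrypt(out[i:i+16], padded[i:i+16])
	}
	return out
}

// GCMOracle is the hardened counterpart: AES-GCM with a fresh random nonce per call, so two
// encryptions of the same input share no ciphertext bytes and block comparison has nothing to match.
type GCMOracle struct{ Key, Salt []byte }

func (o GCMOracle) Encrypt(name []byte) []byte {
	aead, err := cipher.NewGCM(mustAES(o.Key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, concat(name, o.Salt), nil) // nonce || ciphertext || tag
}

// RecoverSalt is the writeup's byte-at-a-time procedure, generalised to salts longer than one
// block: pick a run of 'A's so that exactly one unknown byte sits at the end of a block, then
// try every printable byte until that block matches. It stops when nothing matches, which is
// where the (non-printable) PKCS#7 padding begins.
func RecoverSalt(o Oracle, maxLen int) []byte {
	var recovered []byte
	for len(recovered) < maxLen {
		k := len(recovered)
		prefix := bytes.Repeat([]byte("A"), 15-k%16)
		target := nthBlock(o.Encrypt(prefix), k/16)
		matched := false
		for c := byte(32); c < 127 && !matched; c++ {
			if bytes.Equal(nthBlock(o.Encrypt(concat(prefix, recovered, []byte{c})), k/16), target) {
				recovered, matched = append(recovered, c), true
			}
		}
		if !matched {
			break
		}
	}
	return recovered
}

func main() {
	fmt.Printf("ECB oracle leaks: %q\n", RecoverSalt(ECBOracle{Key: ExampleKey, Salt: ExampleSalt}, 32))
	fmt.Printf("GCM oracle leaks: %q\n", RecoverSalt(GCMOracle{Key: ExampleKey, Salt: ExampleSalt}, 32))
}
```

The ECB oracle needs at most 95 queries per salt byte, and the match is exact, so there are no false positives. The point on the defender's side is that the leak is not a key or padding weakness but a mode choice: any deterministic encryption of attacker-controlled data concatenated with a secret is an oracle of this kind, and a randomised AEAD (or simply not putting the secret next to user input) removes it.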

19 characters is just barely long enough to fit a base64-encoded `

Original writeup (http://blog.redrocket.club/2018/07/15/meepwn-quals-2018-maplstory/).