Rating: 0

icebooda – Feb. 15, 2017, 12:21 a.m.

The writeup isn't 100% accurate:
The bug that exists in the code is in line 8:
$hash = substr(`/home/ctf/vhash $filename`, 0, 256);
The vhash binary doesn't take a filename as input, it reads from STDIN - this is what was fixed in "VHash-Fixed". So, changing "guest" to "administrator" only worked because the vhash binary was only ever fed a null string - and the hash in the cookie was the value of a hash of no data.

An earlier check:
if(create_hmac($cookie) !== $hmac)
is what handles the actual authentication - the username doesn't matter until after the hmac check.


noraj – Feb. 27, 2017, 8:02 p.m.

icebooda : thx