What's going on everybody, my name is John Hammond. A quick video, just kind of a spur-of-the-moment thing. I just got this message from Murph Assange, I suppose is how to pronounce that name, and he was asking, "Hey, do you remember the boot-to-root easy PHP challenge?" And I was like, no, I don't exactly have that readily accessible in my memory. He says, all right, it was a challenge about PHP and loose comparison vulnerabilities, when you use two equal signs rather than three for strict type comparison, or strong comparison. So he said, "Hey, I have a challenge that's pretty similar to it. Do you mind taking a look at it?" So I fired it up and I looked through it. It looks like what we have here is some PHP source code that's displayed for us with just a little parameter that you can supply. Maybe by default it didn't show that, and if you look at the source it says, oh, you could supply ?source and it will go ahead and display that for you. So there we go. Now we can see, okay, we have the flag included, as in it's a variable we can probably access eventually in the code. It looks like it'll display the file for us if we supply that source argument, or that source variable, like we did. And then we need to make sure we supply an md5 GET variable, otherwise nothing happens. If we do supply that md5 variable, it will hash it with the MD5 algorithm, and whether we get that correct or incorrect, if they are equal to each other with loose comparison, with weak comparison using only two equal signs, we'll get the first part of the flag. Otherwise it will yell at us. And we also need to supply md4, which is another hashing algorithm, similar to MD5 but different. And if you include that and you have the exact same condition, where your hash is equal to what you supplied, again loose comparison, you can go ahead and grab the second part of the flag. So just two tests.
We need to run through them. It doesn't seem extremely difficult, but you just kind of have to be able to identify that this is loose comparison in PHP and know some of the magic hash tricks, and the hashing collisions that can happen in PHP because of the way that this type juggling, or weak comparison, can be used and abused. So I said, hey, you actually determine these MD5 and MD4 collisions, and you can use that PHP type juggling really to take advantage of that. So you could probably enter a string that would hash to that 0e prefix, which PHP will assume is a number, followed by a bunch of numbers after that, as you would expect to see in a hash, like a 32-character hash. And if those are all numbers, PHP using loose comparison will read that and go, oh, it's like some scientific notation representation, this is a number, not a real string. And because of that loose comparison, it's not going to care that this is a string, or that this is a string, because it's not going to be caring about the type. It'll just kind of also consider it a number. So, interesting quick bug. I'm not going to deep dive into some of the documentation, but if you were to Google "PHP loose comparison", "weak comparison", "two equal signs", you can track down more about it. And actually he asked for some information, like, hey, can you show me some of these things? So I googled these, did the googling for him, and there are some discussions on it. Same thing with magic hashes, and here, yeah, so magic hashes are hashes that are considered 0e, so they're also equal to the string "0", and they are zero. Okay. I also included my repository, ctf-katana, the documentation side of it, not the utility side of it, that would explain or give some examples for "here are some PHP magic hashes".
I have a few listed already for MD5. All of these are numeric, and then I guess just alphabet-side, and then 0e is the resulting hash. Same thing for SHA-1, in case you ever see that, and same thing with MD4. And I noticed, oh, in my MD4 collection I actually have some plaintexts that still start with 0e, so PHP will consider that a number, and the result of course is 0e. I don't have that for MD5, so that wasn't ready to just spin in and run. I figured, well, we have to go ahead and calculate that. So we can do that, we can go ahead and do it. He joined the Discord server and I said, yeah, let me go ahead and help you figure out that MD5 collision. So let's just make something for that. Make directory "things", cd things, "double ape dot pie", totally off the cuff. And let's make this a Python 3 script. I promise I can type. Let's get md5 from hashlib, and let's go ahead and import some ability (how do I keep typing "product"?), combinations_with_replacement. We can zoom out on that, I don't think it needs to be that huge for you. And let's go ahead and import string. So, okay, now what we want to do is go ahead and grab the start of what all of these should begin with, right?
0e needs to be that prefix so PHP thinks that it's a number, and then we can go ahead and say our pool of numbers that we're going to work with for determining just whether or not we can grow a brute-force hash, where we try and generate what will have a PHP hash, or an MD5 hash, that will be 0e and then all numbers. So our original plaintext also has to start with that 0e and be filled with numbers. It doesn't matter the length, because they're going to end up hashing it, and in the comparison it won't matter. So we know that's the pool of characters we'll work with, so we will go ahead and create a set of combinations with a growing length, because we want to try and brute-force this. So I'll do "for i in range" of one to a random number that we can increment if we want to later on, but we'll do combinations_with_replacement of our pool of numbers that we want to work with, the characters that we'll use, with the length that we're growing, so that we have a bunch of these. So let's go ahead and go through each of them, and we'll say to_hash is going to equal our start plus the empty string joining together, so we just convert the tuple that combinations_with_replacement will return to us to a to_hash. Good. So if I already go check that out for us, we can python3 it, and now we're generating what we could use as our plaintext, and we'll just brute-force through with them. So that's nice and easy for us. Now we'll go ahead and hash them. We'll say m can equal just an md5 object, we'll go ahead and update it with the string that we want to hash, and we'll go ahead and grab the then_hash, or the new hash. That's going to be m.hexdigest. I think that needs to be bytes for Python 3. Yep, it does.
So let's go ahead and encode that as UTF-8, or whatever encoding seems to get it to work, because I wrestle with that way too often. So now that we have hashed it, we can determine if then_hash starts with those first two characters equal to our start, as we need, and then the hash following that is numeric, it's just numbers following that. If that's the case we can print, hey, we got one that matches the criteria that we need. We can go ahead and print out, let's use an f-string here, "to_hash goes to then_hash", and let's put an input statement so we can break there. Okay, so that's kind of a small pool for us to be brute-forcing through, and we continually grow through that, and I know that will work for us. So let's go ahead and run that. We don't need to print out any of those other things anymore, so let's comment that out and crank. Okay, so this shouldn't take too long. If it does I'll pause the recording, or maybe I had the script wrong and it was a bad condition, but we'll see. Okay, so now we got one. It says 0e and all of those numbers can map to that, which should meet the condition just well enough. So now let's go ahead and take note of that. I'll just throw it here and let's go back to this URL, take it and start to work with it in curl. So, quick and easy. We don't need to see the source anymore because we're just going to try and do the real thing, so we need to supply an md5 argument, and that has to be this plaintext that we want to hash. So I'll paste that in, and now we can see the beginning of the flag: flag part zero, right, "PHP Collisio". And we can assume now we can go ahead and grab that MD4 collision that we've got already calculated and seemingly found some from ctf-katana, so that's a good utility and resource. Hopefully we can say md4 equals that, and there we go. Now we have the full flag, in CTF "PHP collision is awesome", right? Cool. Okay, let's call that the flag, and let's go ahead and mark that thing's directory as complete. So, cool.
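The brute-force script walked through above, written out here as an added example rather than the code from the video, alongside a small model of PHP's loose string comparison next to the strict check a defender would use instead. It goes a little beyond the video in two ways: it uses itertools.product instead of combinations_with_replacement, so every digit sequence of a given length is tried rather than only the non-decreasing ones, and it takes a budget so a run can be bounded. The names (is_magic, php_loose_equal, find_magic) and the search budget are my own choices; the known plaintext/digest pairs are from the public magic-hash lists the video refers to.

```python
import hashlib
import hmac
import itertools
import re
from typing import Iterator, Optional, Tuple

# Everything PHP will read as "zero times ten to the something" starts with 0e.
START = "0e"
DIGITS = "0123456789"

# Simplified model of PHP's numeric-string rule: optional sign, digits,
# optional fraction, optional exponent. "0e291242..." matches, so PHP turns
# it into the float 0.0 before comparing with ==.
_NUMERIC = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(plaintext: str) -> str:
    """Hex MD5 of a str, encoding to bytes the way the video's script had to."""
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def is_magic(hexdigest: str) -> bool:
    """True if the digest is '0e' followed only by decimal digits."""
    return hexdigest.startswith(START) and hexdigest[len(START):].isdigit()


def php_loose_equal(a: str, b: str) -> bool:
    """Model of PHP's == on two strings: two numeric strings compare as numbers."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def strict_equal(a: str, b: str) -> bool:
    """What the challenge should have done: byte-for-byte comparison,
    constant-time as a bonus (equivalent in spirit to PHP's === / hash_equals)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def candidates(alphabet: str = DIGITS, max_len: int = 12) -> Iterator[str]:
    """Plaintexts of the form 0e<digits>, growing in length, so the plaintext
    itself is also a numeric string (the condition the video's challenge needs)."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield START + "".join(combo)


def find_magic(algorithm: str = "md5", alphabet: str = DIGITS,
               max_len: int = 12, budget: Optional[int] = None
               ) -> Optional[Tuple[str, str]]:
    """Search for a plaintext whose digest is a magic hash.

    Note the odds: roughly 1/256 * (10/16)**30 per MD5, so an unbounded run can
    take hundreds of millions of hashes. `budget` caps the number tried.
    hashlib.new("md4") only works where the OpenSSL build still provides MD4.
    """
    tried = 0
    for plaintext in candidates(alphabet, max_len):
        if budget is not None and tried >= budget:
            return None
        tried += 1
        digest = hashlib.new(algorithm, plaintext.encode("utf-8")).hexdigest()
        if is_magic(digest):
            return plaintext, digest
    return None


# Pairs from the public magic-hash lists (not computed here), used as a sanity check.
KNOWN_MD5_MAGIC = {
    "0e215962017": "0e291242476940776845150308577824",  # plaintext itself starts with 0e
    "QNKCDZO": "0e830400451993494058024219903391",
    "240610708": "0e462097431906509019562988736854",
}


if __name__ == "__main__":
    for plain, digest in KNOWN_MD5_MAGIC.items():
        print(f"{plain} -> {md5_hex(plain)}  magic={is_magic(md5_hex(plain))}")
    a, b = md5_hex("QNKCDZO"), md5_hex("240610708")
    print("loose  ==", php_loose_equal(a, b))   # True: both become 0.0
    print("strict ===", strict_equal(a, b))      # False: different strings
    print("bounded search:", find_magic(budget=100_000))
```

The interesting line for a defender is php_loose_equal versus strict_equal: the two digests are plainly different strings, yet the loose model reports them equal because both parse as 0.0, which is exactly why the challenge's two-equals check can be satisfied without knowing the flag. A bounded search with a small budget will normally return None; finding a fresh pair the way the video did means letting it run far longer.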
That is that. That was just a quick run-through of a script to quickly track down what hashes, or what plaintext, will work on the condition that we need: to grab an MD5 hash that looks like something that PHP weak comparison will be fooled by, and we can take advantage of that. So we were just able to burn through that challenge, and I guess that wasn't too hard for us. I hope you guys learned something if you haven't seen this before. Hope you're able to crank out some Python code and get a better idea for how you can brute-force things really easily with itertools and combinations and permutations and stuff like that. So thank you guys so much for watching. I hope you liked this video. If you did, please do like, comment and subscribe, all of the YouTube algorithm things, and join the Discord server. And yeah, thanks for watching guys. See you in the next video.