What is going on, everybody? My name is John Hammond, and welcome back to another video on Boot to Root CTF, 2019 edition. This challenge is called EasyPHP. It is the first challenge in the web category, and we're given a link here which we can go take a look at. It gives us some PHP in a highlighted file that we can actually examine and try to understand in reverse. It looks like we have some GET variables that we can go ahead and pass to it. It's including the flag in a regular PHP file that we wouldn't normally be able to access. It will not actually return the information for us, but it is creating that variable. So we've got GET variables we can pass to it, and it looks like it's going to run through some tests on each of those. We have kind of like Olympic-style PHP magic tricks to run through. So the first one is actually determining whether or not we can get a string matching its MD5 hash of the string. This is the case of PHP type juggling, where you'll often see PHP magic hashes, and these are also referenced in CTF Katana, my document: anything that's 0E, or a hash that starts with 0E and is then followed by all numbers, is going to be treated by PHP as a number. It's actually going to be considered zero. So we can also find a string that is equal to this, because it's not using PHP strict comparison. It doesn't have three equal signs; it only has two. So that allows us to try and determine a string that is also considered zero. So it also starts with 0E, and that will match even if the actual contents of the string do not match, thanks to PHP's issue there. So that is going to take a little bit of time to crank out. Normally, when you take a look at magic hashes, you have a few that you can actually work with already. There is stuff that I have recommended in CTF Katana, and I totally typed the wrong link there, so let's go back to github.com, and that's just John Hammond, CTF-Katana.
You have magic hashes down here in PHP, and you have some options that are in that form: 0E and then all numbers following it. However, none of these on the actual plain text side start with 0E, so we will have to generate that ourselves. We can do that just with Python. It takes a little bit of time, but it is possible, so let's go ahead and create a script to do that for us. Get a shebang line, and I am going to "from md5 import md5", and what I am going to do is actually create a while loop, because I want to do this over and over again. We are going to want to keep track of a number; I will just call it i. So "while True", we will keep cranking on this. What we will do is we will say, okay, the original plain text is going to equal 0E, because it is going to be preceded by that 0E, right, and then be the number that we are working with, so I will just format that in with i. And then the actual hash is going to be the rendition that is passed to md5. We have to create a new md5 object each time, because it is going to be updating values in it, so let's just do m.update(plain text), and the hash will equal m.hexdigest(). So we can test: if h starts with 0E, then we know, okay, we have a candidate that might actually be followed by digits, so we will cut it up. We will say, if h from 2 forward, so removing the 0E and considering everything after that, if that is digits, then we have a match. So what we can do is we can print out our plain text and we can print out the actual hash that we are working with, then we will break, because we don't want to loop anymore. At the very, very end, remember, we have to keep iterating our number, because we are just going to go until infinity.
If you want to see this working, what we can do is we can just print out the number that we are working with, actually just use plain text and the hash, and we will see if we are cranking through it. So "python app.py" to get it to run, and you can see we are running. So I am going to let this go for a little bit of time. I am not going to print this out, because it slows it down; this takes a few minutes, so I will pause the recording and get back to you once we have a hit. Okay, now the script has returned. We have got 0E215962017 and the hash that corresponded with it, and that matches our criteria. So what we can do now is actually use that as our original foothold for step one, for part one. So let's actually take note of that; let's just say, actually in our app.py, we may as well take note: we found it to be the value, that. So now we can work with the actual web page. What we can do is we can go ahead and say curl, get that web page. This looks like a lot of nonsense because it is the, like, PHP highlight_file function, but now we can specify our "1" variable, and that can equal what we had as our hash. We can go ahead and copy that and paste it right there. Now we can see the first part of the flag: we have "boot to root whatever", and we'll move on to the next portion of this code that we have to work through. So now we have "1" that also needs, that we need to make sure, is going to exist in our future parts, but we've also got string two and string three to work with. We test if both of these exist, if they've both been set, and we want to make sure they are not the same. So we are using strict comparison here: string two should not be equal to string three, but we can determine if the MD5 hash with a specific salt is equal to that hash with the specific salt of the other one. So that, again, is a loose comparison, not using PHP strict comparison, so we can do some type juggling here. In this case there is a common trick with PHP where you don't just supply a string, but you actually convert
that argument into an array, because when you bring that through hash with the salt, it's actually going to be evaluated as zero, so that salt stays the same, and that's going to equal the next thing. However, this string two, string three will actually still be evaluated as that value that it needs to be. So that's kind of a clever and interesting trick; you can see a lot of write-ups for other CTF challenges that abuse that in other locations on the internet. But let's actually go ahead and work with that. We'll say curl, with our "1" value still being there; we also want to have our "2". We can set that equal to something, but we can supply these two square braces following it, so that notes that, okay, that's an array, and we'll make that value be one or something. And then we'll have "3" as our other variable; we'll actually set that again as an array, and we'll set that equal to something other than what we set "2" to. Does that make sense? So now "3" is going to equal two, as long as it's something other than what that other variable is. So when we run this, we have to actually go ahead and escape it inside of curl. If you wanted to use, like, some URL encoding, you can do that; however, curl will let you just supply backslashes here, and then it won't consider it the wrong way. So now we've got "boot to root whatever it takes", assuming, in leet speak, and we can move on. So that one is cool and kind of neat, but it wasn't too difficult; at least it didn't take as much time to process out as the other one. The next rendition, the next part here, the final part, looks to be PHP serialization vulnerabilities, right? It's trying to unserialize input that we can control, so that's a bug. You can see a lot of write-ups on this if you Google it, a lot of techniques that talk about it. However, normally it's talking about a class that's defined with a PHP magic function like __destruct or something that will actually run automatically, because we want that code to end up
being used in the actual object. In this case, what it does is it actually has a temp variable and a flag variable, and this get_magic_quotes_gpc thing that just checks a setting in PHP as to whether or not it needs to properly evaluate this with slashes in there. So for our payload and our exploit mentality, we don't really have to worry about that. We know that it's going to unserialize our input, though, because it's just straight up our GET argument that we pass to it. So if we have that object, what we're going to do is we're going to set that object's flag to the flag, like what we would expect from our flag.php file that's included, and we'll test if that flag is equal to, with strict comparison this time, the result's temp variable. So that's kind of an interesting trick, because we can serialize this object, we can fake that object, and we can control some variables here, but how are we going to get it to look ahead as to what the temp variable actually is? There's no way for us to know that. I tried some interesting, stupid things with, like, eval, or trying to see if we can determine what this value is going to be, but the real, actual, like, pathway here is to pass by reference and use it by reference. So we're actually going to end up creating our own PHP script that will create this object, serialize the data for it, and then we'll just pass that data to it. So let's do that. Let's set up, like, test.php, and that's going to start with the PHP notation here, and we'll create a class Secrets, just as it has in the code; in fact, we can probably just even copy and paste that. And just to be sanitary, I guess we'll go ahead and close this PHP tag here. And then what we can do is we can create an object to hold that class, so we'll say "new Secrets" in PHP, and then what we're going to do is we're actually going to set that temp variable to equal what the flag is, because remember, the code has to ensure that those are equal to each other. So we'll set temp equal to what flag is,
and we'll do that by reference here. We'll say sec, and then PHP uses the arrow notation rather than the dot to actually, like, access an object's properties, so we'll say $sec->temp is equal to the reference of $sec->flag. Great, so now what we want to do is we actually want to display out, so I'll use echo here, the value when we serialize this object; so serialize, and we'll pass in our sec object. So now we can check this out. What we can do is we can just run php7.0, because that's the one I have installed in my case; we'll give it the argument as the file that we just created, and it will create this for us. So Secrets is an object; serialized, it has some variables: it has a string temp, it has a string flag, and it's actually using this R here to specify, okay, that is actually the notation that we want to work with. Props to, I want to check out who was in the Discord server, props to, it was props to DCA and the real lulls in the Discord server for kind of helping me understand that and get an idea as to why that was working the way that it was working. So we have that serialized object now, and if we wanted to, we could go ahead and pass that into our curl command; that will now be number "4". However, this will not work off the bat; you can see we've got some quotation marks that are getting in the way, especially with our curl object. So what we can do is go ahead and actually URL encode that. I'm going to fire that up in Python, so let's just get IDLE up, the super, super easy way: let's just urllib quote, and then pass that in. So that gives us a lot of URL encoding, like percent encoding, but that works just fine for us. We can just spit it into curl and it'll handle it. So remove everything that we had previously where we set "4" equal to, spit that all in, and now we've got the full flag: "boot to root whatever it takes because I love the adrenaline in my veins". Super long part, so you wouldn't be able to guess that. So that's that; that is the flag. We can go ahead and submit it here, and
that would be however many points it was at that time. But that is that challenge. Some interesting hurdles to jump through with PHP: again, a lot of PHP juggling, magic hashes that you can abuse (you know, theoretically there's going to be something that exists that matches that criteria), abusing a salt even when you can just say, okay, my string is really a string, it's also an array, and it goes through some of those PHP checks, and some PHP object serialization, object injection; there's a lot of documentation. Hope you guys enjoyed this, hope you guys learned something. If you did, please do like the video, like, comment, subscribe. Love to see you in, that is, on the Discord server; there's a link in the description. Patreon, PayPal, the whole nine yards. You guys know I'm screwing up words again. I'm ending the video real quick. Bye!
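The magic-hash check from part one, written out as an added example (this is not the video's own script): a Python model of PHP's loose "==" on numeric strings, the same 0e-plus-digits test the video's loop used, and a bounded version of that search. The plaintext is spelled with a lowercase "0e", which is the form whose MD5 digest is 0e291242476940776845150308577824; the function and variable names are this example's own.

```python
#!/usr/bin/env python3
"""Added example (not the video's script): model the loose '==' check from
part one of EasyPHP and search for a magic-hash plaintext, bounded so it
finishes quickly instead of running for minutes."""
import hashlib
import re

# PHP treats strings of this shape as numeric; '==' then compares the numeric
# values, so "0e123" == "0e999" is true (both are 0 * 10^n, which is 0).
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: str, b: str) -> bool:
    """Model PHP's '==' on two strings: juggle to numbers when both are numeric."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(plaintext: str) -> bool:
    """True when md5(plaintext) is '0e' followed only by digits (the video's test)."""
    digest = hashlib.md5(plaintext.encode()).hexdigest()
    return digest.startswith("0e") and digest[2:].isdigit()


def challenge_check_loose(value: str) -> bool:
    """The vulnerable check as the challenge wrote it: $value == md5($value)."""
    return php_loose_equal(value, hashlib.md5(value.encode()).hexdigest())


def challenge_check_strict(value: str) -> bool:
    """The same check with '===' (no juggling): a string only equals its own
    md5 if the bytes are identical, which a magic hash does not satisfy."""
    return value == hashlib.md5(value.encode()).hexdigest()


def find_magic_hash(start: int, stop: int):
    """Search '0e<i>' for i in [start, stop), like the video's loop but bounded.
    The value the video found, 0e215962017, lies in range(215962010, 215962020)."""
    for i in range(start, stop):
        candidate = f"0e{i}"
        if is_magic_hash(candidate):
            return candidate
    return None


if __name__ == "__main__":
    hit = find_magic_hash(215962010, 215962020)
    print(hit, hashlib.md5(hit.encode()).hexdigest())
    print("loose:", challenge_check_loose(hit), "strict:", challenge_check_strict(hit))
```

Running it shows why the fix is the strict comparison: the same plaintext passes challenge_check_loose and fails challenge_check_strict.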