M0Lecon 2021

Lucky Fall

Solved By : thewhiteh4t

  • we have a simple login page
  • JSON body is sent to the server which contains username and password
  • Unusual thing here is that the error is shown in a javascript alert

  • the page source looked normal so I proceeded to intercept the login request with burpsuite
  • if we remove the name key value pair from JSON body we can see the following error :

  • this error reveals few things to us :
    • python flask backend is used
    • the exceptions are showed in the alert pop up
    • name key value pair are required
  • after this I tried to remove the password key :

  • here we can see an if condition which looks like the logic behind the login function
  • It is calculating the SHA256 hash of concatenation of password and salt
  • then it compares it with a hash value
  • but if we take a look carefully we can see that the values of salt and hash are being taken from the JSON request body
  • so we can set our own salt and hash just like username and password
  • I wrote a small python script to get the flag
  • here username, password and salt can be any values, we just need to satisfy the if condition to get the flag
#!/usr/bin/env python3

import requests
import hashlib

url = 'http://lucky-fall.challs.m0lecon.it/'
uname = 'admin'
passw = 'password'
salt = 'salt'
Hash = hashlib.sha256((passw + salt).encode('UTF-8')).hexdigest()

json_body = {
    'name': uname,
    'password': passw,
    'salt': salt,
    'hash': Hash

r = requests.post(url + 'login', json=json_body)


Published on : 17 May 2021