The SHA Juggler
Dive into the depths of "The SHA Juggler," a mysterious web challenge that tests your prowess in PHP type juggling, cunning encoding techniques, and web exploitation. Your mission is to outwit the system, leveraging the peculiarities of PHP type comparisons, decipher the applied encodings, and exploit vulnerabilities to retrieve the concealed flag. Can you navigate the enigmatic interplay of types and encodings and emerge victorious?
Solution
On viewing the page source (Ctrl + U), we find some hex data in the script tag.
Using CyberChef, decoding with hex first and then base64, we get this:
From the code we can conclude the following things:
you_found_me.php: possible PHP page
$_GET['hash']: looking for a hash GET parameter in the URL
$hash = sha1($_GET['hash']): computes the SHA1 hash of the value provided in the hash parameter in the URL and stores it in the $hash variable
$target = sha1(10932435112): computes the SHA1 hash of 10932435112 and stores it in the $target variable, which evaluates to 0e07766915004133176347055865026311692244
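The block of code below compares the $hash and $target hash values, but the comparison taking place is a LOOSE COMPARISON.
There are two modes of comparison in PHP: STRICT and LOOSE.
In loose comparison, only the value is checked and NOT the type of the variable. When both operands are numeric strings, == compares them as numbers, and a string made of 0e followed only by digits is read as zero in scientific notation, so two such hashes compare equal even when the strings differ.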
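The two comparison modes side by side, as an added PHP example that is not the challenge's code: the function names are hypothetical, and every sample digest other than $target is a constructed string, not the SHA1 output of any real input.

```php
<?php
// SHA1 of 10932435112 as given in the write-up.
$target = '0e07766915004133176347055865026311692244';

// Constructed 40-character strings standing in for user-influenced digests.
$samples = [
    'same digest'         => $target,
    '0e + digits only'    => '0e' . str_repeat('1', 38),
    '0e + hex letters'    => '0e' . str_repeat('a', 38),
    'ordinary hex digest' => str_repeat('ab', 20),
];

// Vulnerable form: == converts two numeric strings to numbers before comparing,
// and 0e<digits> is 0 * 10^<digits>, which is 0.
function loose_check(string $hash, string $target): bool
{
    return $hash == $target;
}

// Hardened form: hash_equals() compares the raw bytes in constant time,
// with no numeric conversion. (=== also avoids the juggling.)
function strict_check(string $hash, string $target): bool
{
    return hash_equals($target, $hash);
}

// Review aid: true for digests that PHP would treat as the number zero.
function is_magic_hash(string $hash): bool
{
    return preg_match('/^0+e\d+\z/', $hash) === 1;
}

foreach ($samples as $label => $hash) {
    printf(
        "%-20s loose=%-5s strict=%-5s magic=%s\n",
        $label,
        var_export(loose_check($hash, $target), true),
        var_export(strict_check($hash, $target), true),
        var_export(is_magic_hash($hash), true)
    );
}
```

Only the digits-only 0e string passes the loose check without matching the target; the 0e string containing hex letters is not numeric, so == falls back to a plain string comparison and fails.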
So, if we provide a string whose hash value starts with 0e in the URL as a GET parameter, we can get the flag.
Using this repo, we see that there are many hashes whose values start with 0e.
Our final payload evaluates to this:
Appending the payload to the URL gives us the flag.
FLAG