
Help Brain conquer the world

Discussion in 'PHP & Perl' started by jazzc, May 23, 2013.

  1. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,477
    Likes Received:
    10,221
    I am a strong believer that security in programming is a mindset and not an add-on. I will be making a few posts with non-standard security problems in PHP. Of course, they are not mine, I just tweaked them enough to hopefully avoid easy detection. Credit goes where it's due.

    If you manage to solve them by yourself (i.e. without your googling sk14z), big kudos :)

    Here is the first one - you must help Brain send the message to Pinky to start the world conquest. Can you do it?

    PHP:
    $cachedCredentials = unserialize($cookieVal);

    // Assume we successfully retrieved $user & $pass before somehow
    $user = 'admin';
    $pass = 'root11';

    if ($cachedCredentials['username'] == $user && $cachedCredentials['password'] == $pass) {
        $loggedIn = true;
    } else {
        $loggedIn = false;
    }

    if ($loggedIn) {
        Pinky::conquerUniverse();
    }
    Brain has a big collection of cookies in the kitchen - but he's at a loss of which one to use. Come on, bake the proper one :)

    Edit: Brain has no knowledge what the username/password combo is. You can't use that info as a solution. I've put it there to signify just the fact that the program successfully gets the stored value from somewhere (db, file, api, whatever) with some code we don't need to know for our purposes.

    Edit 2: PM me the solution, don't post it :)
     
    • Thanks Thanks x 6
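
A hardened form of the login check from the post above, as an added example that is not part of the original thread or the poster's code. It decodes the cookie with `json_decode` instead of `unserialize`, requires both fields to be strings, and compares with `hash_equals` instead of `==`. The function name `credentialsMatch` and the JSON cookie layout are assumptions, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not the thread author's code). The function name and the
 * JSON cookie layout {"username": "...", "password": "..."} are assumptions.
 */
function credentialsMatch(string $cookieVal, string $user, string $pass): bool
{
    // json_decode() produces only scalars and arrays; unlike unserialize()
    // it never instantiates objects from client-controlled input.
    $data = json_decode($cookieVal, true);
    if (!is_array($data)) {
        return false;
    }

    $u = $data['username'] ?? null;
    $p = $data['password'] ?? null;

    // Reject anything that is not a string before comparing, so the result
    // never depends on how == converts mixed types.
    if (!is_string($u) || !is_string($p)) {
        return false;
    }

    // hash_equals() compares two strings in constant time.
    $userOk = hash_equals($user, $u);
    $passOk = hash_equals($pass, $p);
    return $userOk && $passOk;
}

// Constructed sample cookies and the result each one must produce.
$samples = [
    '{"username":"admin","password":"root11"}' => true,   // matching strings
    '{"username":"admin","password":"wrong"}'  => false,  // wrong password
    '{"username":["admin"],"password":123}'    => false,  // non-string fields
    '{"username":"admin"}'                     => false,  // missing field
    'not json'                                 => false,  // undecodable value
];
foreach ($samples as $cookie => $expected) {
    $got = credentialsMatch($cookie, 'admin', 'root11');
    printf("%-45s %s\n", $cookie, $got === $expected ? 'ok' : 'MISMATCH');
}
```
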
  2. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,250
    Likes Received:
    3,502
    Occupation:
    Full time IM
    The devil is in the details... is that cookie encrypted?
     
    • Thanks Thanks x 1
  3. jazzc

    Extracting the value from the cookie doesn't matter, assume all the necessary steps have been successfully done already and the value we need is now comfortably sitting on $cookieVal.

    I should have cleared that up, thanks :)
     
  4. Panther28

    Panther28 Elite Member

    Joined:
    May 2, 2010
    Messages:
    2,269
    Likes Received:
    3,409
    Occupation:
    Internet.
    Location:
    Internet.
    ehhhhh...

    Brain: (select best cookie)
    if (cookie) = (best taste) true
    If (cookie) = (biggest size) true
    Else
    (give to cookie monster)
    Now
    Brain (encrypted cookie bag) == Pinky's (hand)
    Then
    (World conquest)


    Am I close?

    :)
     
    • Thanks Thanks x 1
  5. jazzc

    cm.jpeg

    Nobody can resist the Cookie Monster! :)
     
    • Thanks Thanks x 3
  6. saxgod

    saxgod Regular Member

    Joined:
    Sep 19, 2010
    Messages:
    351
    Likes Received:
    337
    I don't understand your question. At first I thought I should provide you with
    PHP:
    a:2:{s:8:"username";s:5:"admin";s:8:"password";s:6:"root11";}
    But then you say that the cookieVal is already set to the correct values...

    So I don't understand what we should be trying to do?
     
    • Thanks Thanks x 1
  7. jazzc

    Obviously Brain does not know that username is admin and password is root11 - those were just placeholder values, could have been anything.

    He needs you to trick the authentication check without knowing the username/password.
     
  8. jazzc

    Update: madoctopus sent me his solution, we have the first winner!

    Congratulations :)

    Keep the ball rolling, send me your ideas!
     
    • Thanks Thanks x 1
  9. jazzc

    lancis is the second one to get it right!

    Congratulations :)
     
    • Thanks Thanks x 1
  10. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Nov 24, 2010
    Messages:
    3,126
    Likes Received:
    7,926
    Occupation:
    I don't have a job
    Location:
    .............
    [​IMG]
     
    • Thanks Thanks x 14
  11. madoctopus

    I personally like it more when trying to login with admin/admin or admin/test actually works. It's priceless.

    That aside, problems like this have to do more with bad coding, which I'm also guilty of at times. Real badass hackers though figure shit out in PHP functions themselves. Saw an example once where sending some data that looked like garbage through POST would essentially trigger PHP to run some code from the memory in ways it wasn't supposed to. Basically jump the program stack pointer to some code you posted. Thought that was sick.
     
  12. jazzc

    These are exploits on a lower level, the Zend Engine that PHP is built upon.
     
  13. jazzc

    artizhay is now on the winners list!

    Congratulations :)
     
    • Thanks Thanks x 1
  14. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,080
    Likes Received:
    2,886
    Gender:
    Male
    Ahha interesting :D
    What's next?
     
  15. jazzc

    How about solving this one before the next ones? :)
     
  16. Gogol

    Ok lemme read the whole thread :)
    Sorry for being a lazy bum lol :p
     
  17. Gogol

    Ok this one looks easy.. Sending you a PM.. Please check :)
     
  18. jazzc

    g0g0l is now in the winners list!

    Congratulations :)
     
  19. Gogol

    Thank you :)
    This one was really tricky by the way and I almost always make this mistake :D

    Waiting for the next one to come. Subbed :)
     
    • Thanks Thanks x 1
  20. Panther28

    Will we be able to see the solution and why it works?