HackIM 2012 Wormholing Write-up

Hey! This is the writeup on wormholing.
Essentially, it allows you to score 1st place without solving any tasks :)

Wormhole is a mechanism built-in to HackIM 2012 taskboard, that allows the exchange of points and solved tasks between two players. Additionally, only one side’s consent is required, so it can be used to effectively steal someone else’s progress in solving tasks.

As we see, scoreboard sets two cookies upon sign-up:
1. ‘PHPSESSID‘, which is a standard PHP session id and has a unique random value for each session. Session is used to store login info and current solved tasks (dunno why it is cached in the session btw :))
2. ‘elohmrow‘, which has a unique value for each user. ‘elohmrow‘ is a reverse of ‘wormhole‘ ;)
To wormhole someone, we need to change our value of ‘elohmrow‘ cookie to value that belongs to another player.

There are 3 ways to obtain another’s cookie, from least powerful to the most:

1. Sign in into scoreboard as the target user, so we get his cookie value straight from scoreboard. However, this requires his password, and brute-force is hard because of ReCaptcha. My first wormholing was done using this technique, i tried password equal to username. User “bbbbb” turned out to have it.

2. Steal victim’s cookies using XSS. ‘elohmrow‘ cookie doesn’t have httponly flag set, so it can be accessed using client-side JS. We can use an XSS in Web Lvl 3 registration function. Exploit: http://img.uploads.su/a8s0oq0.png (sends cookies to http://vos.uz/qwe?….) This was the method that succeded on “danny” (Dhanesh K, who has been declared the winner of CTF :) congratz!)

3. Examine the contents of ‘elohmrow‘ and receive ability to generate such cookie value for an arbitrary player. Let’s take a look at what’s inside the cookie. For example, for my username, ‘vos‘, this cookie has a value of

OTM4NmFiZmVkYjlmODg0ZDZlZmE=

Looks like a base64ed value, right? Let’s decode.

base64_decode('OTM4NmFiZmVkYjlmODg0ZDZlZmE=') == '9386abfedb9f884d6efa'

Alright, so it’s some hex string under base64. Hex string looks pretty random, but if we try different hash algorithms on some of our user characteristics, we can see this:

sha1('vos') == '9386abfedbb94b7a50029f884d6efa18b5686198'

This is it! The hex value in the cookie is composed of two parts of SHA1’ed username! And usernames are lying clear-text at the scoreboard ;)

So let’s try to wormhole someone who didn’t get pwned by our XSS exploit :) For example, ‘n2n‘, who completed all the tasks the first one.

sha1('n2n') == '8cfddffee39345a7d9bae7299340aafb3bea24a1'

Now let’s take the same parts of this hash that we see were taken to create our value. They are chars 0..9 and 20..29. We get the value and encode it with base64:

base64_encode('8cfddffee3e7299340aa') == 'OGNmZGRmZmVlM2U3Mjk5MzQwYWE='

Now we substitute our wormhole cookie with the new value, and see “You found a wormhole” message :) And all the solved tasks of n2n are now belong to us :D

Leave a Reply

Your email address will not be published.