Password Reset Writeup | HTTP Parameter Pollution | TrollCat CTF Writeup
This is another writeup for a challenge I made for TrollCat CTF. I'm usually too lazy when it comes to the writing part, but seeing 0 solves on this challenge out of 1100 people (more than 480 teams), I thought I should write one. This challenge is based on a real-life scenario; I took the idea from a HackerOne report. It is built around "HTTP Parameter Pollution and variable types in PHP". My other challenge in this CTF is based on a "DNS Rebinding Attack"; if you haven't read that one, you can read it from here.
Challenge Name: Password Reset
Description — Our admin is a newbie in web development. He is working to develop another modern website, but unfortunately he forgot his admin password. He knows how to store passwords in the most secure way at the backend, but we know he is a newbie, so there must be a way to bypass it.
Without wasting time, let's dig into the challenge. From the description it is clear that we need to reset the admin's password. But before that we need to find the password reset page, right?
On the home page there is nothing useful except the "Log in" button. You cannot brute-force the password, as I have implemented rate limiting (smart, huh!). To save your time on bypassing the rate limit, I've given credentials for the user account in robots.txt. With these credentials, you can easily log in to the user account.
In the user account, there is nothing different from the home page except the account tab, which says this is a user account.
I hope you've tried altering the cookies for this page. But did you know those cookies have no effect (xD)? But wait, have you checked the URL and its parameters while logging in as user?
The "id" parameter in the URL looks suspicious, doesn't it? I know most of you already tried changing its value from "id=0" to "id=1", but did you get the admin panel? Or you tried something else, like SQL injection.
Let's not waste time again on random stuff. This app is vulnerable to "HTTP Parameter Pollution". Most of you have probably heard about this bug; at least bug hunters are most likely aware of it.
HTTP Parameter Pollution
HTTP Parameter Pollution (HPP) is a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request, while others keep only the first or only the last instance. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
For more info, read this article.
Let's get back to the challenge
This is the URL which gives you the user panel.
Now you can change this and add one more id=1 to get the admin panel.
Here’s the crafted URL:
You'll get into the admin panel. Click on the account button. This will alert you that it is the admin account and redirect you to the password reset page. No one reached this point either :(
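To make the parsing difference concrete, here is an added example (my own illustration, not the challenge's source code) showing how PHP itself resolves the polluted query string id=0&id=1, and a defensive helper that refuses any request repeating a parameter name. The function name rejectDuplicateParams and the constructed query string are assumptions for this demo.

```php
<?php
// Added example, not the challenge's own code.
// Constructed query string matching the polluted URL from the writeup.
$queryString = 'id=0&id=1';

// PHP's built-in parser (the same logic that fills $_GET) keeps only the
// LAST occurrence of a repeated name, so $parsed['id'] is the string "1".
// Any check that was done against the first value (id=0) is silently
// out of sync with what the application actually uses.
parse_str($queryString, $parsed);
echo 'PHP sees id = ', $parsed['id'], PHP_EOL;

// Defensive helper (hypothetical name): walk the raw query string and
// fail closed when a parameter name appears more than once, instead of
// letting the platform's first/last/concatenate rule decide.
function rejectDuplicateParams(string $query): array
{
    $seen = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        if (isset($seen[$name])) {
            throw new InvalidArgumentException("Duplicate parameter: $name");
        }
        $seen[$name] = true;
    }
    parse_str($query, $out);
    return $out;
}

try {
    $params = rejectDuplicateParams($queryString);
    echo 'accepted id = ', $params['id'], PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI; the first line prints that PHP sees id = 1, and the helper rejects the request because id appears twice. Applications that legitimately repeat a name (PHP's name[] array convention) need an allowlist of such names in the helper; the raw $_SERVER['QUERY_STRING'] is the value to feed it in a real request handler, since $_GET has already collapsed the duplicates.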
Now this is the main part of the challenge. You need to bypass the old password field and reset the admin password to get the flag, as mentioned in the description.
There are a few methods that I learned while doing bug bounty and CTFs. I'll mention a few of them here. If you know more, then comment below.
- Remove Old Password Field completely
- SQL Injection
- Response Manipulation
- Change request method type
But none of these work here. You know that this web app is made in PHP. Look at the given hint and description.
With a simple Google search, you'll find that it is a hash. Hashing the password before storing it is the most secure way to store passwords. So what next? Did you get something?
Yes, in PHP the SHA1 hash of an array will not execute, and hence the old password verification can be bypassed. The old password value is entered through a GET request parameter, so we control the value as well as the type of the variable. If we send the old password as a variable of type array, we can bypass the SHA1 check, because that SHA1 check is only executed when the old password variable is of type string.
Read this Hackerone Report: https://hackerone.com/reports/792895
You can see that parameter "old" is of type array. Pass an array variable in the URL and you'll get the flag.
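The following added example (my own reconstruction of the pattern described above, not the challenge's actual source) shows the "verify only when the value is a string" check beside a fail-closed version. The stored hash, the function names resetVulnerable and resetHardened, and the password s3cret are all constructed for the demo.

```php
<?php
// Added example, not the challenge's own code.
// Constructed stored hash: SHA1 of the demo password "s3cret".
$storedHash = sha1('s3cret');

// Vulnerable pattern (hypothetical): the hash comparison only runs when
// $old is a string, so ?old[]=anything arrives as an array, skips the
// check entirely, and falls through to the "verified" branch.
// Note that sha1() is never even called on the array here, so this
// works the same on PHP 7 (sha1 on an array returns NULL with a warning)
// and on PHP 8 (it throws a TypeError).
function resetVulnerable($old, string $storedHash): bool
{
    if (is_string($old) && sha1($old) !== $storedHash) {
        return false; // wrong old password
    }
    return true;      // reached for a correct password AND for any non-string
}

// Fail-closed version: reject anything that is not a string up front,
// then compare in constant time with hash_equals().
function resetHardened($old, string $storedHash): bool
{
    if (!is_string($old)) {
        return false; // arrays, null, ints: never treated as verified
    }
    return hash_equals($storedHash, sha1($old));
}

// Simulated inputs as PHP would populate $_GET['old']:
//   ?old=wrong   -> 'wrong'
//   ?old[]=wrong -> ['wrong']
foreach (['wrong', ['wrong'], 's3cret'] as $input) {
    $label = is_array($input) ? 'array' : "string '$input'";
    echo str_pad($label, 18), ' vulnerable=', var_export(resetVulnerable($input, $storedHash), true),
         ' hardened=', var_export(resetHardened($input, $storedHash), true), PHP_EOL;
}
```

Running it with the PHP CLI shows the difference: resetVulnerable returns true for the array input even though no password was supplied, while resetHardened returns true only for the correct string s3cret. The general lesson is that a type guard must reject the unexpected type, never skip the security check for it; and for real password storage, password_hash() with password_verify() replaces the bare sha1() comparison used here to match the challenge.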
Hope You’ve learned something from this challenge :)
If you have any queries, then connect with me
Connect with me