I think we can all agree that most of us grew up watching the iconic cartoon Tom & Jerry. Every kid would feel that surge of adrenaline during the thrilling chases and chaotic conflicts between the mischievous mouse and the ever-determined cat. The excitement of those scenesโthe heart-pounding moments of escapeโsometimes felt almost real. But then, I heard a little rumor: what if all those chases were fake? What if Tom and Jerry were actually friends all along? That revelation shook me. I had no one to ask about this mind-bending twist, so I decided to take matters into my own handsโI created a web app to settle this question once and for all. I know the truth now. Do you think you can uncover it too? https://chal.acectf.tech/Webrypto/
๐ฏ Challenge Files & Infrastructure
Provided Files
1
Files:None
๐ Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
We are directly shown the PHP source code of the page, which takes two GET parameters: tom and jerry. Then, a check is performed on the md5 hash generated by concatenating ACECTF . tom and ACECTF . jerry (in PHP, . is the concatenation operator). So, if the md5 hash generated from the concatenation of ACECTF . tom is equal to the hash generated from the concatenation of ACECTF . jerry, it prints the flag. However, as we can see, another check is applied first, verifying that tom and jerry are different. Initially, I thought of an md5 collision, since it is vulnerable to this type of attack, but soon after, I reconsidered and tried with a Type Juggling. Let’s not waste time and move on to the exploitation phase.
๐ฌ Vulnerability Analysis
Potential Vulnerabilities
PHP Type Juggling
๐ฏ Solution Path
Exploitation Steps
Initial setup
Type Juggling can be performed when there are no specific checks on the type of data being entered. Indeed, in the parameters, we can also pass an array by specifying parametername[]. This way, the data type entered is the same for both parameters, tom and jerry. Let’s move on to the next phase..
Exploitation
We need to send different parameter values, for example, we can send tom=a and jerry=b. However, by also using Type Juggling, the content is different, but the md5 is generated from an empty array. Since in both cases we are passing an empty array, the md5 generated will certainly be the same. Therefore, by sending the parameters tom[]=a and jerry[]=b, we will be able to get the flag. (https://chal.acectf.tech/Webrypto/?tom[]=a&jerry[]=b).
Flag capture
Manual Flag
๐ ๏ธ Exploitation Process
Approach
The automated exploit makes a GET request sending the parameters tom[]=a&jerry[]=b as already mentioned in the exploitation phase, and then extracts the flag from the response using a regex.
