Tuesday, 13 January 2015

Nullcon CTF 2015 Write up - Length Extension Attack [ Web 400 ]


It was fun playing the Nullcon CTF 2015 challenges, and I learnt a lot of things over 2 days!
One of the challenges consisted of an interesting crypto attack known as the "Length Extension Attack".

Referring to this diagram from Wikipedia: http://en.wikipedia.org/wiki/Message_authentication_code


1. The sender has the "Hash", i.e. the MAC, and the Message, which will be sent to the server.
2. The receiver receives the MAC and the Message.
3. The receiver passes the Message + Secret Key to the algorithm, which produces a MAC.
4. The receiver compares the newly generated MAC with the MAC received from the sender; if they match, the message is authentic.

Nullcon pass at 10999 Rs

If you look at the source code, it contains the following information: Hash + Message + length of the secret key (19).

Pass the above information to the HashPump tool, which will perform the Length Extension Attack and generate a new hash that lets us buy our product for 0 Rs. by appending |0

Message format = Nullcon2015|Corporate|10999, where 10999 is the price

URL-encode the newly generated message from HashPump and remove the unnecessary characters "5cx"

Tamper Data will show the original Message and Hash

Replace the original Message and Hash with the updated Hash and the URL-encoded message

Forward the HTTP request and that's it! You bought a Nullcon pass for 0 Rs.
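Why the server's check accepts the extended message, and the HMAC check that rejects it, as an added example that is not part of the original post or the challenge's code. It assumes SHA-256 as the hash, a constructed 19-byte secret, and a hypothetical server-side `price()` parser that reads the last `|`-separated field; the post states none of these apart from the key length.

```python
import hashlib, hmac, struct

M = 0xFFFFFFFF
# SHA-256 round constants: fractional parts of the cube roots of the first 64 primes
_P = [p for p in range(2, 312) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
K = [int((p ** (1 / 3) % 1) * 2 ** 32) for p in _P]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M

def compress(state, block):
    """One SHA-256 compression step over a 64-byte block, starting from `state`."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        ch = (e & f) ^ (~e & g)
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ch + K[i] + w[i]) & M
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_pad(total_len):
    # Padding SHA-256 itself appends to an input of total_len bytes
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def extend(tag_hex, message, key_len, suffix):
    # The published tag is the hash's internal state after secret||message||glue,
    # so hashing can resume from it; only the key LENGTH is needed, not the key.
    glue = md_pad(key_len + len(message))
    state = list(struct.unpack(">8I", bytes.fromhex(tag_hex)))
    tail = suffix + md_pad(key_len + len(message) + len(glue) + len(suffix))
    for i in range(0, len(tail), 64):
        state = compress(state, tail[i:i + 64])
    return message + glue + suffix, struct.pack(">8I", *state).hex()

def verify_prefix(secret, message, tag_hex):  # weak construction: H(secret || message)
    return hmac.compare_digest(hashlib.sha256(secret + message).hexdigest(), tag_hex)

def verify_hmac(secret, message, tag_hex):    # hardened: HMAC-SHA256
    return hmac.compare_digest(hmac.new(secret, message, hashlib.sha256).hexdigest(), tag_hex)

def price(message):  # hypothetical server parsing: last |-separated field wins
    return int(message.rsplit(b"|", 1)[1])

SECRET = b"constructed-19B-key"                   # constructed 19-byte sample key
ORIGINAL = b"Nullcon2015|Corporate|10999"         # message format from the post
TAG = hashlib.sha256(SECRET + ORIGINAL).hexdigest()
FORGED_MSG, FORGED_TAG = extend(TAG, ORIGINAL, len(SECRET), b"|0")
```

The glue bytes inside `FORGED_MSG` are the `\x80\x00...` run that has to be URL-encoded in the request. Switching the server to `verify_hmac` is enough to make the extended message fail verification.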

This was an interesting challenge, and I thought to post it here on the blog, although the CTF write-up is being published on the official NullCon site.

It was fun playing this CTF, and I wish to learn more things going ahead!


1 comment:

  1. Hey , Nice Writeup man ..!! :)
    Nice Blog man ..!! :)

    very happy to see you ..!!
    - P3t3rp4rk3r (Null Goa) - r3b00t