mountain (web)
We are given a website that implements basic login and register functionalities. I don’t have any screenshots, but this challenge is:
- Register an account using an email with the domain
@wargames.gov.my
- Get a randomly generated password on the webpage
- Get the verification code from the email to verify the account
- After verifying the account, login to get flag
Since nobody would own a @wargames.gov.my
email, there would be no real way to get the verification code via email. However, the challenge provides the code used to generate the password and verification code.
<?php
function genpassverify($length = 10) {
$verify_code = mt_rand(1000000000,9999999999);
mt_srand($verify_code);
$acc_passwd = mt_rand();
return $acc_passwd.':'.$verify_code;
}
?>
Here we see that the both the verification code and password are generated with the mt_rand
function. Mersenne Twister is not a cryptographically secure RNG.
The verification code is used as the seed (mt_srand
) to generate the password. Since we are already given the password, we just need to find the seed that makes mt_rand
return this password.
And there’s a PHP mt_rand
cracker that can be found at openwall/php_mt_seed.
Solution
First, I registered for an account, and got this:
Success! Hello noob3, your password is: 992416798
You need to activate your account first. Check your email for activation/verification link.
The link might look something like: https://mountain.wargames.my/verify.php?username=henson&verify=1929258756
Then, I ran the cracker with my password:
$ ./php_mt_seed 992416798
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0x8c000000 - 0x8fffffff, speed 8699.3 Mseeds/s
seed = 0x8e119748 = 2383517512 (PHP 3.0.7 to 5.2.0)
seed = 0x8e119749 = 2383517513 (PHP 3.0.7 to 5.2.0)
Found 2, trying 0xfc000000 - 0xffffffff, speed 8289.9 Mseeds/s
Version: 5.2.1+
Found 2, trying 0xd4000000 - 0xd5ffffff, speed 80.7 Mseeds/s
seed = 0xd43450a0 = 3560198304 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xd43450a0 = 3560198304 (PHP 7.1.0+)
Found 4, trying 0xfe000000 - 0xffffffff, speed 80.0 Mseeds/s
Found 4
Then I verified my password at https://mountain.wargames.my/verify.php?username=noob3&verify=3560198304. And finally logged in to get flag.
Success! Logged in. Keep this somewhere safe.
wgmy{d22772b35b8e80088f41e8662cc3fc81}