December 12, 2021

mountain (web)

We are given a website that implements basic login and register functionalities. I don’t have any screenshots, but this challenge is:

Register an account using an email with the domain @wargames.gov.my
Get a randomly generated password on the webpage
Get the verification code from the email to verify the account
After verifying the account, login to get flag

Since nobody would own a @wargames.gov.my email, there would be no real way to get the verification code via email. However, the challenge provides the code used to generate the password and verification code.

<?php
function genpassverify($length = 10) {
$verify_code = mt_rand(1000000000,9999999999);
mt_srand($verify_code);
$acc_passwd = mt_rand();
return $acc_passwd.':'.$verify_code;
}
?>

Here we see that the both the verification code and password are generated with the mt_rand function. Mersenne Twister is not a cryptographically secure RNG.

The verification code is used as the seed (mt_srand) to generate the password. Since we are already given the password, we just need to find the seed that makes mt_rand return this password.

And there’s a PHP mt_rand cracker that can be found at openwall/php_mt_seed.

Solution

First, I registered for an account, and got this:

Success! Hello noob3, your password is: 992416798
You need to activate your account first. Check your email for activation/verification link.

The link might look something like: https://mountain.wargames.my/verify.php?username=henson&verify=1929258756

Then, I ran the cracker with my password:

$ ./php_mt_seed 992416798
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0x8c000000 - 0x8fffffff, speed 8699.3 Mseeds/s
seed = 0x8e119748 = 2383517512 (PHP 3.0.7 to 5.2.0)
seed = 0x8e119749 = 2383517513 (PHP 3.0.7 to 5.2.0)
Found 2, trying 0xfc000000 - 0xffffffff, speed 8289.9 Mseeds/s
Version: 5.2.1+
Found 2, trying 0xd4000000 - 0xd5ffffff, speed 80.7 Mseeds/s
seed = 0xd43450a0 = 3560198304 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xd43450a0 = 3560198304 (PHP 7.1.0+)
Found 4, trying 0xfe000000 - 0xffffffff, speed 80.0 Mseeds/s
Found 4

Then I verified my password at https://mountain.wargames.my/verify.php?username=noob3&verify=3560198304. And finally logged in to get flag.

Success! Logged in. Keep this somewhere safe.
wgmy{d22772b35b8e80088f41e8662cc3fc81}