[/MNT/AIN LIB] [WEB] lost-pass

lost-pass
SRC: https://library.m0unt41n.ch/challenges/lost-pass

This challenge requires us to authenticate as admin to obtain the flag from the dashboard page. After skimming the code we see JWT session tokens, a registration function that is not visible in the frontend, and so on. This misled me into wasting quite some time verifying that they are not vulnerable. The error_log function is very interesting though: it has a time.sleep of 1 second in it and is overall really odd; it screams time-based attack.

Python:
import time

def error_log(username, password):
    # Only the admin path sleeps: a 1-second delay that the client can observe
    if username == "admin":
        f = open("error.log", "w")
        time.sleep(1)
        f.write(f"SOMEONE TRIED TO LOGIN AS ADMIN USING {password} !!!1!11!!")
        f.close()
    return False

This error_log function is used within the password verification function, which is again VERY odd: it checks the password char by char, and on the first mismatch it triggers the error_log function with its delay of 1 second.

Python:
def check_password(username, hashed_password, password):
    # hashed_password is a comma-separated list of per-character hashes
    hashed_password = hashed_password.split(",")

    for x in range(len(hashed_password)):
        try:
            # one character at a time; hash_char() is defined elsewhere in the challenge
            if hash_char(password[x]) != hashed_password[x]:
                return error_log(username, password)  # mismatch: 1-second delay
        except:
            return False  # IndexError when the supplied password is shorter: no delay
    return True

The trick lies within the try & except block: if we submit one char, like a, and it mismatches, it triggers the 1-second error_log function, but if that one char is correct it does not trigger the error and continues to the next char. Since we supplied only one char, we get an IndexError on the second char, resulting in the return False (we won't be logged in, but there also won't be a 1-second delay).

This allows us to brute-force the correct password char by char.
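To see the leak in isolation, and what the check should have looked like, here is an added example (my own code, not the challenge's): a mirror of the vulnerable check that reports whether the error_log delay path would have been taken, next to a fixed check that hashes the whole password and compares it in constant time. The hash_char stand-in (SHA-256 of a single character) is an assumption, since the challenge's own hash_char is not shown on this page.

```python
import hashlib
import hmac

# Assumption: the challenge's hash_char() is not on the page; this stand-in
# hashes one character with SHA-256, which is enough to reproduce the leak.
def hash_char(c):
    return hashlib.sha256(c.encode()).hexdigest()

def store_per_char(password):
    """Build the comma-separated per-character hash string the vulnerable check expects."""
    return ",".join(hash_char(c) for c in password)

def check_password_vulnerable(hashed_password, password):
    """Same logic as the challenge's check_password.
    Returns (result, delayed): delayed is True when the 1-second error_log path runs."""
    parts = hashed_password.split(",")
    for x in range(len(parts)):
        try:
            if hash_char(password[x]) != parts[x]:
                return False, True      # mismatch -> error_log() -> 1 s sleep
        except IndexError:
            return False, False         # guess shorter than stored -> silent False
    return True, False                  # note: extra trailing chars are never checked

def leaks_delay(stored, guess):
    """What a client can observe: did this guess cause the delay or not?"""
    _, delayed = check_password_vulnerable(stored, guess)
    return delayed

# Fixed version: hash the whole password, compare the full digest in constant time,
# and never branch or sleep on a partial match.
def store_whole(password):
    return hashlib.sha256(password.encode()).hexdigest()

def check_password_fixed(stored_hash, password):
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, candidate)

if __name__ == "__main__":
    stored = store_per_char("secret")   # constructed sample, not the challenge's password
    for guess in ("x", "s", "sx", "se"):
        print(f"{guess!r:6} delay={leaks_delay(stored, guess)}")
    print("fixed, exact match:", check_password_fixed(store_whole("secret"), "secret"))
    print("fixed, prefix only:", check_password_fixed(store_whole("secret"), "s"))
```

Run it and the vulnerable check gives away one bit per guess (delay or no delay) that depends only on whether the supplied prefix is correct, while the fixed check returns the same False for a one-char guess and a near-miss, with no per-character branching to time. The example also shows a second defect of the per-character design: a guess with extra trailing characters still passes, because the loop only runs over the stored hashes.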

[Screenshot attached: 1752525525055.png]
