[Challenge] Can you find the bug?

chunky · 02-26-2018, 08:57 PM

Hello folks!
So a friend just sent me that piece of code with the explanation "The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.". There is an important bug in it that's making the whole request source verification useless.
Let's see if anybody is able to find it Wink

Code:
<?php

if(empty($_POST['hmac'])) || empty($_POST['host']))

{

 header('HTTP/1.0 400 Bad Request');

}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))

 $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if($hmac !== $_POST['hmac'])

{

 header('HTTP/1.0 403 Forbidden');

 exit;

}

echo exec("host ".$_POST['host']);

?>

Pikami · 02-26-2018, 09:16 PM

Holy shit this was hard...
I tried a couple of things and than remembered another cool thing and solved it.
I know the answer but I don't want to spoil it for anyone else so I wont post the solution here, but if someone wants the solution you can PM me.

chunky · 02-26-2018, 11:03 PM

I thought the exec would be the dangerous part in the beginning but then I noticed you can just use a small trick to set the secret to something predictable haha but yea it was definitely harder then the average challenges because I didn’t expect the issue to be where it actually is.

ryzen · 09-29-2018, 08:49 PM

Got it almost immidately after your hint. This might be a good ctf question.

sunjester · 12-02-2018, 06:45 PM

The only error was the parenthesis at the top, the rest, im not quite sure what your wanting lol, its just a post request to find the IP of a domain

daizu · 02-12-2019, 04:08 PM

Easy i know the bug after reading the comments

AustinBoot · 02-12-2019, 04:20 PM

(02-12-2019, 04:08 PM)daizu Wrote: Easy i know the bug after reading the comments

This is from 2 months ago, just to let you know Wink

.