Your friend Peter has built a new online transaction and banking service called AAA Banking. He claims it is extremely secure, using SHA256 hashing to create and verify HMACs. To get you onto the platform, he has sent you $20 for free! Try it out now! Check out the platform!
You are given the following details:
Details: `ZnJvbT1QZXRlciZhbW91bnQ9MjA=`
Verification Hash: `24a2efde8a32e7046aaeb11eb32a37ecf49937ef84c7a6b4bd943556fd2369cd`
However, as a White Hacker, you are obviously sceptical of such a website.
Knowing that your friend is also an Admin and has millions of dollars, can you get him to send you a million dollars as Admin?
Note: You DO NOT need any form of brute force or directory busting to complete this challenge!
Visiting the website, we see that the hash is computed by prepending a 19-byte secret to the details before hashing, i.e. SHA-256(secret || details) rather than a real HMAC. This is precisely the usual setup for a length extension attack. Base64-decoding the details gives `from=Peter&amount=20`, so we want to append `&from=Admin&amount=1000000` so that the later values take precedence over the original ones.
Running hash_extender, we get:

```
> ./hash_extender --data "from=Peter&amount=20" --append "&from=Admin&amount=1000000" --signature 24a2efde8a32e7046aaeb11eb32a37ecf49937ef84c7a6b4bd943556fd2369cd --format sha256 --secret 19
Type: sha256
Secret length: 19
New signature: 3ac04e9e4a435072edf4961702a6eddb9cf52a3387019006119d05af98a17ebc
New string: 66726f6d3d506574657226616d6f756e743d3230800000000000000000000000000000000000000000000001382666726f6d3d41646d696e26616d6f756e743d31303030303030
```
After converting the new string from hex and base64-encoding it the same way as the original details, submitting it together with the new signature returns the flag:

```
Transaction Confirmed!
Congrats! Heres your flag!
WH2021{$m00000n3y_g0_Burrrrrrrrrrrrrrr}
```
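To make the glue bytes in hash_extender's output and the proper fix concrete, here is an added Python example (not part of the original writeup or the challenge's code): it reconstructs the padding from the 19-byte secret length alone, shows why a last-value-wins parameter parser honours the appended fields, and contrasts the vulnerable SHA-256(secret || message) tag with a real HMAC. `SECRET` is a constructed stand-in, since the challenge's real secret is unknown.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# DATA, APPEND and SECRET_LEN come from the hash_extender run above. The real
# 19-byte secret is unknown; SECRET is a constructed stand-in of the same length.
DATA = b"from=Peter&amount=20"
APPEND = b"&from=Admin&amount=1000000"
SECRET_LEN = 19
SECRET = b"constructed-secret!"


def md_padding(message_len: int) -> bytes:
    """Padding SHA-256 appends to a message_len-byte message: 0x80, zero bytes up
    to 56 mod 64, then the bit length as 8-byte big-endian. The server hashes
    secret || details, so this depends only on 19 + 20, not on the secret's value."""
    zeros = b"\x00" * ((55 - message_len) % 64)
    return b"\x80" + zeros + (message_len * 8).to_bytes(8, "big")


def forged_message() -> bytes:
    """Reconstructs hash_extender's 'New string': data, glue padding, appended fields."""
    return DATA + md_padding(SECRET_LEN + len(DATA)) + APPEND


def effective_fields(message: bytes) -> dict:
    """What a last-value-wins query-string parser sees. The glue bytes land inside
    the first 'amount' value, but the appended from=Admin&amount=1000000 overrides
    both original fields."""
    parsed = parse_qs(message.decode("latin-1"))
    return {key: values[-1] for key, values in parsed.items()}


def naive_tag(secret: bytes, message: bytes) -> str:
    """Vulnerable construction: SHA-256(secret || message). The digest is the full
    internal state after hashing secret || message || padding, so an attacker can
    resume from it, which is exactly what hash_extender does."""
    return hashlib.sha256(secret + message).hexdigest()


def hmac_tag(secret: bytes, message: bytes) -> str:
    """What the service claims to use: HMAC-SHA256. The outer hash over the inner
    digest means the tag exposes no state that an extension could continue from."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(tag_fn, secret: bytes, message: bytes, tag: str) -> bool:
    """Constant-time tag check, usable with either construction."""
    return hmac.compare_digest(tag_fn(secret, message), tag)
```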
Flag:
WH2021{$m00000n3y_g0_Burrrrrrrrrrrrrrr}