
I am trying to solve a challenge, and I suspect it has to do with PHP juggling, because I get this base64 encoded json cookie as a response {"User":"foo","MAC":"bar"}

BUG #2

The calculated MAC (i.e. the result of hash_hmac()) is a string containing hexadecimal characters

The use of a loose comparison means that if an integer was provided in the JSON payload, the HMAC string will be juggled to a number

I think that with a MAC, for instance "ff6d0...5885d", the PHP juggling will be compared to int(6) since it is the first numerical. My idea was to POST with the base64 encoded json: {"User":"Admin","MAC":6}

But this didn't work... does the juggling only work with MACs that start with a numerical?

Ludisposed

  • What have you tried to solve this? Did you read the [PHP documentation](http://php.net/language.operators.comparison)? Did you try to convert different strings to numbers using PHP and inspected the result? – Josef Jan 19 '18 at 11:58
  • Do you know what the HMAC should be? Is it in fact `ff6d0...5885d`? Not all values are equally easy to juggle, so it is important what the value is and if you can get the server to use different ones until you get one that is easy to juggle. – Anders Jan 19 '18 at 12:13
  • @Anders I cannot get the server to give a different one, as it is always the same – Ludisposed Jan 19 '18 at 12:14
  • You can not change any input to get a different one? Do you know what it is? – Anders Jan 19 '18 at 12:15
  • Could you add a link to the actual challenge? – Anders Jan 19 '18 at 12:24
  • @Anders it's https://www.hackthebox.eu/home/challenges/Web the name is 'Grammar'. – Philippe Delteil Oct 22 '18 at 01:29
  • 1
    @Ludisposed this question actually helped me solve the challenge. – Philippe Delteil Oct 22 '18 at 01:29

1 Answer


The algorithm PHP uses for coercing strings to integers is documented here. In particular:

The value is given by the initial portion of the string. If the string starts with valid numeric data, this will be the value used. Otherwise, the value will be 0 (zero).

Your supposition was that:

I think that with a MAC, for instance "ff6d0...5885d", the PHP juggling will be compared to int(6) since it is the first numerical

But the 6 does not appear at the beginning of that string, it appears only after the non-numeric sequence ff. So the value will be coerced to int(0).

If, however, we have a different hash, say "6ffd0...5885d", the 6 appears at the beginning of the string, so that string would be coerced to int(6).

As you surmised, this coercion can happen during comparison in certain circumstances, as described in the notes on comparison operators in the manual.

IMSoP