Posted on by and filed under Hack.LU 2014.

hacklu2014-plainsight

For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash:

At first glance this is random and there is no chance we are going to guess it. On closer inspection, though, the third line has something strange about the E used in the variable name. Further examination shows that it is the Greek capital letter Epsilon, Unicode U+0395. Since JavaScript treats the name with the Greek Epsilon as a different identifier from HMAC_SECRET, the random value is assigned to the look-alike variable; there is no randomization affecting HMAC_SECRET and it remains the same. Using Node.js, which this challenge was written in, we duplicate the hmac_sign function with the testuser to get the flag.txt file. This gives us the string and full URL:

https://wildwildweb.fluxfingers.net:1409/files/testuser/flag.txt/4a332c7f27909f85a529393cea72301393f84cf5908aa2538137776f78624db4

The text file as expected contains our flag: