How I hacked my first Twitter web challenge
It was Saturday morning when I checked Twitter on my phone and saw the following tweet.
I was immediately curious to see what this challenge would look like and read through the code and the rules on my phone. I was hooked and wanted to solve it. See the following copy of the code and the rules in case the challenge is no longer available in the future.
When I read through the rules, I knew there had to be a bug in the code that could be exploited.
I jumped to my laptop and set up a local test environment. Unfortunately, I was too lazy and didn't set up a proper Apache (I'll explain why this is unfortunate later). I just ran the script with the following command php -S localhost:8080 index.php and added some debug messages.
After reading the PHP documentation on session management and playing around with my local setup, I found that I can make session_start() fail.
Regarding this I found the following statement:
Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range a-z A-Z 0-9 , (comma) and - (minus)!
See what happens when I run the following command
The stop() logging means session_write_close() has been called, so there should be a valid session with the PHPSESSID=5c86rlp5vt7f7cm3lttdqajqr3 and {"authenticated": true}.
Let's try it 👨‍💻
So I was able to manipulate the session. But it still seemed difficult to set all three required session variables correctly 🤔.
After playing around on my local system for a while, I tried running my command on the challenge server.
Damn… there is a difference! 🤯 On my local setup, I only got one PHP session ID. On the challenge server, there are several!
Always try to replicate the target configuration as closely as possible!
— Note to myself
Ok, from then on the way was clear. I had to find the right session ID to override $_SESSION['user'].
Comparing the output of my local setup (see above) with the output of the challenge server, I knew it had to be the first or second session ID.
I tried the first one and boom… It worked! 💥
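The defensive side of the same finding, as an added example that is not the challenge's code: a session bootstrap that refuses cookie values the file handler cannot store and treats a failed session_start() as an error instead of carrying on with an unexpected $_SESSION. The helper names and the 22-256 length bound are my own assumptions.

```php
<?php
// Added example (not the challenge's code): hardened session bootstrap.
declare(strict_types=1);

// Only accept IDs the file handler can actually store (PHP manual:
// a-z A-Z 0-9 , and -). The length bound is an assumption that mirrors
// the range PHP allows for session.sid_length.
function isValidSessionId(string $id): bool
{
    return preg_match('/\A[a-zA-Z0-9,-]{22,256}\z/', $id) === 1;
}

function startSessionStrict(): void
{
    // Reject IDs the server never issued, so a client cannot make us adopt one.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // $_COOKIE holds a single value per name; if the client sent several
    // PHPSESSID cookies, this is the one session_start() will see.
    $cookieId = $_COOKIE[session_name()] ?? null;
    if ($cookieId !== null && !isValidSessionId($cookieId)) {
        // Drop the malformed cookie so PHP issues a fresh, empty session
        // instead of session_start() failing with a warning.
        unset($_COOKIE[session_name()]);
        error_log('rejected malformed session id from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    }

    // session_start() returns false on failure; never continue without a session.
    if (!session_start()) {
        http_response_code(500);
        exit('session unavailable');
    }
}

startSessionStrict();
// Authorization decisions below this point rely on a session PHP created itself.
$authenticated = $_SESSION['authenticated'] ?? false;
```

Because `unset($_COOKIE[...])` runs before session_start(), PHP treats the request as having no session cookie and generates a new ID rather than reusing the attacker-supplied one.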
Thanks @Blaklis_ for creating this great web challenge! It was a pleasure to solve it.