Recently Updated
Custom Authentication
Challenge I just learned about encryption and tried to write my own authentication system. Can you get in? Here is the source! And here is the site.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
var http = require('http');
var express = require('express');
var path = require('path');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var crypto = require('crypto');
var secrets = require('./secrets');
var app = express();
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
console.log("Starting server...");
var encrypt = function(data) {
var cipher = crypto.createCipheriv('aes-192-cbc', secrets.key, secrets.iv);
cipher.setAutoPadding(true);
var ctxt = cipher.update(data, 'ascii', 'hex');
ctxt += cipher.final('hex');
return ctxt;
};
var decrypt = function(data) {
var decipher = crypto.createDecipheriv('aes-192-cbc', secrets.key, secrets.iv);
decipher.setAutoPadding(true);
var ptxt = decipher.update(data, 'hex', 'ascii');
ptxt += decipher.final('ascii');
return ptxt;
};
app.get('/', function(req, res) {
if(req.cookies.auth) {
var auth = decrypt(req.cookies.auth).replace(/[^0-9a-zA-Z{}":, ]+/g, '');
auth = JSON.parse(auth);
res.render('index', {auth: auth, flag: secrets.flag});
}
else {
res.render('index', {auth: false, flag: secrets.flag});
}
});
app.post('/logout', function(req, res) {
res.append('Set-Cookie', 'auth=; Path=/; HttpOnly');
res.redirect('/');
});
app.post('/login', function(req, res) {
if(req.body.username && req.body.password) {
var admin = "false";
if(req.body.username===secrets.username && req.body.password===secrets.password)
admin = "true";
var auth = {username: req.body.username, password: req.body.password, admin: admin};
auth = encrypt(JSON.stringify(auth));
res.append('Set-Cookie', 'auth='+auth+'; Path=/; HttpOnly');
res.redirect('/');
}
});
// catch 404
app.use(function(req, res, next) {
var err = new Error('Not Found');
err.status = 404;
next(err);
});
// error handler
app.use(function(err, req, res, next) {
console.log(err);
res.status(err.status || 500);
res.render('error', {
status: err.status
});
});
var server = http.createServer(app).listen(3001, function(){
console.log("HTTP server listening on port 3001!");
});
Solution
I ran it locally which indicated missing ejs. I hoped they did not sanitize their inputs so I tried using usernames like <%= flag %> but they sanitized these heavily.
Next I spent a fair amount of time inspecting the encryption and decryption to see if I could get around solving it It is easy to feed the function bad data, so it parses extra variables into the data structure. Unfortunately admin: true is always at the end and cannot be overwritten.
Flag