Thank God It’s Weekend! Let’s go shopping!

Source: https://drive.google.com/file/d/167se6uAZ48Bt5k34m37LOK1tD2wt3Tsb/view?usp=sharing

nc 13.251.110.215 10001

Let’s connect to the server and see what’s going on before we move on to the source code.

It greets us with a shop interface where we can buy phones; the flag is just one of the phones, and the most expensive one. With the second option we create an order, and we then submit that order to pay. An order consists of the phone name, its price, a timestamp, and a sign. To modify the order (for example, its price) we must be able to produce a valid sign, so let's look at the source code to see how the sign is computed.

First, the server gives us a random amount of money between 1000000 and 5000000, which is always less than the flag's price. Then it generates a random signkey consisting of lowercase letters and digits, with a length chosen randomly between 8 and 32. When creating an order, it first builds the part before &sign= and then computes the sha256 hash of that part with the signkey prepended, i.e. sign = sha256(signkey || data). The signkey is therefore just a secret prefix, and a secret-prefix hash like this is exactly the construction that a length extension attack breaks: given sha256(signkey || data) and the length of signkey || data, anyone can compute sha256(signkey || data || padding || suffix) for a suffix of their choosing, without ever learning the signkey.

The plan is to take the order for the flag, strip its sign, and append &price=1. This works because the server parses the order from left to right and, each time it sees price as a key, overwrites the price variable with that key's value, so the last price wins. The appended part still needs a valid sign, which is where the length extension attack comes in. The catch is that the glue padding between the original data and &price=1 depends on the total length of signkey || data, and we don't know the signkey's length precisely; it can be anything from 8 to 32. Since the connection also times out quickly, it makes sense to script the whole exchange and brute force the key length, trying each of the 25 candidates until the server accepts the sign.

Here is my python script for this task:

Still, the connection can time out before we reach the correct key length. If that happens, just run the script again.

Let’s run the script and get the flag.

Here is the flag: matesctf{e4sy_3xt3nti0n_4tt4cK_x0x0}.