Write-up for BackdoorCTF2023 Web challenge - Too Many Admins
web/too-many-admins
A challenge where you enter the correct username and password to get the flag.
The source code is provided.
We can see from the code below that the server does not hash the submitted password directly: it casts it to an integer, multiplies it by 2*2*13*13 and stores the MD5 of that product in $mysupersecurehash.
The value that $mysupersecurehash is compared against is also visible in the source!
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) || empty($password)) {
        echo "Please fill in both fields.";
    } else {
        // username is interpolated straight into the query
        $query = "SELECT username, password, bio FROM users WHERE username = '$username' ";
        $result = $conn->query($query);
        // the check value: MD5 of 676 * (int)$password
        $mysupersecurehash = md5(2*2*13*13*((int)$password));
        $i = 0;
        while ($row = mysqli_fetch_row($result)) {
            // loose == comparisons; the unquoted 0e0776... literal is the float 0.0
            if ((int)$row[1] == $mysupersecurehash && $mysupersecurehash == 0e0776470569150041331763470558650263116470594705) {
                echo "<h1>You win</h1> \n";
                echo "Did you really? \n";
                echo "<tr><td>".$i." </td><td> ".$row[0]." </td><td> ".$row[1]." </td><td> ".$row[2]." </td></tr>";
                $i++;
            } else {
                echo "<h1>Wrong password</h1>";
            }
        }
    }
}
Because the password is cast to an integer, we can brute-force it, applying the same formula to each candidate to compute its hash. The comparison uses PHP's loose == against the unquoted literal 0e0776..., which PHP reads as the float 0.0, so the check passes for any candidate whose MD5 digest has the form 0e followed only by decimal digits.
-- Insert 500 random values into the 'users' table
DELIMITER //
CREATE PROCEDURE GenerateRandomUsers()
BEGIN
    DECLARE i INT DEFAULT 0;
    WHILE i < 500 DO
        IF i = {SOME_NUMBER} THEN
            INSERT INTO users (username, password, bio)
            VALUES (CONCAT('admin', i), 'REDACTED', 'Flag{REDACTED}');
        ELSE
            INSERT INTO users (username, password, bio)
            VALUES (CONCAT('admin', i), MD5(CONCAT('admin', i, RAND())), CONCAT('Bio for admin', i));
        END IF;
        SET i = i + 1;
    END WHILE;
END //
DELIMITER ;
-- Call the procedure to generate random users
CALL GenerateRandomUsers();
For this, I brute-forced it using ffuf to find the correct combination.
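The type juggling that makes this brute force work, as an added example that is not part of the write-up or of the challenge's code: it re-implements the password-to-hash formula from the PHP source above and emulates the two loose == comparisons in Python, so you can check that any digest of the form 0e<digits> passes, with a hash_equals-style strict comparison beside it for contrast. The (int) cast and numeric-string rules are my approximation of PHP 7/8 semantics; the sample digests in the comments are well-known MD5 magic hashes.

```python
import hashlib
import hmac
import math
import re

# PHP compares a number with a "numeric string" numerically. A digest such as
# "0e4620974..." is numeric (0 x 10^N), so under == it equals 0, and the unquoted
# literal 0e0776... in the challenge source is itself the float 0.0.
_NUM = r"\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?"
_PHP_NUMERIC = re.compile(_NUM + r"\s*$")   # the whole string is numeric
_PHP_NUMERIC_PREFIX = re.compile(_NUM)       # leading numeric part, as used by (int)


def challenge_hash(password: str) -> str:
    """Server-side value from the source: md5(2*2*13*13*(int)$password), digit-only input."""
    return hashlib.md5(str(2 * 2 * 13 * 13 * int(password)).encode()).hexdigest()


def php_int_cast(s: str) -> int:
    """Approximates PHP (int)$s: value of the leading numeric part, 0 if none or infinite."""
    m = _PHP_NUMERIC_PREFIX.match(s)
    if not m:
        return 0
    v = float(m.group())
    return int(v) if math.isfinite(v) else 0


def is_magic_hash(digest: str) -> bool:
    """True when PHP's == treats the digest as 0, e.g. "0e462097431906509019562988736854"."""
    return _PHP_NUMERIC.match(digest) is not None and float(digest) == 0.0


def vulnerable_compare(stored_hash: str, computed_hash: str) -> bool:
    """Emulates `(int)$row[1] == $h && $h == 0e0776...` from the challenge, with loose ==."""
    if not is_magic_hash(computed_hash):   # right operand is 0.0, so $h must be zero-valued
        return False
    # $h is a numeric string, so the int/string comparison is numeric: (int)$row[1] == 0.0
    return php_int_cast(stored_hash) == 0


def hardened_compare(stored_hash: str, computed_hash: str) -> bool:
    """What hash_equals($row[1], $h) (or ===) does: byte-for-byte, constant time, no juggling."""
    return hmac.compare_digest(stored_hash.encode(), computed_hash.encode())
```

With two different magic hashes, vulnerable_compare returns True while hardened_compare returns False; the fix on the PHP side is hash_equals() or ===, and a real password hash (password_hash/password_verify) instead of MD5 of an integer.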