The HackTheBox Grammar challenge is based on a MAC (Message Authentication Code) and on how PHP compares the MAC string, a behaviour known as type juggling.
When PHP compares a string loosely, it interprets it by its leading characters: if the string is numeric, that number is used; otherwise the value becomes 0.
https://www.php.net/manual/en/language.types.type-juggling.php
https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf

Let’s get to the walkthrough:

Once you run the instance, you will see only a “403 Forbidden” error.


So I thought I could run Dirb to check whether there are any pages that are not forbidden.

I ran Dirb with different wordlists but I found nothing.

So I opened BurpSuite and looked at the headers to see what information is being passed.

It’s a normal GET request. The cookie here didn’t give much information. I was stuck on it for a while.

I tried changing a lot of things before making the request a POST and accessing the /index.php page.

Once you make that request, it will show you the following outcome:

It says “not an admin (yet)”. With that little hint, I do not feel the field “fuckhtml” helps.

But there was a session token in the header which seemed interesting, and since it ends with %3D%3D (URL-encoded ==), I knew it was base64.

The next step is to decode it.

Once you decode it, you will find {"User":"whocares","Admin":"False","MAC":"ff6d0a568d61e5a03bcdb04509d5885d"}

So, as a human, I went straight ahead and changed the value of Admin to True. I thought this would get me the flag, but no!

In this level the real hindrance is the MAC value. I searched a lot about it and tried many integers as well as strings, but “0” does the job!


I created the session above, encoded it in base64, and passed it in the header.

In the end, I found out that this level is based on PHP type juggling, and well, it was a new learning!
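As an added example (not the challenge’s own source), here is a minimal PHP sketch of the loose MAC comparison beside a hardened one, showing why an integer 0 passes on PHP 7 and how to check the MAC properly. The secret key, the HMAC construction over User and Admin, and the function names are assumptions, not anything recovered from the challenge.

```php
<?php
// Added example, not the challenge's code. Assumption: the server recomputes an
// HMAC over the User and Admin fields with a secret key and compares it to MAC.
const SECRET = 'example-secret-key'; // hypothetical; never known to the client

function expected_mac(array $s): string {
    return hash_hmac('md5', $s['User'] . $s['Admin'], SECRET);
}

function decode_session(string $cookie): ?array {
    $s = json_decode(base64_decode(urldecode($cookie)), true);
    return is_array($s) ? $s : null;
}

// Vulnerable: loose comparison. On PHP 7 and earlier, int 0 == "ff6d..." is true,
// because a string that does not start with a digit is cast to 0. A JSON value
// of 0 (the integer, not the string "0") therefore passes. PHP 8 changed this
// rule, so the same comparison is false there.
function is_admin_loose(string $cookie): bool {
    $s = decode_session($cookie);
    if ($s === null) return false;
    return ($s['MAC'] ?? null) == expected_mac($s) && ($s['Admin'] ?? '') === 'True';
}

// Hardened: require a string and use a constant-time, type-safe comparison.
function is_admin_strict(string $cookie): bool {
    $s = decode_session($cookie);
    if ($s === null || !isset($s['MAC']) || !is_string($s['MAC'])) return false;
    return hash_equals(expected_mac($s), $s['MAC']) && ($s['Admin'] ?? '') === 'True';
}

// Constructed cookie: Admin flipped to True and MAC replaced by the integer 0.
$forged = urlencode(base64_encode('{"User":"whocares","Admin":"True","MAC":0}'));

var_dump(is_admin_loose($forged));  // bool(true) on PHP 7.x, bool(false) on PHP 8+
var_dump(is_admin_strict($forged)); // bool(false) on every version
```

The fix that matters is `hash_equals` together with the `is_string` check; a strict `===` alone also stops the integer 0 but still leaks timing.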

Find my HackTheBox Iknowmag1k walkthrough here: http://www.anonhack.in/2019/10/hackthebox-iknowmag1k-walkthrough/
