
vault-door-training [ Darija 🇲🇦 ]

The code I went through is an implementation of a Java program that checks the user's password and prints "access granted" if the password is correct.

The program keeps the password in the source code, and that stored value is what it uses to check whether the user entered the correct password.

Walkthrough:

1. User Input:

The program asks the user to enter a password. The password must be in the format: picoCTF{password}.

2. Extracting the Password:

The program strips picoCTF{ from the front and } from the end of the input, and what remains should be the actual password.

3. Password Check:

The program compares the password entered by the user with one hidden in the source code, which is "w4rm1ng_Up_w1tH_jAv4_3808d338b46".

4. Result:

If the user entered the correct password, the program prints "Access granted". Otherwise it prints "Access denied!".

Potential Issues:

The password kept in the source code is the security problem here, because anyone who obtains the source code can learn the password. One precaution you could take is to encrypt the password, or to use hashing techniques, to improve security.

Test:

If you want to test the program, enter picoCTF{w4rm1ng_Up_w1tH_jAv4_3808d338b46} at the prompt to see what it does.
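The four walkthrough steps, written out as a complete program together with the hashing precaution suggested under "Potential Issues". This is an added example, not the challenge's own VaultDoorTraining code; the class name VaultDoorCheck and the helper names are my own choices. The check works on a SHA-256 digest of the expected password and compares it with MessageDigest.isEqual, so the plaintext does not have to sit in the source and the comparison does not leak how many bytes matched.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;

// Added example (not the challenge's own code): the four walkthrough steps, with the
// stored secret kept as a SHA-256 digest instead of a plaintext string.
public class VaultDoorCheck {

    private static final String PREFIX = "picoCTF{";
    private static final String SUFFIX = "}";

    // Step 2: strip picoCTF{ ... } from the input. Returns null when the wrapper is
    // missing, instead of silently cutting characters off a badly formed input.
    static String extractPassword(String input) {
        if (input == null
                || input.length() < PREFIX.length() + SUFFIX.length()
                || !input.startsWith(PREFIX)
                || !input.endsWith(SUFFIX)) {
            return null;
        }
        return input.substring(PREFIX.length(), input.length() - SUFFIX.length());
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Step 3: hash the candidate and compare it with the stored digest. MessageDigest.isEqual
    // runs in constant time, so the comparison does not reveal how many leading bytes match.
    static boolean checkPassword(String candidate, byte[] storedHash) {
        if (candidate == null) {
            return false;
        }
        return MessageDigest.isEqual(sha256(candidate), storedHash);
    }

    public static void main(String[] args) {
        // Constructed for this example only: the digest is derived from the challenge
        // password here so the program runs stand-alone. In a real program the plaintext
        // never appears in the source; only the hex digest (produced offline, for example
        // with sha256sum) is stored and parsed back into bytes at startup.
        byte[] storedHash = sha256("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
        System.out.println("Stored digest (hex): " + toHex(storedHash));

        // Step 1: prompt for input.
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter vault password: ");
        String input = scanner.hasNextLine() ? scanner.nextLine().trim() : "";

        String candidate = extractPassword(input);
        if (candidate == null) {
            System.out.println("Access denied! (expected the form picoCTF{...})");
            return;
        }

        // Step 4: report the result without echoing the expected value.
        System.out.println(checkPassword(candidate, storedHash) ? "Access granted" : "Access denied!");
    }
}
```

Compile with `javac VaultDoorCheck.java` and run `java VaultDoorCheck`; entering picoCTF{w4rm1ng_Up_w1tH_jAv4_3808d338b46} prints "Access granted", any other wrapped value prints "Access denied!", and an input without the picoCTF{...} wrapper is rejected before any comparison takes place. Note that a plain SHA-256 digest only hides the value from a casual read of the source; for a low-entropy password it can still be brute-forced from the digest, which is why a slow, salted password hash (PBKDF2, bcrypt, Argon2) is the usual choice outside a CTF.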

[Screenshot: 2024-09-02_14-49]

There are many ways to modify the program, or to apply some technique to harden it or to make it harder to follow.

Examples:

1. Changing the password storage:

You can obscure the password kept in the source code so that it does not appear directly. Example: split it into bytes and then join them back together before comparing with the input.

public boolean checkPassword(String password) {
    char[] pass = { 'w', '4', 'r', 'm', '1', 'n', 'g', '_', 'U', 'p', '_', 'w', '1', 't', 'H', '_', 'j', 'A', 'v', '4', '_', '3', '8', '0', '8', 'd', '3', '3', '8', 'b', '4', '6' };
    return password.equals(new String(pass));
}

Encoding:

You can write the password in an encoded format such as Base64 and then decode it to check whether the input is correct.

import java.util.Base64;

public boolean checkPassword(String password) {
    String encodedPass = "dzRybTFuZ19VcF93MXRIX2pBdjRfMzgwOGQzMzhiNDY=";
    byte[] decodedBytes = Base64.getDecoder().decode(encodedPass);
    String decodedPass = new String(decodedBytes);
    return password.equals(decodedPass);
}

2. Adding a Fake Password:

Distracting attackers:

You can add a different password so that anyone who gets hold of the source code is misled, i.e. believes they have entered the correct password when they have not.

Example:

public boolean checkPassword(String password) {
    String fakePassword = "fakePassword";
    if (password.equals(fakePassword)) {
        System.out.println("Access denied! (Fake)");
        return false;
    }
    return password.equals("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
}

3. Changing the Access Logic:

Reversing the condition: if you want to throw someone off, you can twist the logic, for example by making it the wrong password that grants access.

Example:

public boolean checkPassword(String password) {
    return !password.equals("w4rm1ng_Up_w1tH_jAv4_3808d338b46");
}

This can be useful in a context where you want to protect the code from attackers.

4. Multiple Passwords:

Dynamic or Multiple Passwords: you can make the program work with several different passwords, or change the password every session or on a regular basis.

import java.util.Arrays;
import java.util.List;

public boolean checkPassword(String password) {
    // Every entry in this list is accepted; the list is still plaintext in the source.
    List<String> validPasswords = Arrays.asList("w4rm1ng_Up_w1tH_jAv4_3808d338b46", "an0ther_Val1d_Pass");
    return validPasswords.contains(password);
}

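The "multiple passwords" and "a new password per session" ideas above, as an added example that is not part of the original post or the challenge code: the long-lived passwords are held only as SHA-256 digests, the session password is drawn from SecureRandom and likewise kept only as a digest, and the check walks every stored digest without stopping at the first match. The class name VaultDoorSession and the method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Added example (not the challenge's own code): several accepted passwords plus one
// per-session password, all kept only as SHA-256 digests.
public class VaultDoorSession {

    private static final SecureRandom RNG = new SecureRandom();

    // Long-lived passwords as digests (in practice loaded from config, not built from plaintext).
    private final List<byte[]> longLivedHashes = new ArrayList<>();

    // Digest of the current session's one-time password; null when no session is active.
    private byte[] sessionHash;

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java runtime", e);
        }
    }

    void addLongLivedHash(byte[] digest) {
        longLivedHashes.add(digest);
    }

    // Starts a session: draws 192 random bits, keeps only the digest, and returns the
    // plaintext exactly once so it can be handed to the user out of band.
    String startSession() {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String password = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionHash = sha256(password);
        return password;
    }

    void endSession() {
        sessionHash = null;
    }

    // Checks every stored digest and does not stop at the first match, so the time taken
    // does not reveal which slot (if any) matched.
    boolean checkPassword(String candidate) {
        if (candidate == null) {
            return false;
        }
        byte[] digest = sha256(candidate);
        boolean ok = false;
        for (byte[] stored : longLivedHashes) {
            ok |= MessageDigest.isEqual(digest, stored);
        }
        if (sessionHash != null) {
            ok |= MessageDigest.isEqual(digest, sessionHash);
        }
        return ok;
    }

    public static void main(String[] args) {
        VaultDoorSession vault = new VaultDoorSession();
        // Constructed for the example: digests derived here from the two plaintexts the post
        // lists, so the program runs stand-alone. A real program would store only the digests.
        vault.addLongLivedHash(sha256("w4rm1ng_Up_w1tH_jAv4_3808d338b46"));
        vault.addLongLivedHash(sha256("an0ther_Val1d_Pass"));

        String sessionPassword = vault.startSession();
        System.out.println("Session password (hand to the user once): " + sessionPassword);

        System.out.println("long-lived #2     : " + vault.checkPassword("an0ther_Val1d_Pass"));
        System.out.println("session           : " + vault.checkPassword(sessionPassword));
        System.out.println("wrong             : " + vault.checkPassword("fakePassword"));

        vault.endSession();
        System.out.println("session after end : " + vault.checkPassword(sessionPassword));
    }
}
```

Running `java VaultDoorSession` shows the second long-lived password and the freshly issued session password being accepted, "fakePassword" being rejected, and the session password being rejected again once endSession() has cleared its digest. Because the check loops over every stored digest with MessageDigest.isEqual rather than returning early, the response time is the same whichever entry matched, which a plain List.contains comparison does not guarantee.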
This post is licensed under CC BY 4.0 by the author.