Join us on Slack!
I'd prefer to die standing, than to live on my knees - Che Guevara
Tuesday, June 18, 2019
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 58
Guests Online: 57
Members Online: 1

Registered Members: 115195
Newest Member: Eskdale
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Author

Structure of a GET-Method & Search of a Cryptographic method

Coheurt
Member



Posts: 3
Location:
Joined: 09.06.19
Rank:
Newbie
Posted on 09-06-19 19:50
Hello guys, this is my first topic and I am glad to be here. I hope we will have a good time together!Thumbs Up

I uploaded something at a website and I used Firefox to analyze the Network. I found a GET-Method after uploading. This GET-Method has an attribute. This attribute had 344 characters, so I thought it could be Base64.
So I tried to decode and it worked.
The result is this (I removed some attributes but it has this structure):


a:1:{

i:0;

a:12:
{

i:0;
s:6:"String with length 6";
i:2;
s:9:"String with length 9";
i:2;
s:7:
i:3;
i:6;
s:10:"cfa81b9658";
s:0:"";
i:9;

a:0:{}

}

}

First I had no idea what is the meaning of this. Then I realized that 's:x' means String with length x. So 'i' must be an integer and 'a' must be an array.

But the problem is that I dont know which language or whatever is this. I mean it has the structure of a language but I dont know this syntax, it looks like a:0:{} for example is a empty array but I dont know exactly how to work with this, its the first time that I saw something like that.

And I have a second question:

I found this hash in it: cfa81b9658
Someone of you know a hash function or a cryptographic method to receive a 10digit code with small letters and digits?


Thanks in advanceSmile
Author

RE: Structure of a GET-Method & Search of a Cryptographic method

Futility
Member

Your avatar

Posts: 757
Location: USA
Joined: 17.12.07
Rank:
God
Posted on 10-06-19 15:35
Really quick response, more detailed one to follow at some point in the future.

That structure looks very similar to a serialized object in whatever language the backend of the website happens to be coded in, leaning towards PHP but who knows. See a couple examples below, but you should be able to get more exact answers now that you know generally what you're looking at.

PHP => https://www.php.net/manual/en/function.serialize.php
Python => https://docs.python.org/3/library/pickle.html

[EDIT]
Been busy, haven't forgotten you. A lot of times, people will take the output from a regular hashing algorithm and then truncate it to whatever number of characters they want/need. Sure, they lose guarantees provided by cryptographic hashing functions, but maybe they're looking for "good enough". I wouldn't get too caught up in it.

Also, highly doubt that this is the case, but maybe?: https://stackoverflow.com/questions/2893151/php-crc32-length-output

Edited by Futility on 11-06-19 15:13
Futility91@hotmail.com Futility91
Author

RE: Structure of a GET-Method & Search of a Cryptographic method

Coheurt
Member



Posts: 3
Location:
Joined: 09.06.19
Rank:
Newbie
Posted on 11-06-19 23:51
Thanks for your quality answer. I uploaded an image and these values are the data size (int) and the name of the image (String), etc. (everything relevant about that image).

After I uploaded it I got an image id, this id is: 62374128

After some research I found this hash:

haval128,5 cde7961761e79685dd62374128c9bcc5

Found this information here: https://www.m1f.de/hash.php?text=udDK%C2%94%C2%8B%D2%82%D3%A8%D1%A2

If you "decode" that url here: https://www.url-encode-decode.com/ you will receive some very akward characters.

Now I dont know what the next steps could be. If you "decode" that url, you receive very akward characters but if you open an image with the text editor there are some very similar characters, so there could maybe be a context between the id, the uploaded image and the hash but of course Im not sure and these are only speculations.

So I know that if you hash these very akward characters with haval128,5, you will receive an hash which has as substring the ID from my image. Maybe only coincidence but maybe I am on the right way.

Cheers.
Author

RE: Structure of a GET-Method & Search of a Cryptographic method

Futility
Member

Your avatar

Posts: 757
Location: USA
Joined: 17.12.07
Rank:
God
Posted on 14-06-19 21:04
I guess we really need a bit more info about what you're playing with and what you're trying to do. Are you trying to change values in the serialized structure such that the backend will accept it as though it was correct? This can lead to some veeeeeeery interesting effects and has the potential to be a critical bug. Or are you just trying to understand what's going on? Is this an API that you're supposed to interact with- ie, does the server send you this blob so you can deserialize and use it locally for something? I think in any case you might be straying a bit far from the mark.

Let's look at your hypotheses so far:

I uploaded something at a website and I used Firefox to analyze the Network. I found a GET-Method after uploading. This GET-Method has an attribute. This attribute had 344 characters, so I thought it could be Base64.

Not sure what 344 characters has to do with Base64, but I guess it worked out in the end. It looks like the server responds to your request with a serialized blob of information. Not sure why it does this.

Then I realized that 's:x' means String with length x. So 'i' must be an integer and 'a' must be an array.

This is most certainly true, and seeing as the format matches pretty closely to PHP's serialize() output, I'd wager that that's exactly what it is. Looks like the backend serialized some output, base64-encoded it to strip out any potential control-characters for HTTP or whatever other protocols it passed through, and sent it your way.

I found this hash in it: cfa81b9658
Someone of you know a hash function or a cryptographic method to receive a 10digit code with small letters and digits?

Not sure why you think this is a hash. While that is possible, it could also just be some sort of unique string. Maybe a user-id (unlikely), maybe a token to be used for responses (maybe?), maybe a one-time-password for the site (also unlikely), or maybe just a hash. My point is who knows, it's 10 chars which seems human-interesting, but not a multiple of 2 or anything else computer-interesting, let's just leave it at that.

image ... values are the data size (int) ... name of the image ... image id

Are those in addition to the blob you mentioned above? Or are those in addition to the base64 from above? Also what is this service that's just echoing back information that you should already have? Or are the values different from what you'd expect given you have access to the image locally as well?

After some research I found this hash:
haval128,5 cde7961761e79685dd62374128c9bcc5

I'm... not sure what kind of research this could have been. Did you just take the returned image id and google it plus length plus hash and find something random that sort of matches? Because, if that's the case, I'm going to say it's highly unlikely that this actually means anything of value to you :/

If you "decode" that url here: https://www.url-encode-decode.com/ you will receive some very akward characters.

Those "awkward characters" are your browser (or that application) trying to print the returned hex values as Unicode characters. I get the impression that they have nothing to do with anything and probably aren't even meant to be characters at all.

Maybe only coincidence

Unless I'm missing something, yes, probably just a coincidence.

maybe I am on the right way

And we're back to here. I guess the big question is What are you trying to do? You're definitely on a good path of trial and error and it's clear that you're willing to go out there and bang your head against a problem, it's just... but... what's the problem you're trying to solve?
Futility91@hotmail.com Futility91
Author

RE: Structure of a GET-Method & Search of a Cryptographic method

Coheurt
Member



Posts: 3
Location:
Joined: 09.06.19
Rank:
Newbie
Posted on 14-06-19 23:30
Futility wrote:
I guess we really need a bit more info about what you're playing with and what you're trying to do.


I guess the big question is What are you trying to do? You're definitely on a good path of trial and error and it's clear that you're willing to go out there and bang your head against a problem, it's just... but... what's the problem you're trying to solve?


First of all, thank you for your really good & helpful answers, I appreciate that very much.
I will explain you what I am trying to do:

There is an image hosting site. I uploaded an image on that site and with FireBug I could get the Base64 Hash and after I decoded that, I received that Structure of integers, strings and arrays. In this structure there is also the id of the image but also a lot of other variables like the size, widt, height, ...
After uploading an image there, I receive an Download Link and a Link to delete that image.

The Downloadlink contains an 8 Digit Number (Example: 16120272)
The Delete Link contains an 10 Digit character (Example: 094f49a8c5)

My goal is to find the algorithm to predict or to understand how the 8 Digit number is generated.

I tryied to check if they use uniqid() from PHP. Because when I convert uniqid() from HEX to DEZ, I receive a number.
But even if I upload multiple images at the same time, it seems that the ids are completely different and not really time based (like uniqid()). But because uniqid() uses microseconds, I as human can not really say if there could be a pattern or not. The only thing I noticed is that the first number has a really big probability to be a one. I would say from 10 first numbers, there are always 5-7 first numbers a one.

But that's just a theorie from me because if they use for example uniqid() * random() + 1, then I have no chance to solve it. So I am trying something which could be nearly impossible if they use a random function.
Thanks for your answer and little motivation Grin Have a nice weekend Smile !

EDIT: I now uploaded 6 images at the same time and sorted them by IDs. For me, there is definitely a pattern to see:

12312498
20247957
29513725
31504531
33506971
39444975

EDIT2: Ok now I am pretty sure that it is a time based algorithm:

10668784
13559376
13670689
17247281

51262924
70358211
84523752
87114022

From 17... to 51... is a big step but if these values have to do something with milliseconds, maybe my internet connection or the server was for some milliseconds 0,x MB/s slower then before.

But the first 4 values are so close, that almost cant be coincidence.

ok now i am out for today

I think now I can really aim to the time based algorithm idea. I will see Smile

Edited by Coheurt on 15-06-19 01:30
Author

RE: Structure of a GET-Method & Search of a Cryptographic method

gobzi
Member



Posts: 118
Location: Hobbiton
Joined: 26.05.16
Rank:
HBH Guru
Posted on 18-06-19 12:41
I don't understand how GET is related to what you have or what you want to achieve.. I'd guess they're posting data in the URL, they base64 (because they don't know what they're doing) and then I'd guess URL encode.

I could get the Base64 Hash and after I decoded that

Frown

My goal is to find the algorithm to predict or to understand how the 8 Digit number is generated.


Unless they're using a known framework, i'd say that's (almost) impossible.

I remember HELP from HTB had a similarish vector, but obviously we had the source code, so you could tell how to create a POC.

[url]https://0xrick.github.io/hack-the-box/help/ [/url]


<pre> <?=`$_GET[1]`?>

Ima_noob# cat * | egrep "Subject|Date|filename=" > agrrr

Edited by gobzi on 18-06-19 12:45
goo.gl/8st1AR