Klumpet? Dumped it

Post by Turn on Wed May 20, 2015 10:33 am

Klumpet is an upcoming business that wishes to handle transactions in a secure and efficient manner. Think of Klumpet as the new PayPal! However, Klumpet is a very new business, and has tight deadlines to conform to. Because of this, security has not been at the top of their list. Recently the database suffered a breach via a transaction handling script. This allowed the malicious hacker to perform SQLi attacks and in turn dump the contents of anything in the database. Klumpet has decided to take action and patch their script. In addition to this, they decided to implement more security with their hashed passwords in the user table. Originally Klumpet debated whether or not to use salts to increase their security; however, they decided that it was not as great because they had to store the salt with the hashed password. They decided to do something new.

Code:
<?php
$user = $_POST['user'];
$pass = $_POST['password'];
$email = $_POST['email'];

$client = new mysqli('localhost', 'dbGuest', 'tempPa$$', 'usersDB');
if ($client->connect_error) {
  die('Connection Failed: ' . $client->connect_error);
}


$subs = array( '0' => 'b', '1' => '5', '2' => '7',
              '3' => '2', '4' => 'c', '5' => '4',
              '6' => '0', '7' => 'e', '8' => '1',
              '9' => '8', 'a' => 'a', 'b' => '6',
              'c' => 'f', 'd' => '9', 'e' => 'd',
              'f' => '3'
            );

$hashed_pword = md5($pass);

$hashed_chars = str_split($hashed_pword);

$hashed_subed = '';

foreach($hashed_chars as $h_c) {
  $hashed_subed .= $subs[$h_c];
}

$query = <<<SQL
  INSERT INTO `users` (username, password, email)
    VALUES ('$user', '$hashed_subed', '$email');
SQL;

if($client->query($query) == TRUE) {
    echo 'Account added.';
}
else {
  echo 'Error Encountered: ' . $client->error;
}
$client->close();
?>


Your job is to explain to the Klumpet developers why this code does not help password integrity in the occurrence of another breach.
Last edited by Turn on Wed May 20, 2015 11:56 pm, edited 1 time in total.
Social Engineering:
<cen> .lua print ('Tsyn 9.47.-u 3 12 5')
* slickery has quit (User has been banned from HackThisSite (Attempting to use a SpyBot))
* cen has quit (User has been banned from HackThisSite (Attempting to use a SpyBot))
Turn
Poster
Posts: 120
Joined: Tue Feb 17, 2015 5:42 am


Re: Klumpet? Dumped it

Post by Randoph on Wed May 20, 2015 12:41 pm

Well I have no idea how to post the answer so I'm gonna do it like this

Code:
Spoilers below

I'm assuming MD5 is not safe because it is so fast that even with a single GPU you can try billions of passwords a second. I have no idea if this is why it is not secure, but wanted to give it a shot anyway.

This may be the time to ask the staff for spoiler BBcode?
A little rebellion now and then ... is a medicine necessary for the sound health of government.
-Thomas Jefferson
Randoph
Poster
Posts: 127
Joined: Fri Aug 08, 2014 2:48 pm


Re: Klumpet? Dumped it

Post by Turn on Wed May 20, 2015 5:16 pm

Good try, however that was not the answer I was looking for. Take a look at the code again. I'm more curious about an answer explaining why what has been done is no better than the use of regular MD5.


Re: Klumpet? Dumped it

Post by Goatboy on Wed May 20, 2015 9:26 pm

You mean aside from the fact that $plain_text_pword doesn't seem to be assigned anywhere?
Assume that everything I say is or could be a lie.
Goatboy
Expert
Posts: 2864
Joined: Mon Jul 07, 2008 9:35 pm


Re: Klumpet? Dumped it

Post by Turn on Wed May 20, 2015 11:57 pm

Goatboy wrote: You mean aside from the fact that $plain_text_pword doesn't seem to be assigned anywhere?


Damn, I messed up. That was supposed to be assigned as $pass. The code is updated, thanks.


Re: Klumpet? Dumped it

Post by -Ninjex- on Thu Oct 01, 2015 9:07 am

This is a simple substitution cipher. You hash the password, and then run it through a substitution cipher. Given that, if an attacker found an SQLi vulnerability, they could create false accounts with password samples, convert them to md5, and use this to help break the substitution cipher. After the substitution cipher is broken, the information in the database can be converted to plain text and stolen like normal, thus making it security through obscurity (which we know is insecure).
For those that know
K: 0x2CD8D4F9
-Ninjex-
Moderator
Posts: 1691
Joined: Sun Sep 02, 2012 8:02 pm
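
Added example (not part of the thread, and in Python rather than the challenge's PHP): the answer above checked in code, showing that the table is a fixed permutation of the hex digits, so the stored column reduces to plain, unsalted MD5. The function names and the sample passwords are constructed for this illustration.

```python
import hashlib

# Substitution table copied from the registration script in the first post.
SUBS = dict(zip("0123456789abcdef", "b572c40e18a6f9d3"))

def klumpet_store(password: str) -> str:
    """Value the script writes to users.password: MD5 hex, then per-digit substitution."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return "".join(SUBS[c] for c in digest)

def recover_table(known_pairs):
    """Rebuild the table from (password, stored value) rows alone, without the source."""
    table = {}
    for password, stored in known_pairs:
        digest = hashlib.md5(password.encode()).hexdigest()
        for plain_digit, stored_digit in zip(digest, stored):
            # A fixed per-digit mapping has to agree across every row.
            if table.setdefault(plain_digit, stored_digit) != stored_digit:
                raise ValueError("not a fixed per-digit substitution")
    return table

def undo(stored: str, table: dict) -> str:
    """Map a stored value back to the plain MD5 hex digest."""
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse[c] for c in stored)

# Constructed sample rows: accounts whose passwords are known to the tester.
SAMPLE_ROWS = [(p, klumpet_store(p)) for p in (f"test-account-{i}" for i in range(10))]

def demo():
    table = recover_table(SAMPLE_ROWS)
    other_row = klumpet_store("letmein")  # constructed row, treated as unknown
    return {
        "digits_recovered": len(table),
        "table_matches_source": table == SUBS,
        "row_is_plain_md5": undo(other_row, table) == hashlib.md5(b"letmein").hexdigest(),
        # No salt: identical passwords always produce identical rows.
        "same_password_same_row": klumpet_store("letmein") == other_row,
    }

if __name__ == "__main__":
    print(demo())
```

Because every row maps back to an ordinary MD5 digest, the scheme inherits all of unsalted MD5's weaknesses; a per-user salted, deliberately slow hash such as PHP's built-in password_hash() with password_verify() is the usual replacement.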