Gokul Krishna P

PHPNote - Abusing JavaScript interpreter in Windows defender

This challenge had a login with three parameters: first name, last name and nickname. Logging in with any parameter values gets you to a panel with an option to post whatever content you want.

While doing basic recon with my teammate Kanak, we had the following in hand: 1) the application was built with PHP 7+ on an IIS web server, and 2) the cookie was serialized and contained a key, isadmin.

From 1, we were already arguing about abusing Windows Defender, following the latest research from Icchy, because PHP+IIS doesn’t look like an ordinary setup at all. And 2 made it straightforward that we had to get isadmin set to 1.

From the source, it was evident that we had to get an admin cookie signed and then call getflag.

Breaking this down into parts, from the research and blog post by TokyoWesterns, we had to obtain the HMAC secret key, which was stored in the session, in order to sign the admin cookie.

Now it was time to trigger the bug, and at first we were not sure how to tell whether it had fired. While trying the EICAR example already provided in the TokyoWesterns blog, we were unable to log in to the application: our session file had been deleted by Windows Defender, which prevented the login.

The next question was how to turn that into an oracle and start leaking the session. We had to leak the session for a given nickname, since the secret is constant for a given nickname, and with that secret we could sign the cookie with HMAC.
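To make concrete why the whole challenge reduces to obtaining the per-session secret, here is an added illustration of an HMAC-signed cookie of the kind described above. This is example code written for this writeup, not the challenge's source: the real application used PHP serialize() and its own secret derivation, neither of which is reproduced here (JSON is used for the body, and the secret value is constructed). It shows that flipping isadmin without the secret is rejected by a constant-time tag check, and that the signature offers no protection once the secret is known.

```python
import base64
import hashlib
import hmac
import json


def _encode_body(payload: dict) -> str:
    """Serialize the cookie payload deterministically (stand-in for PHP serialize())."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Return '<base64 body>.<hex HMAC-SHA256 tag>' for the given payload."""
    body = _encode_body(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes):
    """Return the payload if the tag is valid for this secret, else None.

    hmac.compare_digest is the constant-time comparison the server side must use
    (the PHP equivalent is hash_equals) so the tag cannot be guessed byte by byte.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def tamper_cookie(cookie: str, **changes) -> str:
    """Rewrite fields in the body but keep the old tag: models a client without the secret."""
    body, tag = cookie.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload.update(changes)
    return f"{_encode_body(payload)}.{tag}"


# Constructed sample values; the real app's secret lived in the session file on disk.
SECRET = b"constructed-per-session-secret"
USER = {"fname": "Gokul", "lname": "Krishna", "nickname": "gk", "isadmin": 0}


def demo() -> dict:
    """Exercise the three cases the writeup cares about and return the outcomes."""
    honest = sign_cookie(USER, SECRET)
    tampered = tamper_cookie(honest, isadmin=1)          # no secret: tag no longer matches
    forged = sign_cookie({**USER, "isadmin": 1}, SECRET)  # secret known: valid admin cookie
    return {
        "honest_ok": verify_cookie(honest, SECRET) == USER,
        "tamper_rejected": verify_cookie(tampered, SECRET) is None,
        "forged_isadmin": verify_cookie(forged, SECRET)["isadmin"],
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the defender is that the signature only protects isadmin as long as the secret stays confidential; a secret kept in a file that a scanner can read and delete, as the session file was here, is exactly what this challenge turns into an oracle.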