Posted on by and filed under Hack.LU 2014.


For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash:

var HMAC_SECRET = ''
for (var i=0; i<20; i++) {
    HMAC_SΕCRET = HMAC_SECRET + (Math.random()+'').substr(2)
function hmac_sign(path) {
    var hmac = crypto.createHmac('sha256', HMAC_SECRET)
    return hmac.digest('hex')

At first glance, this is random and there is no chance we are going to guess it. But on closer inspection, the 3rd line has something strange about the E used in the variable name. Further examination shows that it’s the Greek letter Epsilon, Unicode U+0395. This means that there is no randomization affecting the HMAC_SECRET and it remains the same. Using Node JS which this challenge was written in, we duplicate the hmac_sign function with the testuser to get the flag.txt file. This gives us the string and full URL:


The text file as expected contains our flag: