Rating: 4.0

We got a PHP app. By looking at the code (specifically the long entropy and the use of bcrypt), I knew the solution right away.
We can see that the password is hashed using bcrypt, and that the hash input is the concatenation of the username, the entropy and the password.
A few months ago, I read an article about a potential issue with bcrypt that was discovered in Okta (but is of course relevant to other applications too).
https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-97-bcrypt-hash-input-truncation-mobile-device-threat-modeling
Bcrypt only uses the first 72 bytes (72 characters, for ASCII input) of its input when computing the hash; anything after that is silently ignored.
As we said, the hash is derived from the username, entropy and password.
$hash = password_hash($usernameAdmin . $entropy . $passwordAdmin, PASSWORD_BCRYPT);
The username is Admin, which is 5 chars, and the entropy is 66 chars long, so together they take up 71 chars. The 72nd character is the first character of the password, and everything after it is ignored by bcrypt. So we only need to guess the first character of the password.
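To make the truncation concrete, here is an added PHP example (not the challenge's own code) that reproduces the vulnerable construction with a constructed 66-byte stand-in for the entropy and a constructed password, shows that a guess sharing only the first password byte verifies, and contrasts it with a construction that keeps the whole password inside bcrypt's 72-byte window.

```php
<?php
// Added example (not the CTF's code): what bcrypt actually sees from the
// concatenated input above, and a construction that avoids the problem.
// bcrypt keeps at most 72 bytes of its input; the rest is silently dropped.
const BCRYPT_MAX_INPUT = 72;

// Constructed values: the real entropy is not reproduced, only its length matters.
$usernameAdmin = 'Admin';                      // 5 bytes
$entropy       = str_repeat('E', 66);          // 66 bytes, stand-in for the secret entropy
$passwordAdmin = 'S3cret-long-admin-password'; // constructed

// Vulnerable construction from the writeup: username . entropy . password.
$hash = password_hash($usernameAdmin . $entropy . $passwordAdmin, PASSWORD_BCRYPT);

// How many password bytes fall inside the 72-byte window? 72 - 71 = 1.
$prefixLen = strlen($usernameAdmin . $entropy);
printf("password bytes that influence the hash: %d\n", max(0, BCRYPT_MAX_INPUT - $prefixLen));

// Any candidate that shares that single byte verifies successfully.
$guess = 'S' . 'nothing-after-this-matters';
var_dump(password_verify($usernameAdmin . $entropy . $guess, $hash)); // bool(true)

// Hardened: bind the entropy with a fixed-length HMAC (64 hex chars, under 72 bytes),
// hash only that with bcrypt, and compare the username separately.
$bound    = hash_hmac('sha256', $passwordAdmin, $entropy);
$safeHash = password_hash($bound, PASSWORD_BCRYPT);

$guessBound = hash_hmac('sha256', $guess, $entropy);
var_dump(password_verify($guessBound, $safeHash)); // bool(false): full password now matters
var_dump(hash_equals('Admin', $usernameAdmin));    // bool(true): username checked on its own
```

The HMAC output is hex rather than raw bytes on purpose: raw digests can contain a null byte, which would itself truncate the bcrypt input.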

Original writeup (https://www.thesecuritywind.com/post/1753ctf-2025#viewer-s7zqn46508).