daffainfo
/
ctf-writeup
mirror of https://github.com/daffainfo/ctf-writeup.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ctf-writeup/RITSEC CTF 2023/Guess the Password
History
daffainfo 9325852d3a feat: added TSG CTF 2023 2023-11-05 15:59:14 +07:00
..
images feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00
README.md feat: added TSG CTF 2023 2023-11-05 15:59:14 +07:00
encoding.py feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00
server.py feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00
supersecret.json feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00

README.md

Guess the Password?

We found a VIP's box, but when we try to guess his short password, we get rate limited! We managed to get the source code and it looks like the server implements its security in a way that isn't secure! Can you reverse the python code and get the flag?

About the Challenge

We were given a server to connect and there are 3 files:

  • encoding.py (You can download the file here)
  • server.py (You can download the file here)
  • supersecret.json (You can download the file here)

So, we need to the passcode to obtain the flag

preview

If we check in the server.py there is a function called chatter() and here is the code

client_socket.send( "Enter the passcode to access the secret: \n".encode() )
user_input = client_socket.recv(1024).decode() [:8]

if len(user_input) == 8 and self.encoder.check_input(user_input):
    secret = self.encoder.flag_from_pwd(user_input)
    response = f"RS{ {secret} }\n"

else:
    response = "That password isn't right!\n\tHint: The last 8 digits of your phone number\n"

We need to input a passcode that have 8 characters and then if we check check_input() and hash() function in encoding.py file

def hash(self, user_input):
    salt = "RITSEC_Salt"
    return hashlib.sha256(salt.encode() + user_input.encode()).hexdigest()

def check_input(self, user_input):
    hashed_user_input = self.hash(user_input)
    # print("{0} vs {1}".format(hashed_user_input, self.hashed_key))
    return hashed_user_input == self.hashed_key

The SHA256 hash of the salt plus our input must match 657fa7558ae9011e8b9d3f56d5c083273557c3139f27d7b62cac458eb1a1a19d (You can check this in supersecret.json file).

How to Solve?

So, I've created a python script like this

import hashlib
import itertools

salt = "RITSEC_Salt"
target_hash = "657fa7558ae9011e8b9d3f56d5c083273557c3139f27d7b62cac458eb1a1a19d"
alphabet = '1234567890'

for combination in itertools.product(alphabet, repeat=8):
    test = bytes(''.join(combination), 'utf-8')
    sha = hashlib.sha256(salt.encode() + test).hexdigest()

    if sha == target_hash:
        print(f"Found: {test}")
        break

The code will bruteforce the passcode and hash each combination with the salt and then check if the sha variables match with the target_hash

Found: b'54744973'

And then enter the passcode in the challenge server to obtain the flag

flag

RS{'PyCr@ckd'}