CTF Challenge Write-Up: PW Crack for picoCTF
Hello everyone,
This Capture The Flag (CTF) challenge is quite simple and can be solved with basic programming skills. Let's jump right into it!
Challenge Overview
Hints
- Utilizing a for loop can speed up your operations significantly.
- You won't need to reverse-engineer the str_xor function for this challenge.
Solution
Following the hints, we can treat str_xor as a black box and leave it alone; all we need is the correct password. Here is the relevant part of the code that has been provided (the import and the str_xor definition are shown in the complete code further down):

```python
flag_enc = open('level4.flag.txt.enc', 'rb').read()
correct_pw_hash = open('level4.hash.bin', 'rb').read()

def hash_pw(pw_str):
    pw_bytes = bytearray()
    pw_bytes.extend(pw_str.encode())
    m = hashlib.md5()
    m.update(pw_bytes)
    return m.digest()

def level_4_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    user_pw_hash = hash_pw(user_pw)
    if user_pw_hash == correct_pw_hash:
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")

level_4_pw_check()

# The following strings are 100 potential passwords.
# Only one is correct.
pos_pw_list = ["8c86", "7692", "a519", "3e61", "7dd6", "8919", "aaea", "f34b", "d9a2",
               "39f7", "626b", "dc78", "2a98", "7a85", "cd15", "80fa", "8571", "2f8a",
               "2ca6", "7e6b", "9c52", "7423", "a42c", "7da0", "95ab", "7de8", "6537",
               "ba1e", "4fd4", "20a0", "8a28", "2801", "2c9a", "4eb1", "22a5", "c07b",
               "1f39", "72bd", "97e9", "affc", "4e41", "d039", "5d30", "d13f", "c264",
               "c8be", "2221", "37ea", "ca5f", "fa6b", "5ada", "607a", "e469", "5681",
               "e0a4", "60aa", "d8f8", "8f35", "9474", "be73", "ef80", "ea43", "9f9e",
               "77d7", "d766", "55a0", "dc2d", "a970", "df5d", "e747", "dc69", "cc89",
               "e59a", "4f68", "14ff", "7928", "36b9", "eac6", "5c87", "da48", "5c1d",
               "9f63", "8b30", "5534", "2434", "4a82", "d72c", "9b6b", "73c5", "1bcf",
               "c739", "6c31", "e138", "9e77", "ace1", "2ede", "32e0", "3694", "fc92",
               "a7e2"]
```
Essentially, this script reads the encrypted flag file (level4.flag.txt.enc) and the MD5 hash of the correct password (level4.hash.bin). It then prompts the user for a password, hashes it with the same hash_pw() function and compares the result with the stored hash. If they match, the script XORs the encrypted flag with the password and prints the result. Quite straightforward, right?
However, with 100 candidate passwords, typing each one in by hand would be a bit tedious :)
Let's replace level_4_pw_check() with a version that loops over pos_pw_list, hashes each candidate and compares it against correct_pw_hash. Whichever candidate matches is the password, and XORing the encrypted flag with it gives us the flag. Because the stored hash is an unsalted, single-round MD5, hashing all 100 candidates takes a few milliseconds; there is nothing slowing the guessing down.
```python
def level_4_pw_check():
    # Try every candidate; the one whose MD5 equals the stored hash is the password
    for pw in pos_pw_list:
        pw_hash = hash_pw(pw)
        if pw_hash == correct_pw_hash:
            decryption = str_xor(flag_enc.decode(), pw)
            print(decryption)
            return  # stop at the first (and only) match

level_4_pw_check()
```
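To make the attack reproducible without the challenge files, here is an added, self-contained version of the same technique (example code written for this write-up, not part of the picoCTF challenge source). It reuses the challenge's str_xor and hash_pw logic, but the encrypted flag, its password and the candidate list are constructed fixtures: a made-up flag encrypted under the made-up password "9e77". It also goes one step beyond the write-up: because the passwords are four lowercase hex characters, the whole keyspace is only 16**4 = 65536 strings, so the candidate list is not even needed to recover the password.

```python
import hashlib
import itertools
import string

# str_xor as given in the challenge: the key is repeated to the length of
# the secret and XORed character by character (XOR is its own inverse,
# so the same call both encrypts and decrypts).
def str_xor(secret, key):
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key += key[i]
        i = (i + 1) % len(key)
    return "".join(chr(ord(s) ^ ord(k)) for s, k in zip(secret, new_key))

def hash_pw(pw_str):
    # Unsalted, single-round MD5, exactly as in the challenge.
    return hashlib.md5(pw_str.encode()).digest()

# Constructed fixture (NOT the real challenge files): a made-up flag
# encrypted under a made-up 4-hex-character password, plus that
# password's MD5. Swap in the bytes of level4.flag.txt.enc and
# level4.hash.bin to run this against the real challenge.
DEMO_PASSWORD = "9e77"
DEMO_FLAG = "picoCTF{example_flag_not_the_real_one}"
FLAG_ENC = str_xor(DEMO_FLAG, DEMO_PASSWORD).encode()
CORRECT_PW_HASH = hash_pw(DEMO_PASSWORD)

# Constructed candidate list in the same format as the challenge's
# pos_pw_list (the real list has 100 entries).
POS_PW_LIST = ["8c86", "7692", "a519", "3e61", "9e77", "c739"]

def crack_from_list(candidates, target_hash):
    """Return the first candidate whose MD5 equals target_hash, else None."""
    for pw in candidates:
        if hash_pw(pw) == target_hash:
            return pw
    return None

def crack_full_keyspace(target_hash, length=4, alphabet=string.hexdigits[:16]):
    """Exhaust every string of `length` characters over `alphabet`.

    For 4 lowercase hex characters that is 16**4 = 65536 MD5 computations,
    which finishes well under a second, so a candidate list is optional.
    """
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        if hash_pw(pw) == target_hash:
            return pw
    return None

def recover_flag(flag_enc, target_hash, candidates=None):
    """Find the password (candidate list first, then full keyspace) and decrypt."""
    pw = crack_from_list(candidates or [], target_hash)
    if pw is None:
        pw = crack_full_keyspace(target_hash)
    if pw is None:
        return None
    return str_xor(flag_enc.decode(), pw)

if __name__ == "__main__":
    print(recover_flag(FLAG_ENC, CORRECT_PW_HASH, POS_PW_LIST))
```

The takeaway is that the security of the flag rests entirely on the password, and a 4-hex-character password hashed with plain MD5 is exhausted instantly; the candidate list just makes the challenge friendlier.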
Complete Code
```python
import hashlib

# This function will not help you find the flag --LT
def str_xor(secret, key):
    # Extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
        new_key += key[i]
        i = (i + 1) % len(key)
    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for secret_c, new_key_c in zip(secret, new_key)])

flag_enc = open('level4.flag.txt.enc', 'rb').read()
correct_pw_hash = open('level4.hash.bin', 'rb').read()

def hash_pw(pw_str):
    pw_bytes = bytearray()
    pw_bytes.extend(pw_str.encode())
    m = hashlib.md5()
    m.update(pw_bytes)
    return m.digest()

# The following strings are 100 potential passwords.
# Only one is correct.
pos_pw_list = ["8c86", "7692", "a519", "3e61", "7dd6", "8919", "aaea", "f34b", "d9a2",
               "39f7", "626b", "dc78", "2a98", "7a85", "cd15", "80fa", "8571", "2f8a",
               "2ca6", "7e6b", "9c52", "7423", "a42c", "7da0", "95ab", "7de8", "6537",
               "ba1e", "4fd4", "20a0", "8a28", "2801", "2c9a", "4eb1", "22a5", "c07b",
               "1f39", "72bd", "97e9", "affc", "4e41", "d039", "5d30", "d13f", "c264",
               "c8be", "2221", "37ea", "ca5f", "fa6b", "5ada", "607a", "e469", "5681",
               "e0a4", "60aa", "d8f8", "8f35", "9474", "be73", "ef80", "ea43", "9f9e",
               "77d7", "d766", "55a0", "dc2d", "a970", "df5d", "e747", "dc69", "cc89",
               "e59a", "4f68", "14ff", "7928", "36b9", "eac6", "5c87", "da48", "5c1d",
               "9f63", "8b30", "5534", "2434", "4a82", "d72c", "9b6b", "73c5", "1bcf",
               "c739", "6c31", "e138", "9e77", "ace1", "2ede", "32e0", "3694", "fc92",
               "a7e2"]

def level_4_pw_check():
    # Try every candidate; the one whose MD5 equals the stored hash is the password
    for pw in pos_pw_list:
        pw_hash = hash_pw(pw)
        if pw_hash == correct_pw_hash:
            decryption = str_xor(flag_enc.decode(), pw)
            print(decryption)
            return  # stop at the first (and only) match

level_4_pw_check()
```
And there you have it! The flag is: picoCTF{fl45h_5pr1ng1ng_d770d48c}
Did you find this write-up useful? If so, please give it a thumbs up and follow for more content! Feel free to ask any questions or suggest CTF challenges for future articles.
Happy hacking!