Home IceCTF-2016 Kitty
Writeup
Cancel

Kitty

Challenge

They managed to secure their website this time and moved the hashing to the server :(. We managed to leak this hash of the admin’s password though! c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a. Can you get the flag? kitty.vuln.icec.tf

Solution

We examine the source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<!doctype html>
<html>
<head>
    <meta charset="utf-8" />
    <title>Log In</title>
    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css" />
</head>
<body>
    <div class="container">
        <form method="post" action="login.php">
            <label for="username">Username: </label>
            <input class="u-full-width" type="text" name="username" placeholder="Username" required minlength="5" />
            <label for="password">Password: </label>
            <input id="password" class="u-full-width" type="password" name="password" placeholder="Password" required pattern="[A-Z][a-z][0-9][0-9][\?%$@#\^\*\(\)\[\];:]" />
            <input type="submit" value="Log In" />
        </form>
    </div>
</body>
</html>

and see that the password is 5 characters following very specific pattern, we can bruteforce this! It seems to refer to a previous challenge where they did SHA-256 hashing client side, so we assume that is what they use here too.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import hashlib
import string

target="c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a"

for i in string.uppercase:
    for j in string.lowercase:
        for k in string.digits:
            for l in string.digits:
                for m in list("\?%$@#^*()[];:"):
                    h = hashlib.sha256()
                    h.update(i+j+k+l+m)
                    if h.hexdigest() == target:
                        print i+j+k+l+m

This output password Vo83* and if we enter this on site with username admin, we are given our flag

Flag

IceCTF{i_guess_hashing_isnt_everything_in_this_world}