MQCyberSec

MQCyberSec Logo

MQCyberSec
Back to Writeups

PW Crack 4

by sclux7
PicoCTF icon PicoCTF general skill
medium
PW Crack 4

Description

Can you crack the password to get the flag?
Download the password checker here and you'll need the encrypted flag and the hash in the same directory too.
There are 100 potential passwords with only 1 being correct. You can find these by examining the password checker script.

Understanding the challenge

This is the fourth installment in the PW Crack series. I highly recommend completing the other ones from the start as they teach you different and important skills in each one, however only the fourth one was chosen to be demo’d in Hack Hub. But do what you will I am merely a voice inside your head as you are reading this text. With all that out of the way, let’s get cracking! After using wget on all three files and ensuring they are all in the same directory, we can then cat level4.py and start reading how the program works.

def level_4_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    user_pw_hash = hash_pw(user_pw)

    if( user_pw_hash == correct_pw_hash ):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")                      

level_4_pw_check()

# The strings below are 100 possibilities for the correct password.
#   (Only 1 is correct)
pos_pw_list = ["158f", "1655", "d21e", "4966", "ed69", "1010", "dded", "844c", ...]

Method

This part of the program is especially interesting, as we can instead make it use the correct password, print it and then the flag. We change the above to the following:

def level_4_pw_check():

pos_pw_list = ["158f", "1655", "d21e", "4966", "ed69", "1010", "dded", "844c", "40ab", "a948", "156c", "ab7f", "4a5f", >

for i in pos_pw_list:

     user_pw_hash = hash_pw(i)

     if( user_pw_hash == correct_pw_hash ):

         print("Welcome back... your flag, user:")

         decryption = str_xor(flag_enc.decode(), i)

         print(decryption)

         return

print("That password is incorrect")

Analysing the above:

  • We move pos_pw_list to inside the function so that we may call upon it later
  • We use a for loop to iterate through the list so that when the correct password is selected, it then prints the flag
  • We change user_pw_hash = hash_pw(user_pw) to user_pw_hash = hash_pw(i) so that each password from pos_pw_list is run through the hash_pw function

After changing this and running the program with python3 level4.py, we get the flag.

Related Writeups

caas

Now presenting cowsay as a service https://caas.mars.picoctf.net/

#medium

findme

Help us test the form by submiting the username as `test` and password as `test!` Hint: any redirections?

#medium

JAuth

Most web application developers use third party components without testing their security. Some of the past affected com ...

#medium

Share this writeup

Contribute

Found an issue or want to improve this writeup?

Edit on GitHub