HackIM2017 CTF - Web Challenges and solutions (part-4)

Solving Web400 Challenge

Accessed the Web4 challenge and we are given a new hint! Hints are back!! 🙂

Possibly a crypto challenge ahead from a martian!? Right, so going into the link we find that there is a captcha along with a login.

View source gives away the “partial” password, and it is 69 characters long. Also, there appears to be a backup SQL file somewhere on the server, meaning some interesting DB file should be directly referenced in the /web400/ path. I tried a couple of combinations before getting the “database.sql” file as a download.

On closer evaluation of this file, it appears there is a user named “Jaffa” and the password hash is also present in this DB. The password hash variable hinted that bcrypt is being used.

So now the martian crypto challenge has presented itself. It appears that we needed “3” more characters, as hinted by the Null team via Twitter. The reasoning behind this is that there is a maximum length for a password hashed with bcrypt: 72 characters.

Used crunch to create a dictionary of all the characters using the existing character sequence [a-z 0-9], with the following command.

Appended the “partial password” to the chars created by crunch.

And then used john to crack the password using the newly created wordlist.

It took quite some time, and I finally got the last three characters of the password and logged in with user “jaffa” to get the flag for the web400 challenge.
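The wordlist construction from the crunch and append steps above, as an added example that is not part of the original post. It generalizes slightly by deriving the number of missing characters from bcrypt's 72-character limit. The 69-character PARTIAL value is a constructed placeholder, the function names are hypothetical, awk stands in for crunch, and the missing characters are assumed to sit at the end of the password.

```shell
#!/bin/sh
# Constructed 69-character stand-in for the partial password; the real value
# was only visible in the challenge's page source.
PARTIAL=$(awk 'BEGIN { while (i++ < 69) printf "x" }')
CHARSET='abcdefghijklmnopqrstuvwxyz0123456789'   # [a-z 0-9] as in the write-up
BCRYPT_MAX=72                                    # bcrypt's password length limit

# keyspace PREFIX: number of candidates = |CHARSET| ^ (72 - length of PREFIX).
keyspace() {
    ks_missing=$(( BCRYPT_MAX - ${#1} ))
    ks_total=1
    while [ "$ks_missing" -gt 0 ]; do
        ks_total=$(( ks_total * ${#CHARSET} ))
        ks_missing=$(( ks_missing - 1 ))
    done
    echo "$ks_total"
}

# gen_candidates PREFIX: print PREFIX followed by every possible suffix over
# CHARSET that brings the total length up to BCRYPT_MAX, one per line.
gen_candidates() {
    gc_missing=$(( BCRYPT_MAX - ${#1} ))
    if [ "$gc_missing" -lt 0 ]; then
        # Anything past the limit would not influence the hash at all.
        echo "prefix is already longer than $BCRYPT_MAX characters" >&2
        return 1
    fi
    awk -v p="$1" -v cs="$CHARSET" -v n="$gc_missing" '
        # Depth-first enumeration; "i" is a local variable in awk.
        function rec(s, depth,   i) {
            if (depth == n) { print p s; return }
            for (i = 1; i <= length(cs); i++)
                rec(s substr(cs, i, 1), depth + 1)
        }
        BEGIN { rec("", 0) }'
}

# Typical use: gen_candidates "$PARTIAL" > wordlist.txt
```

With 69 of the 72 characters disclosed, the whole search is 36^3 candidates, which is why the cracking run finishes even though each bcrypt evaluation is deliberately slow.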


Published by Ramnath Shenoy

I work as a penetration tester, this blog is just some of my personal notes!
