
Leetmore CTF 2012: PPC 200 (Oscaderp Forensic)

This entry was posted on Oct 18 2012

The challenge was to get the flag out of the files contained in the attached archive. The challenge description read:

We need your help, soldier!

Your goal today is to help us obtain the access to Oscaderp Corp mainframe.
Our intelligence has managed to install a keylogger and a formgrabber on some bad person’s work laptop. You don’t need his name to do your job.
Everything worked as planned, the victim visited mainframe’s authentication page, https://authen.intranet/, and started to type in the password.
But when he had a couple of characters left, the keylogger got busted and hard-killed by him.

Present intelligence evidence:
[*] The password that’s being used is 1,048,576 characters long.
[*] According to our calculations, our keylogger managed to capture 1,048,568 password keystrokes.
[*] Formgrabber remained unnoticed, and in a few hours we’ve got the logs with successful mainframe authentication.
The only major problem: they use client-side MD5 to protect the password from being eavesdropped.
[*] We also managed to acquire the source code of the authentication mechanism

You can find all the necessary files in the archive.

YOUR GOAL: obtain the password to the mainframe, and post its SHA1 hash as the flag.

The script below reassembles the captured keystrokes from the keylogger report, then brute-forces the eight missing characters (assumed to be digits) against the MD5 hash found in index.php. The 1,048,568 recorded characters are hashed once, and each candidate is tried from a copy of that MD5 state, so the prefix is never re-hashed.

```python
import hashlib

# Save the part of the password recorded by the keylogger in this variable.
# final length of recorded password = 1048568 characters
# complete password length = 1048576 characters
key_partial = ''

# Open keylogger file and extract the password related lines.
with open('keylogger_report_08_10_2012.txt', 'r') as fh:
    for line in fh:
        # Only look at lines that start with "Keys: ".
        if line.startswith('Keys: '):
            # Only extract lines that have more than 100 characters.
            if len(line) > 100:
                # Only extract the part after "Keys: ", drop the trailing
                # line ending ("\r\n" in the report) and append to the partial key.
                key_partial = key_partial + line[6:].rstrip('\r\n')


def bruteforce(key_partial):
    """
    Bruteforce the password.

    - Add "00000000" to "99999999" to the partial password.
    - Compare the md5sum of this full password with the md5 hash
      found in index.php ("287d3298b652c159e654b61121a858e0")
    """
    # Hash the 1,048,568 recorded characters once; every candidate below
    # starts from a copy of this state instead of re-hashing the prefix.
    md5_key_partial = hashlib.md5(key_partial.encode())

    for i in range(10 ** 8):
        if i % 10 ** 7 == 0:
            print("Progress: " + str(i // 10 ** 7))
        # Zero-padded 8-digit candidate for the missing characters.
        str_8 = '%08d' % i
        md5_key_try = md5_key_partial.copy()
        md5_key_try.update(str_8.encode())

        # If the md5 hash of our latest tested password matches,
        # calculate the sha1 hash of this password and exit this function.
        if md5_key_try.hexdigest() == "287d3298b652c159e654b61121a858e0":
            sha_key = hashlib.sha1((key_partial + str_8).encode())
            print("\nSHA-key: " + sha_key.hexdigest() + "\n8 last characters: " + str_8 + "\n")
            return


# Bruteforce the password.
bruteforce(key_partial)
```

The output from the above code was:

SHA-key: 947c83329e6cf2d9b747af59edf7974752afd741
8 last characters: 69880983

Solution: 947c83329e6cf2d9b747af59edf7974752afd741
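As an added example (not part of the original write-up and not the challenge's own files), the script below generalises the approach: it builds a constructed keylogger report in the same "Keys: ..." line format, parses it the way the write-up does, and recovers the missing suffix by hashing the captured prefix once and copying the MD5 state for each candidate. The password, report contents, sizes, target hash and helper names are all made up for the example; the search space is scaled down to a 4096-character prefix and 4 missing digits so it finishes instantly.

```python
import hashlib
import itertools
import time

# Constructed, not the challenge's data: a shorter password in the same shape
# as the challenge's (a long typed prefix, then a few digits the keylogger
# missed). Sizes are scaled down so the search completes in well under a second.
PREFIX_LEN = 4096    # the challenge had 1048568 recorded characters
SUFFIX_LEN = 4       # the challenge had 8 missing characters
PREFIX = (hashlib.sha256(b"constructed prefix").hexdigest() * 64)[:PREFIX_LEN]
SECRET_PASSWORD = PREFIX + "4711"   # hypothetical; only used to build the inputs
TARGET_MD5 = hashlib.md5(SECRET_PASSWORD.encode()).hexdigest()  # what index.php would hold


def build_report(password, recorded, chunk=256):
    """Constructed keylogger report: long "Keys: <chunk>" lines carrying the
    recorded part of the password, with short unrelated lines mixed in as noise."""
    lines = [
        "[2012-10-08 09:13:02] Window: Mozilla Firefox - https://authen.intranet/\r\n",
        "Keys: oscaderp\r\n",   # a short unrelated keystroke burst
    ]
    typed = password[:recorded]
    for i in range(0, len(typed), chunk):
        lines.append("Keys: " + typed[i:i + chunk] + "\r\n")
    lines.append("[2012-10-08 09:14:31] Window: Task Manager\r\n")
    return "".join(lines)


def extract_keys(report, min_len=100):
    """Concatenate the payload of every long "Keys: " line, as the write-up does."""
    parts = []
    for line in report.splitlines():   # strips "\r\n" however the file was read
        if line.startswith("Keys: ") and len(line) > min_len:
            parts.append(line[len("Keys: "):])
    return "".join(parts)


def recover_suffix(prefix, target_md5_hex, suffix_len, alphabet="0123456789"):
    """Return the suffix s with MD5(prefix + s) == target, or None.

    The prefix is absorbed into the MD5 state once; each candidate starts from
    a copy of that state, so per-candidate work is one tiny update plus a
    finalisation, independent of how long the prefix is.
    """
    base = hashlib.md5(prefix.encode())
    target = target_md5_hex.lower()
    for digits in itertools.product(alphabet, repeat=suffix_len):
        suffix = "".join(digits)
        h = base.copy()
        h.update(suffix.encode())
        if h.hexdigest() == target:
            return suffix
    return None


def recover_suffix_naive(prefix, target_md5_hex, suffix_len, alphabet="0123456789"):
    """Same search, re-hashing the whole prefix for every candidate (for comparison)."""
    data = prefix.encode()
    target = target_md5_hex.lower()
    for digits in itertools.product(alphabet, repeat=suffix_len):
        suffix = "".join(digits)
        if hashlib.md5(data + suffix.encode()).hexdigest() == target:
            return suffix
    return None


def solve(report, target_md5_hex, suffix_len=SUFFIX_LEN):
    """Parse the report, recover the suffix and return (password, sha1 flag), or None."""
    partial = extract_keys(report)
    suffix = recover_suffix(partial, target_md5_hex, suffix_len)
    if suffix is None:
        return None
    password = partial + suffix
    return password, hashlib.sha1(password.encode()).hexdigest()


if __name__ == "__main__":
    report = build_report(SECRET_PASSWORD, PREFIX_LEN)
    password, flag = solve(report, TARGET_MD5)
    print("recovered suffix:", password[-SUFFIX_LEN:], "flag:", flag)

    # Time the state-copying search against the naive one.
    for fn in (recover_suffix_naive, recover_suffix):
        t0 = time.perf_counter()
        fn(extract_keys(report), TARGET_MD5, SUFFIX_LEN)
        print("%-22s %.3fs" % (fn.__name__, time.perf_counter() - t0))
```

Running it prints the recovered suffix and flag, then times the state-copying search against a naive one that re-hashes the full prefix for every candidate. The copy is what makes the real challenge practical: re-hashing 1,048,568 bytes for each of 10^8 candidates means pushing roughly 10^14 bytes through MD5, while the copied-state search does about 10^8 short updates and finalisations. It works because MD5 (like SHA-1 and SHA-2) processes its input block by block and keeps only a fixed-size running state, so everything after the prefix depends on that state alone. That is also the lesson of the challenge: hashing a password client-side does not protect it from someone who sees the hash, since the hash itself becomes the credential to replay, and anyone who knows most of the password can search the rest offline at full speed.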
