WhiteHat GrandPrix - 100 - Banh bot loc - Web

Information

Version

By      Version  Comment
noraj   1.0      Creation

CTF

Description

http://web05.grandprix.whitehatvn.com

http://bakweb05.grandprix.whitehatvn.com:8125

Solution

Here is the home page:

The login link goes to http://web05.grandprix.whitehatvn.com/index.php?username=guest&password=guest and the page says noob.

Let's look at the source code of the web page:

<html>
    <title>hello</title>
    <body>
    <a href='index.php?username=guest&password=guest'>login</a><br>
    </body>Login to get our secret</html>
<!-- index.php.bak -->

Ok, let's see index.php.bak:

<?php
    function checklogin($username, $password, $key, $secret)
    {
        if($username.$key == md5($password))
            echo $secret;
        else
            echo "noob";
    }
$key = "1337";
$secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
echo "<html>
    <title>hello</title>
    <body>
    <a href='index.php?username=guest&password=guest'>login</a><br>
    </body>";
if (isset($_GET['username'])&&isset($_GET['password']))
    {
        checklogin($_GET['username'],$_GET['password'],$key,$secret);
        die(0);
    }
echo "Login to get our secret";
echo "</html>";
?>

Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

So we need to find a hash like ????????????????????????????1337 (28 arbitrary hex chars followed by 1337).

I first thought of downloading an MD5 hash dictionary, but I didn't want to wait for the download.

So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finally found one: # 13381, Hash 0000dd456d15560290351cb4e6311337, Word hdtfz.

So we get:

  • username: 0000dd456d15560290351cb4e631
  • key: 1337
  • password: hdtfz

I submitted the URL: http://web05.grandprix.whitehatvn.com/index.php?username=0000dd456d15560290351cb4e631&password=hdtfz and got the flag WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}.
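
The check above authenticates nothing, because the client supplies both the username and the password, and any password whose MD5 ends in the key will pass. The following Python sketch is an added example, not part of the original write-up or the challenge code: it models the PHP comparison and replaces the md5db.net lookup with a local search. The function names and the lowercase-only candidate alphabet are assumptions made for illustration.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

KEY = "1337"  # value of $key in index.php.bak


def checklogin(username: str, password: str, key: str = KEY) -> bool:
    """Model of the PHP check: $username.$key == md5($password).

    Modelled as exact string equality, which is all the solution above needs.
    """
    return username + key == hashlib.md5(password.encode()).hexdigest()


def find_credentials(key: str = KEY, max_len: int = 6):
    """Search lowercase candidates for a password whose MD5 hex digest ends with key.

    Each hex char matches with probability 1/16, so a 4-char suffix
    needs about 16**4 = 65536 candidates on average.
    Returns (username, password, attempts), or None if nothing is found.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in product(ascii_lowercase, repeat=length):
            attempts += 1
            password = "".join(chars)
            digest = hashlib.md5(password.encode()).hexdigest()
            if digest.endswith(key):
                # The username is whatever precedes the key in the digest.
                return digest[: -len(key)], password, attempts
    return None


if __name__ == "__main__":
    result = find_credentials()
    if result is None:
        print("no candidate found within the search bounds")
    else:
        username, password, attempts = result
        print(f"username={username} password={password} attempts={attempts}")
        print("check passes:", checklogin(username, password))
```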
