RingZer0team CTF - Challenge 56

Posted on Tue 02 May 2017 in Security

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

Challenge 56 ("Hash Breaker", under the Coding Challenges) is one of a series of challenges where you're simply presented with a hash - you need to return the plaintext value to the page within 3 seconds.

Of course, this is impossible to do manually, so it's a programming challenge.

The hash looks like a simple SHA-1, so I put it into an online hash reverser and discovered it's just a SHA1 hash of a random number. SHA1 is really fast, so this should be simple.

Here's how I tackled the problem:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# It's in Python3, because of reasons
from requests import get
from hashlib import sha1
from re import search
calculated_hash=''
x=0

# Your session cookie needs to go here
session=dict(PHPSESSID='<cookie contents>')

# Load the web page
url='https://ringzer0team.com/challenges/56'
resp=get(url,cookies=session)

# Extract the hash from the page contents
target_hash=resp.text.split("-----")[2].split("\t")[2].split("<")[0]

# Iterate hashes from zero until the calculated hash matches the target hash
while calculated_hash != target_hash:
        calculated_hash=sha1(str(x).encode('utf-8')).hexdigest()
        print("%s = %s" % (calculated_hash, x))
        x+=1

# If we got here, yay!  We found the key.  Now submit it back to the site, and print our magic flag
resp=get(url+'/'+str(x-1),cookies=session)
flag=search("FLAG-.{24}",resp.text).group()
print(flag)

There's no error handling in that code, so if it runs for more than a few seconds it's probably toast.