RingZer0team CTF - Challenge 57

Posted on Fri 05 May 2017 in Security

This is a continuation of my series on RingZer0Team.com.

Challenge 57 ("Hash Breaker Reloaded", under the Coding Challenges) is one of a series of challenges where you're simply presented with a hash - you need to return the plaintext value to the page within 3 seconds.

In contrast to Challenge 56, this challenge also includes a salt:

You have 3 seconds to break this hash
Send the answer back using https://ringzer0team.com/challenges/57/[clear_text]


----- BEGIN HASH -----
ab9507edbb2501b3c02e47c51af0178d68655980
----- END HASH -----

----- BEGIN SALT -----
c2ac9d8d004b4011d0864e76c7ebaaccfd18464bb8ff66bdbf19a703eb95a944
----- END SALT -----

The hash looks like another SHA-1, but of course the online hash reversers don't have the now-salted hash in their rainbow tables. I figured that the challenge was a simple continuation of the previous challenge, so I crossed my fingers and guessed the hash was simply a number (from last time), concatenated with the plain-text salt.

... And I was lucky! The below code got me the flag:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/python3
from requests import get
from hashlib import sha1
from re import search

url='https://ringzer0team.com/challenges/57'
session=dict(PHPSESSID='<blahblah>')
resp=get(url,cookies=session)
hash=resp.text.split("-----")[2].split("\t")[2].split("<")[0]
salt=resp.text.split("-----")[6].split("\t")[2].split("<")[0]
newhash=''
salt=salt.encode('utf-8')
x=0
while newhash != hash:
        newhash=sha1(str(x).encode('utf-8')+salt).hexdigest()
        print("%s = %s" % (newhash, x))
        x+=1

resp=get(url+'/'+str(x-1),cookies=session)
flag=search("FLAG-.{24}",resp.text).group()
print(flag)

As last time, there's no error handling in that code, so if it runs for more than a few seconds it's probably toast.