WhiteHat GrandPrix - 100 - Banh bot loc - Web

Informations

Version

By Version Comment
noraj 1.0 Creation

CTF

Description

http://web05.grandprix.whitehatvn.com

http://bakweb05.grandprix.whitehatvn.com:8125

Solution

Here is the home page:

The login link go to http://web05.grandprix.whitehatvn.com/index.php?username=guest&password=guest and says noob.

Let's see source code of teh web page:

1
2
3
4
5
6
<html>
<title>hello</title>
<body>
<a href='index.php?username=guest&password=guest'>login</a><br>
</body>Login to get our secret</html>
<!-- index.php.bak -->

Ok, let's see index.php.bak:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
function checklogin($username, $password, $key, $secret)
{
if($username.$key == md5($password))
echo $secret;
else echo "noob";
}
$key = "1337";
$secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
echo "<html>
<title>hello</title>
<body>
<a href='index.php?username=guest&password=guest'>login</a><br>
</body>";
if (isset($_GET['username'])&&isset($_GET['password']))
{
checklogin($_GET['username'],$_GET['password'],$key,$secret);
die(0);
}
echo "Login to get our secret";
echo "</html>";
?>

Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

So we need to find a hash like ????????????????????????????1337 (28 random hex chars and 1337).

I first thought to download a md5 hash dictionary but I didn't wanted to wait during teh download.

So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finaly found one: # 13381 Hash 0000dd456d15560290351cb4e6311337 Word hdtfz.

So we get:

  • username: 0000dd456d15560290351cb4e631
  • key: 1337
  • password: hdtfz

I submited the url: http://web05.grandprix.whitehatvn.com/index.php?username=0000dd456d15560290351cb4e631&password=hdtfz and got the flag WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}.

Submit

Share