quick writeup for Hacker0x1’s mini CTF: Capture The Flag: reversing the password

If you missed this one; please head to this link, and try it yourself before going to the solution.

I quickly recognized this must be a pcap dump, or a snap from a binary file (i.e. raw disk dump)
so I opened up a hex editor; I was on Windows so I used: HxD

this is what it looked like:

you quickly notice the corrupted bytes, so I corrected 3 bytes and noticed the changed values;
For example: “evånt” should have been “event”
hence “65 76 E5 6E 74″ should have been “65 76 65 6E 74″

I ended up with this algorithm:
search for any byte that is more than 0x8
substitute 0x8 from it

0xf -> 0x7
0xe -> 0x6
0xd -> 0x5

after it’s done you get a clear uncorrupted ascii, which looks like a part of an event log.
At this point you also get old and new passwords.

  • “old_password”: “:\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;”,
  • “new_password”: “9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk”,

Very quickly you notice these are in hex format (thanks OSCE!); I looked at the hex equivilent and converted them manually; however a smarter way would have been python’s hexlify (yep there is a thing for that).

I quickly headed up to the wiki page of hashes and figured this must be an md5.

at this point I spent hours trying to brute force them, until I thought maybe I need to try salt? double md5?
Everything failed until I tried md5(reverse(hash))

again python comes handy 🙂

then feed them to the monster crackstation.net
final results:

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

This site uses Akismet to reduce spam. Learn how your comment data is processed.