The task was about finding the correct password of the manager user giving a pcap file.
First I examined the source code of the login page. I saw that the form sends the entered username, a randomly generated nonce and a hashed password using the myxor function.
$('.hook-submit').click(function(){
    var h1 = md5($('#pass').val());   // MD5 of the typed password
    var h2 = $('#nonce').val();       // nonce from the page, also sent in the POST body
    var xor = myxor(h1, h2);          // combine the hash with the nonce
    $('#hiddenpass').val(xor);
    setTimeout(function() { $('#form').submit(); }, 100);
});
So according to this algorithm it is quite easy to get the password.
I wrote the reverse function in JavaScript:
// hex2n and n2hex are not shown on the page; they are assumed to be the usual
// single-hex-digit <-> number conversions used by the site's script.
function hex2n(c) { return parseInt(c, 16); }
function n2hex(n) { return n.toString(16); }

function revxor(h1, h2) {
    var xored = '';
    for (var i = 0; i < h1.length; i++) {
        var c1 = h1.charAt(i);
        var c2 = h2.charAt(i);
        // undo the nibble-wise addition mod 16 applied by myxor
        var x = hex2n(c1) - hex2n(c2); if (x < 0) x += 16;
        xored += n2hex(x);
    }
    return xored;
}
After that, I examined the pcap file and I found an HTTP POST request that sends, in addition to the username, the (password, nonce) pair to the server:
POST / HTTP/1.1
Host: 10.13.37.22
Connection: keep-alive
Content-Length: 89
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.13.37.22
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.13.37.22/
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8,ro;q=0.6,ru;q=0.4
Cookie: PHPSESSID=7hnoc09he3vtohslep97fdm8o0

user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b

GET /favicon.ico HTTP/1.1
Host: 10.13.37.22
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,ro;q=0.6,ru;q=0.4
Cookie: PHPSESSID=7hnoc09he3vtohslep97fdm8o0
I passed the password and the nonce values to my revxor function:
revxor("3ecd6317a873b18e7dde351ac094ee3b","7413734ab666ce02cf27c9862c96a8e7");
The result was "cabaf0ddf21df38cbeb77c94a40e4654" which is the manager's password.
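To show why the nonce "masking" gives no protection against a passive observer, here is an added example (not the challenge's own script) that reconstructs the forward transform myxor as the inverse of revxor, i.e. nibble-wise addition modulo 16 (an assumption, since myxor itself is not on the page), and recovers the MD5 directly from the captured POST body above. The helper names hex2n, n2hex and recoverHashFromBody are my own.

```javascript
// Single hex digit <-> number helpers (assumed to match the site's script).
const hex2n = (c) => parseInt(c, 16);
const n2hex = (n) => n.toString(16);

// Forward transform as the login form applies it: h1 = md5(password), h2 = nonce.
// Reconstructed as the inverse of the writeup's revxor: add nibbles mod 16.
function myxor(h1, h2) {
  let out = '';
  for (let i = 0; i < h1.length; i++) {
    out += n2hex((hex2n(h1.charAt(i)) + hex2n(h2.charAt(i))) % 16);
  }
  return out;
}

// Inverse: subtract the nonce nibble and wrap, exactly as revxor in the writeup does.
function revxor(xored, h2) {
  let out = '';
  for (let i = 0; i < xored.length; i++) {
    let x = hex2n(xored.charAt(i)) - hex2n(h2.charAt(i));
    if (x < 0) x += 16;
    out += n2hex(x);
  }
  return out;
}

// Given the urlencoded body of one captured login POST, return the md5 the
// client started from. The nonce travels in the same request, so anyone who
// can read the request can strip it off; the masking does not hide the hash.
function recoverHashFromBody(body) {
  const params = new URLSearchParams(body);
  const pass = params.get('pass');
  const nonce = params.get('nonce');
  if (!pass || !nonce || pass.length !== nonce.length) {
    throw new Error('body lacks a pass/nonce pair of equal length');
  }
  return revxor(pass, nonce);
}

// Body of the POST quoted from the pcap above (the favicon GET that followed is dropped).
const capturedBody =
  'user=manager&nonce=7413734ab666ce02cf27c9862c96a8e7&pass=3ecd6317a873b18e7dde351ac094ee3b';

console.log(recoverHashFromBody(capturedBody)); // cabaf0ddf21df38cbeb77c94a40e4654
```

Only TLS on the transport, or a server-side challenge that is never reversible from what is sent, would have kept the hash out of a capture like this one.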
I tried to log in using these credentials and I got a page saying: The secret is behind bb00403ebcbfa0748bcbee426acfdb5b :)
So I used an online MD5 cracker: http://www.hashkiller.co.uk/md5-decrypter.aspx to get the flag, which was
youtoo
Cheers :)
Marouene