@Xib3rR4dAr
Last active July 3, 2023 10:55
Solution of challenge "phash" from AUPCTF

phash

Challenge Name: phash
Challenge Text: login source
Initial Hint: No Hint
First Hint (when no one solved): Marvel characters (lowercased)
Second Hint: Who was the character that fans speculated would appear in a "Marvel Show" but ultimately did not make an appearance?
(Third Hint was provided after first 🩸 was obtained by me)

Provided:
[image: challenge description]

Solution

A login page is shown when visiting https://challs.aupctf.live/phash/

[image: login page]

Provided logic.py:

from django.shortcuts import render
from django.contrib import messages
import hashlib
import random

with open('marvel.txt', 'r', encoding='utf-8', errors='ignore') as file:
    wordlist = file.read().splitlines()

random_word = random.choice(wordlist)
random_md5 = hashlib.md5(random_word.encode('utf-8')).hexdigest()

def login(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')

        if username == 'admin' and password == random_md5:
            messages.success(request, 'Congratulations! Here is your flag [REDACTED]')
        else:
            messages.error(request, 'Invalid username or password.')

    return render(request, 'phash.html')

[image: logic.py source]

Looking at logic.py, we can see that to get the flag the username must be admin and the password must be the MD5 hex digest of a word picked at random from marvel.txt, i.e. some Marvel character's name (lowercased, as the hint says). The comparison is a plain string equality against the hex digest, so the expected password is fully determined by the wordlist.

For this, we can get a Marvel characters list from https://github.com/JacksonBates/wordlists/blob/master/marvel.txt

  1. Send the login request to Burp Intruder. Set the username to admin and mark the password as the payload position.
  2. Add two payload processing rules: i) Rule type: Modify case, lowercase; ii) Rule type: Hash, MD5.
  3. Start the Intruder attack and sort the responses by response length; the one response whose length differs from all the others contains the flag.
    [images: Intruder payload position, processing rules and sorted results]
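The weakness exploited above is that the expected password is derived from a small, public wordlist with a single unsalted, unkeyed MD5 step, so the whole candidate space can be enumerated offline, and that the success and failure messages differ in length, which is what makes "sort by response length" work. The following Python is an added example written for this writeup, not part of the challenge or of the gist: it models the logic.py check locally against a constructed stand-in for marvel.txt, applies the same two processing steps the Intruder rules apply (lowercase, then MD5), counts the candidate space, and contrasts the check with a version that uses a high-entropy secret compared in constant time. All names (WORDLIST, vulnerable_check, hardened_check, recover_secret) are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for marvel.txt (the real list has many more entries).
# Mixed case on purpose, so the "lowercase, then MD5" step does real work.
WORDLIST = ["Thor", "Loki", "Hulk", "Wanda", "Vision", "Quicksilver"]


def candidate_hashes(words):
    """Apply the two Burp payload-processing rules from the writeup to every
    word: modify case (lowercase), then hash (MD5).  Returns {hex: word}."""
    return {hashlib.md5(w.lower().encode("utf-8")).hexdigest(): w for w in words}


def keyspace_size(words):
    """Distinct password candidates: the most guesses an attacker ever needs."""
    return len({w.lower() for w in words})


def vulnerable_check(username, password, expected_md5):
    """Mirrors logic.py: username 'admin' and password == md5(random_word)."""
    return username == "admin" and password == expected_md5


def response_for(ok):
    """The two messages logic.py returns.  Their lengths differ, which is
    the signal the writeup sorts on in Intruder."""
    return ("Congratulations! Here is your flag [REDACTED]" if ok
            else "Invalid username or password.")


def recover_secret(words, oracle):
    """Local demonstration of why a wordlist-derived secret is weak: submit
    each candidate digest to the check and count guesses until it accepts."""
    for guesses, (digest, word) in enumerate(candidate_hashes(words).items(), 1):
        if oracle("admin", digest):
            return word, guesses
    return None, keyspace_size(words)


def generate_strong_secret():
    """256 bits from the OS CSPRNG; not drawn from any enumerable list."""
    return secrets.token_hex(32)


def hardened_check(username, password, expected_secret):
    """Same interface as vulnerable_check, but the secret is high-entropy and
    the comparison is constant-time, so neither enumeration nor timing helps."""
    return username == "admin" and hmac.compare_digest(password, expected_secret)


if __name__ == "__main__":
    # Simulate the server picking one word at startup, as logic.py does.
    target = candidate_hashes(WORDLIST)[next(iter(candidate_hashes(WORDLIST)))]
    target_md5 = hashlib.md5(target.lower().encode()).hexdigest()
    word, n = recover_secret(WORDLIST, lambda u, p: vulnerable_check(u, p, target_md5))
    print(f"keyspace: {keyspace_size(WORDLIST)} candidates")
    print(f"recovered '{word}' after {n} guesses")
    print(f"success/failure response lengths: {len(response_for(True))}/{len(response_for(False))}")
    strong = generate_strong_secret()
    print("hardened check with random secret accepts only the exact value:",
          hardened_check("admin", strong, strong))
```

The design point is the contrast between the two checks: with the wordlist design the attacker's cost is bounded by keyspace_size(), roughly the number of lines in marvel.txt, whereas a secret from secrets.token_hex(32) has no enumerable candidate space at all. Returning the same response body (and length) for every failed login removes the length oracle, and hmac.compare_digest removes the timing side channel that a plain == comparison can leak.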

To be learned from this writeup: payload processing rules in Burp Intruder.

End: Got First 🩸
