@phwd

phwd/dirty.py Secret

Last active August 13, 2017 03:31
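import sys
from functools import partial

# Read the corrupted file one byte at a time and clear the high bit of each byte.
with open('corrupt_data', 'rb') as in_file:
    for data in iter(partial(in_file.read, 1), b''):
        x = int.from_bytes(data, byteorder='big')
        # Keep only the low 7 bits (plain ASCII).
        sys.stdout.write(chr(x & 0b01111111))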
Given the following data from https://docs.google.com/document/d/1sz2-n-IiqPGDm6b6NF8ajYogTbirOddNm45Uvj3eBq8/edit
7b 0a 20 a0 22 65 76 e5
6e 74 22 ba 20 22 70 e1
73 73 77 ef 72 64 5f e3
68 61 6e e7 65 22 2c 8a
20 20 22 f5 73 65 72 ee
61 6d 65 a2 3a 20 22 e2
63 6f 6c ec 69 6e 22 ac
0a 20 20 a2 6f 6c 64 df
70 61 73 f3 77 6f 72 e4
22 3a 20 a2 3a 5c 78 c3
37 5c 78 c6 34 5c 6e dc
78 41 46 a9 29 37 43 dc
78 31 35 dc 78 44 30 dc
78 46 33 dc 78 44 45 e9
55 3b 22 ac 0a 20 20 a2
6e 65 77 df 70 61 73 f3
77 6f 72 e4 22 3a 20 a2
39 5c 78 c6 41 5c 78 b9
39 5c 78 c3 41 5c 78 c5
44 5c 78 c6 32 58 53 c7
5c 78 44 c4 2d 5c 78 c3
32 5c 78 b8 45 7a 48 eb
22 2c 0a a0 20 22 74 e9
6d 65 73 f4 61 6d 70 a2
3a 20 31 b5 30 31 38 b5
38 38 36 b0 30 30 30 8a
7d 0a
Check the data
$ pbpaste | xxd -r -p
Where xxd is a hexdump tool
https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/xxd.1.html
{
?"ev?nt"? "p?ssw?rd_?han?e",? "?ser?ame?: "?col?in"?
?old?pas?wor?": ?:\x?7\x?4\n?xAF?)7C?x15?xD0?xF3?xDE?U;"?
?new?pas?wor?": ?9\x?A\x?9\x?A\x?D\x?2XS?\xD?-\x?2\x?EzH?",
? "t?mes?amp?: 1?018?886?000?}
The data is mangled: every fourth byte has its high bit set (for example a0 where a space, 20, belongs). From the Google doc description, some bit manipulation is needed.
Save the corrupt data
$ pbpaste | xxd -r -p > corrupt_data
Python script to deal with mangled bits
$ python3 dirty.py
{
"event": "password_change",
"username": "bcollin",
"old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
"new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
"timestamp": 1501858860000
}
Verify timestamp
$ date -r 1501858860
Fri Aug 4 11:01:00 AST 2017
Get hex value for the password since the current format doesn't do us any good.
$ python
>>> ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;".encode('hex')
'3ac7f40aaf2929374315d0f3de69553b'
>>> "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk".encode('hex')
'39fa99caedf2585347dd2dc28e7a486b'
Take the last hint literally and reverse the hex-encoded string
$ python
>>> '3ac7f40aaf2929374315d0f3de69553b'[::-1]
'b35596ed3f0d5134739292faa04f7ca3'
>>> '39fa99caedf2585347dd2dc28e7a486b'[::-1]
'b684a7e82cd2dd7435852fdeac99af93'
The two hashes are
'b35596ed3f0d5134739292faa04f7ca3'
'b684a7e82cd2dd7435852fdeac99af93'
Googling for these strings yields
old_password -> b35596ed3f0d5134739292faa04f7ca3:p4ssw0rd
new_password -> b684a7e82cd2dd7435852fdeac99af93:thisiscrazy
We can recheck, for one of the hashes, that it is indeed MD5 applied twice
$ echo -n "thisiscrazy" | md5
5990027d60d655641fb35b1e3dca9e75
$ echo -n "5990027d60d655641fb35b1e3dca9e75" | md5
b684a7e82cd2dd7435852fdeac99af93
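The hex, reverse and double-MD5 steps above in one Python 3 script (where .encode('hex') no longer exists). This is an added example, not part of the original gist; the function names are made up here, and the field values and candidate passwords are copied from the output shown above.

```python
import hashlib

# Values copied from the write-up: the decoded JSON fields and the lookup results.
RECOVERED = {
    "old_password": r":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
    "new_password": r"9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
}
CANDIDATES = {"old_password": "p4ssw0rd", "new_password": "thisiscrazy"}


def field_to_digest(escaped: str) -> str:
    """Convert an escaped JSON field into the reversed hex digest."""
    # The field contains literal backslash escapes (\xC7, \n); turn them into raw bytes.
    raw = escaped.encode("latin-1").decode("unicode_escape").encode("latin-1")
    if len(raw) != 16:
        raise ValueError("expected 16 bytes (MD5 digest size), got %d" % len(raw))
    # Hex-encode, then reverse the hex string character by character.
    return raw.hex()[::-1]


def double_md5(password: str) -> str:
    """MD5 of the lowercase hex MD5 of the password, as checked with the md5 tool."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def verify() -> dict:
    """Report, per field, whether the candidate reproduces the stored digest."""
    return {
        name: field_to_digest(escaped) == double_md5(CANDIDATES[name])
        for name, escaped in RECOVERED.items()
    }


if __name__ == "__main__":
    for name, escaped in RECOVERED.items():
        print(name, field_to_digest(escaped))
    print(verify())
```

Neither the reversal nor the second MD5 pass adds protection here: the digests are unsalted, so both were found by a plain lookup.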
References
http://md5decoder.org/
https://crackstation.net/
https://www.ccs.neu.edu/home/cbw/static/class/5600/slides/12_Auth_and_Access.pptx