@tomnomnom
Created August 13, 2017 08:36
Dump of the script I wrote solving Jobert's CTF (https://twitter.com/jobertabma/status/894066834927796224)
<?php
// OK, so here's the hex from the instructions...
$lines =<<<LINES
7b 0a 20 a0 22 65 76 e5
6e 74 22 ba 20 22 70 e1
73 73 77 ef 72 64 5f e3
68 61 6e e7 65 22 2c 8a
20 20 22 f5 73 65 72 ee
61 6d 65 a2 3a 20 22 e2
63 6f 6c ec 69 6e 22 ac
0a 20 20 a2 6f 6c 64 df
70 61 73 f3 77 6f 72 e4
22 3a 20 a2 3a 5c 78 c3
37 5c 78 c6 34 5c 6e dc
78 41 46 a9 29 37 43 dc
78 31 35 dc 78 44 30 dc
78 46 33 dc 78 44 45 e9
55 3b 22 ac 0a 20 20 a2
6e 65 77 df 70 61 73 f3
77 6f 72 e4 22 3a 20 a2
39 5c 78 c6 41 5c 78 b9
39 5c 78 c3 41 5c 78 c5
44 5c 78 c6 32 58 53 c7
5c 78 44 c4 2d 5c 78 c3
32 5c 78 b8 45 7a 48 eb
22 2c 0a a0 20 22 74 e9
6d 65 73 f4 61 6d 70 a2
3a 20 31 b5 30 31 38 b5
38 38 36 b0 30 30 30 8a
7d 0a
LINES;

// Let's take a look at each byte in binary notation to make
// flipped bits a bit easier to spot.
$str = '';
foreach (explode("\n", $lines) as $line) {
    $line = trim($line);
    $bytes = explode(" ", $line);
    foreach ($bytes as $byte) {
        // When printed out as binary it becomes pretty clear that the MSB has
        // been flipped in the 4th and 8th columns... YOU LIED TO ME, JOBERT;
        // you said the LSBs had been shifted.
        printf("%08b ", intval($byte, 16));
        // Clear the MSB (the payload is 7-bit ASCII, so this is safe for every
        // byte) and build a urlencoded string out of it.
        $str .= sprintf("%%%02X", intval($byte, 16) & 0b01111111);
    }
    echo PHP_EOL;
}

// We have 'JSON' :)
$json = urldecode($str);
echo $json;
/*
{
  "event": "password_change",
  "username": "bcollin",
  "old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
  "new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
  "timestamp": 1501858860000
}
*/

// \xNN sequences?! This isn't valid JSON, Jobert ಠ_ಠ (JSON only has \uXXXX)
// I'll just copy and paste the strings like some kind of monster. In a PHP
// double-quoted string the \xNN escapes become the raw bytes again.
$old = ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;";
$new = "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk";

// Oh hey, *reverse* the passwords... I tried reversing the raw bytes first,
// it took me longer than it should have done to bother just reversing the hex string...
// I also tried a ton of other stuff that didn't work, but never mind all of that...
$oldhash = strrev(unpack("H*", $old)[1]);
var_dump($oldhash);
// string(32) "b35596ed3f0d5134739292faa04f7ca3"
// A quick Google search reveals it to be md5(md5('p4ssw0rd'))
// That's the old password sorted.
$newhash = strrev(unpack("H*", $new)[1]);
var_dump($newhash);
// string(32) "b684a7e82cd2dd7435852fdeac99af93"
// Google doesn't find a result for this one :(

// Let's try a few things... Thank you, Daniel Miessler...
$fh = fopen('/home/tom/src/github.com/danielmiessler/SecLists/Passwords/rockyou.txt', 'r');
if (!$fh) die('wat');
// Stop at EOF instead of spinning forever when the list has no hit.
while (($line = fgets($fh)) !== false) {
    $test = trim($line);
    // Strict comparison: PHP's == turns numeric-looking strings ("0e...")
    // into numbers before comparing, which is the classic magic-hash pitfall.
    if (md5(md5($test)) === $newhash) {
        echo "Password: " . $test . PHP_EOL;
        break;
    }
}
fclose($fh);

// This *is* crazy! Hurrah for brute force!
// Confirmation:
if (md5(md5('thisiscrazy')) === $newhash) {
    echo "You're an Evil man, Jobert.";
}
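The same solve as an added Python example; this is not code from the gist. It generalises the first step slightly: instead of assuming every 4th byte is damaged, it searches for the stride and offset at which the MSB is set and clears the bit only there, so a byte that legitimately had its high bit set elsewhere would survive. It then turns the `\xNN` escapes into `\u00NN` so the payload parses as real JSON, reverses the hex string (not the bytes) of each 16-byte password field, and runs the md5(md5(x)) dictionary attack. The hex dump is the one from the gist; `WORDLIST` is a constructed stand-in for rockyou.txt and the `crack()` signature is this example's own.

```python
"""Added example (not the gist's code): the CTF solve in Python.

DUMP is the hex from the gist; WORDLIST is a constructed stand-in for
rockyou.txt (pass a list from the real file to crack() instead).
"""
import hashlib
import json
import re
from typing import Iterable, Optional, Tuple

# The corrupted dump from the CTF instructions, two rows of the gist per line.
DUMP = """
7b 0a 20 a0 22 65 76 e5  6e 74 22 ba 20 22 70 e1
73 73 77 ef 72 64 5f e3  68 61 6e e7 65 22 2c 8a
20 20 22 f5 73 65 72 ee  61 6d 65 a2 3a 20 22 e2
63 6f 6c ec 69 6e 22 ac  0a 20 20 a2 6f 6c 64 df
70 61 73 f3 77 6f 72 e4  22 3a 20 a2 3a 5c 78 c3
37 5c 78 c6 34 5c 6e dc  78 41 46 a9 29 37 43 dc
78 31 35 dc 78 44 30 dc  78 46 33 dc 78 44 45 e9
55 3b 22 ac 0a 20 20 a2  6e 65 77 df 70 61 73 f3
77 6f 72 e4 22 3a 20 a2  39 5c 78 c6 41 5c 78 b9
39 5c 78 c3 41 5c 78 c5  44 5c 78 c6 32 58 53 c7
5c 78 44 c4 2d 5c 78 c3  32 5c 78 b8 45 7a 48 eb
22 2c 0a a0 20 22 74 e9  6d 65 73 f4 61 6d 70 a2
3a 20 31 b5 30 31 38 b5  38 38 36 b0 30 30 30 8a
7d 0a
"""

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "p4ssw0rd", "letmein", "thisiscrazy", "qwerty"]


def parse_dump(dump: str) -> bytes:
    """Whitespace-separated hex tokens -> bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def find_flipped_stride(data: bytes, max_stride: int = 16) -> Tuple[int, int]:
    """Return (stride, offset) such that the bytes with their MSB set are
    exactly the positions i with i % stride == offset.  Assumes the original
    payload is 7-bit ASCII, so flipping the MSB always sets it."""
    hits = {i for i, b in enumerate(data) if b & 0x80}
    if not hits:
        raise ValueError("no MSB set anywhere: nothing to repair")
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            if hits == {i for i in range(len(data)) if i % stride == offset}:
                return stride, offset
    raise ValueError("MSB corruption does not follow a fixed stride")


def repair(data: bytes) -> bytes:
    """Clear the MSB only at the detected positions; leave other bytes alone."""
    stride, offset = find_flipped_stride(data)
    return bytes(b & 0x7F if i % stride == offset else b for i, b in enumerate(data))


def parse_loose_json(text: str) -> dict:
    """JSON only allows \\uXXXX escapes, which is why \\xNN breaks json.loads.
    Rewrite \\xNN as \\u00NN; each such char then has a code point < 256 and
    maps back to the raw byte via latin-1."""
    return json.loads(re.sub(r"\\x([0-9A-Fa-f]{2})", r"\\u00\1", text))


def reverse_hex(raw: bytes) -> str:
    """'Reverse the password' means reverse the hex *string*.  Unlike reversing
    the bytes, this also swaps the two nibbles of every byte:
    b'\\x12\\x34' -> '4321', while byte reversal would give '3412'."""
    return raw.hex()[::-1]


def double_md5(word: str) -> str:
    """PHP's md5(md5($x)): the inner md5() yields a 32-char hex string and the
    outer md5() hashes that string, not the 16 raw digest bytes."""
    inner = hashlib.md5(word.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def crack(target_hex: str, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack: first word whose md5(md5(word)) equals the target."""
    target = target_hex.lower()
    for word in words:
        word = word.rstrip("\r\n")
        if double_md5(word) == target:
            return word
    return None


def solve(dump: str = DUMP, words: Iterable[str] = WORDLIST):
    """Whole pipeline: returns the parsed document and, per password field,
    the recovered hash and the cracked plaintext (None if not in the list)."""
    words = list(words)  # we iterate twice, so a file object must be buffered
    doc = parse_loose_json(repair(parse_dump(dump)).decode("ascii"))
    found = {}
    for field in ("old_password", "new_password"):
        target = reverse_hex(doc[field].encode("latin-1"))
        found[field] = (target, crack(target, words))
    return doc, found


if __name__ == "__main__":
    doc, found = solve()
    print(doc["event"], doc["username"], doc["timestamp"])
    for field, (target, plaintext) in found.items():
        print(f"{field}: {target} -> {plaintext}")
```

To use the real list, call `solve(words=open("rockyou.txt", encoding="latin-1"))`; the gist reports the two hashes as md5(md5('p4ssw0rd')) and md5(md5('thisiscrazy')), both of which are in the constructed list above. The equality test inside `crack()` is a plain string comparison in Python, so the PHP `==` type-juggling concern does not apply here.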
@tomnomnom (Author) commented:
  1. Printed the hex as binary and spotted the flipped MSBs in every 4th byte
  2. Flipped the bits and tried to decode the JSON, but it wasn't valid JSON
  3. Thought the invalid JSON was some kind of clue and spent far too long trying to figure out what that clue might be
  4. Gave up on that and just copy+pasted the strings into new variables to play with them
  5. Noted they're 128 bits long, didn't think you'd be evil enough to use something obscure like snefru, so I assumed it'd be MD5
  6. Tried and failed to crack the hashes
  7. Went back to the instructions and re-read them several times
  8. Noticed 'reverse both passwords' and decided to take it literally
  9. Messed around with reversing the raw bytes to no avail
  10. Complained about getting stuck in the BBF Slack
  11. Immediately realised I'm an idiot and tried reversing the hex strings instead of the raw bytes
  12. Google got me the old password
  13. Google did not get me the new password
  14. A dictionary and brute-force got me the new password
