Skip to content

Instantly share code, notes, and snippets.

@tomnomnom
Created August 13, 2017 08:36
Show Gist options
  • Save tomnomnom/0bb94f264d9bbcf600f5414a180e6cda to your computer and use it in GitHub Desktop.
Save tomnomnom/0bb94f264d9bbcf600f5414a180e6cda to your computer and use it in GitHub Desktop.
Dump of the script I wrote solving Jobert's CTF (https://twitter.com/jobertabma/status/894066834927796224)
<?php
// OK, so here's the hex from the instructions...
$lines =<<<LINES
7b 0a 20 a0 22 65 76 e5
6e 74 22 ba 20 22 70 e1
73 73 77 ef 72 64 5f e3
68 61 6e e7 65 22 2c 8a
20 20 22 f5 73 65 72 ee
61 6d 65 a2 3a 20 22 e2
63 6f 6c ec 69 6e 22 ac
0a 20 20 a2 6f 6c 64 df
70 61 73 f3 77 6f 72 e4
22 3a 20 a2 3a 5c 78 c3
37 5c 78 c6 34 5c 6e dc
78 41 46 a9 29 37 43 dc
78 31 35 dc 78 44 30 dc
78 46 33 dc 78 44 45 e9
55 3b 22 ac 0a 20 20 a2
6e 65 77 df 70 61 73 f3
77 6f 72 e4 22 3a 20 a2
39 5c 78 c6 41 5c 78 b9
39 5c 78 c3 41 5c 78 c5
44 5c 78 c6 32 58 53 c7
5c 78 44 c4 2d 5c 78 c3
32 5c 78 b8 45 7a 48 eb
22 2c 0a a0 20 22 74 e9
6d 65 73 f4 61 6d 70 a2
3a 20 31 b5 30 31 38 b5
38 38 36 b0 30 30 30 8a
7d 0a
LINES;
// Let's take a look at each byte in binary notation to make
// flipped bits a bit easier to spot.
$str = '';
foreach (explode("\n", $lines) as $line){
$line = trim($line);
$bytes = explode(" ", $line);
foreach ($bytes as $byte){
// When printed out as binary it becomes pretty clear that the MSB has
// been flipped in the 4th and 8th columns... YOU LIED TO ME, JOBERT;
// you said the LSBs had been shifted.
printf("%08b ", intval($byte, 16));
// Let's fix the high MSB and make a urlencoded string out of it.
$str .= sprintf("%%%02X", intval($byte, 16) & 0b01111111);
}
echo PHP_EOL;
}
// We have 'JSON' :)
$json = urldecode($str);
echo $json;
/*
{
"event": "password_change",
"username": "bcollin",
"old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
"new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
"timestamp": 1501858860000
}
*/
// \xNN sequences?! This isn't valid JSON, Jobert ಠ_ಠ
// I'll just copy and paste the strings like some kind of monster.
$old = ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;";
$new = "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk";
// Oh hey, *reverse* the passwords... I tried reversing the raw bytes first,
// it took me longer than it should have done to bother just revsering the hex string...
// I also tried a ton of other stuff that didn't work, but never mind all of that...
$oldhash = strrev(unpack("H*", $old)[1]);
var_dump($oldhash);
// string(32) "b35596ed3f0d5134739292faa04f7ca3"
// A quick good search reveals it to be md5(md5('p4ssw0rd'))
// That's the old password sorted.
$newhash = strrev(unpack("H*", $new)[1]);
var_dump($newhash);
// string(32) "b684a7e82cd2dd7435852fdeac99af93"
// Google doesn't find a result for this one :(
// Let's try a few things... Thank you, Daniel Miessler...
$fh = fopen('/home/tom/src/github.com/danielmiessler/SecLists/Passwords/rockyou.txt', 'r');
if (!$fh) die('wat');
while(true) {
$test = trim(fgets($fh));
if (md5(md5($test)) == $newhash){
echo "Password: ". $test.PHP_EOL;
break;
}
}
fclose($fh);
// This *is* crazy! Hurrah for brute force!
// Confirmation:
if (md5(md5('thisiscrazy')) == $newhash) {
echo "You're an Evil man, Jobert.";
}
@tomnomnom
Copy link
Author

  1. Printed the hex as binary and spotted the flipped MSBs in every 4th byte
  2. Flipped the bits and tried to decode the JSON, but it wasn't valid JSON
  3. Thought the invalid JSON was some kind of clue and spent far too long trying to figure out what that clue might be
  4. Gave up on that and just copy+pasted the strings into new variables to play with them
  5. Noted they're 128 bits long, didn't think you'd be evil enough to use something obscure like snefru, so I assumed it'd be MD5
  6. Tried and failed to crack the hashes
  7. Went back to the instructions and re-read them several times
  8. Noticed 'reverse both passwords' and decided to take it literally
  9. Messed around with reversing the raw bytes to no avail
  10. Complained about getting stuck in the BBF Slack
  11. Immediately realised I'm an idiot and tried reversing the hex strings instead of the raw bytes
  12. Google got me the old password
  13. Google did not get me the new password
  14. A dictionary and brute-force got me the new password

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment