PicoCTF - keygenme-py - Reverse

-
pico

Looking at the keygenme-trial.py

Instead of running the script right away, it is best practice to read the source code, right?

username_trial = "GOUGH"
bUsername_trial = b"GOUGH"

key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

This will be obvious later, next of course the flag! Or here it is called the key. It is comprised of two static parts, and a dynamic part:

key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

Great… maybe we can have a look at how the dynamic part is generated?
Dynamic key

To check the validity of the dynamic key, the following function is used :

def check_key(key, username_trial):

    global key_full_template_trial

    if len(key) != len(key_full_template_trial):
        return False
    else:
        # Check static base key part --v
        i = 0
        for c in key_part_static1_trial:
            if key[i] != c:
                return False

            i += 1

First, check if the key is even long enough! After that check if we have the 1st static part correct (we can copy and paste, right?). Now the iterator i is at our dynamic part, and here is the if tree that checks our dynamic key:
These are the our varibles.

       # TODO : test performance on toolbox container
       # Check dynamic part --v
       if key[i] != hashlib.sha256(username_trial).hexdigest()[4]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[5]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[3]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[6]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[2]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[7]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[1]:
           return False
       else:
           i += 1

       if key[i] != hashlib.sha256(username_trial).hexdigest()[8]:
           return False



       return True

This is how our licence key checked. we have a bunch of indexes: 4,5,3,6,2,7,1,8. How do we use these? Well first a sha256 hash of the username is ‘GOUGH’ calculated and then we pick the corresponding character. This is pretty easy to script.

#! /usr/bin/env/ python3
import hashlib

key_part_static1_trial = "picoCTF{1n_7h3_|<3y_of_"
key_part_dynamic1_trial = "xxxxxxxx"
key_part_static2_trial = "}"
key_full_template_trial = key_part_static1_trial + key_part_dynamic1_trial + key_part_static2_trial

username = b"GOUGH"
potential_dynamic_key = ""
Indexes = [4,5,3,6,2,7,1,8]

for I in Indexes:
	potential_dynamic_key += hashlib.sha256(username).hexdigest()[I]

key = key_part_static1_trial + potential_dynamic_key + key_part_static2_trial
print(key)

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t...
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht...
Read more

Nmap - TryHackMe!

-
Image
nmap Task 2 What networking constructs are used to direct traffic to the right application on a server? ports How many of these are available on any network-enabled computer? 65535 [Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)? 1024 Task 3 What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)? -sS Which switch would you use for a “UDP scan”? -sU If you wanted to detect which operating system the target is running on, which switch would you use? -O Nmap provides a switch to detect the version of the services running on the target. What is this switch? -sV The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity? -v Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two? (Note: it’s highly advisable to a...
Read more