I've come up with an extremely secure(tm) way to store my password, no one will be able to reverse it! I've hashed it with md5 100 times, then sha256 100 times, then sha512 100 times! There's no way you're going to be able to undo it >:3 I'll even tell you it was in the RockYou database, and the password is 10 characters long, that's how confident I am!
The flag is in the format: swampCTF{RockYouPassword}
As a reminder, please don't flood our infrastructure with guesses.
Hashed Password (Flag): f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc
Note: The entire flag (swampCTF{rockyoupassword}) was hashed to get the provided hash, not just rockyoupassword
Before taking any active steps, let's work out what we are dealing with and how to approach it. A password from "rockyou.txt", 10 characters long, was inserted into the "swampCTF{}" flag, and the whole flag, password included, was then hashed. The hashing order is: 100 rounds of md5, then 100 rounds of sha256, then 100 rounds of sha512, each round hashing the raw digest produced by the previous one. Reversing the chain is of course impossible, but it doesn't need to be: the candidate space is tiny. Extract every 10-character entry from "rockyou.txt", wrap each one in swampCTF{...}, run it through the same chain, and compare the result with the given hash "f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc". Stacking fast hashes like this adds no meaningful cost to the attacker: 300 hash calls per candidate is cheap, so the whole filtered wordlist can be tried offline without touching the organisers' infrastructure.
Let's write the following code in Python:
```python
import hashlib
import sys


def multihash(password):
    """Hash swampCTF{password} through the challenge's chain and return the hex digest."""
    s = f"swampCTF{{{password}}}".encode('utf-8')
    # MD5 100 times; each round hashes the raw digest of the previous round
    for _ in range(100):
        s = hashlib.md5(s).digest()
    # SHA256 100 times
    for _ in range(100):
        s = hashlib.sha256(s).digest()
    # SHA512 100 times
    for _ in range(100):
        s = hashlib.sha512(s).digest()
    return s.hex()


target_hash = "f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc"

# Read rockyou.txt from the current directory, keep only the entries that are
# exactly 10 characters long, hash each one and compare with the target hash.
# errors='ignore' drops the non-UTF-8 bytes that rockyou.txt contains, so a few
# entries are silently altered; the target password is plain ASCII, so it is
# unaffected here.
with open('rockyou.txt', 'r', errors='ignore') as f:
    for line in f:
        password = line.rstrip('\n')  # only remove the newline; spaces may be part of the password
        if len(password) == 10:
            computed_hash = multihash(password)
            if computed_hash == target_hash:
                print(f"Found password: {password}")
                print(f"Flag: swampCTF{{{password}}}")
                sys.exit(0)

print("Password not found in the rockyou.txt dataset or there was an error...")
```
The code is simple enough. We loop over each password and, if it is 10 characters long, call multihash() to compute the 300-hash chain. If the computed hash equals the target hash, that's our flag! Running it against rockyou.txt prints:
Found password: secretcode
Flag: swampCTF{secretcode}
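The same search, as an added example that is not part of the original writeup, written so that the hash chain is a parameter (other orders or round counts can be tried without touching the search code) and the wordlist is read as raw bytes, because rockyou.txt is not clean UTF-8 and decoding it with errors='ignore' silently alters some entries. The function names, hash_chain, flag_hash and crack, are my own; SAMPLE_WORDLIST is a constructed stand-in for the file, and in practice you would pass open("rockyou.txt", "rb") in its place.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Target hash from the challenge text.
TARGET_HEX = (
    "f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f8"
    "99389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc"
)

# The chain described in the challenge as (hashlib algorithm name, rounds).
# Kept as data so a different order or round count is a one-line change.
CHAIN = (("md5", 100), ("sha256", 100), ("sha512", 100))

# Constructed sample wordlist standing in for rockyou.txt: raw lines exactly
# as a file opened in binary mode would yield them.
SAMPLE_WORDLIST = [
    b"123456\n",
    b"password\n",
    b"iloveyou12\n",
    b"secretcode\n",
    b"qwertyuiop\n",
]


def hash_chain(data: bytes, chain=CHAIN) -> bytes:
    """Feed data through each algorithm in turn; every round hashes the raw
    digest (not the hex string) of the previous round."""
    for algo, rounds in chain:
        for _ in range(rounds):
            data = hashlib.new(algo, data).digest()
    return data


def flag_hash(password: bytes, chain=CHAIN) -> str:
    """Hex digest of the whole flag, swampCTF{password}, hashed as the challenge does."""
    return hash_chain(b"swampCTF{" + password + b"}", chain).hex()


def crack(target_hex: str, wordlist: Iterable[bytes], length: Optional[int] = 10,
          chain=CHAIN) -> Tuple[Optional[bytes], int]:
    """Return (password, candidates_tried); password is None if nothing matched.
    length=None disables the length filter. Lines are handled as bytes so the
    non-UTF-8 entries in rockyou.txt are tried unchanged; the length filter
    therefore counts bytes, which equals characters only for ASCII entries."""
    target = bytes.fromhex(target_hex)
    tried = 0
    for line in wordlist:
        word = line.rstrip(b"\r\n")  # strip the line ending only; spaces may be part of the password
        if length is not None and len(word) != length:
            continue
        tried += 1
        if hash_chain(b"swampCTF{" + word + b"}", chain) == target:
            return word, tried
    return None, tried


if __name__ == "__main__":
    found, tried = crack(TARGET_HEX, SAMPLE_WORDLIST)
    print(f"tried {tried} candidates, found: {found}")
```

If the "10 characters" hint is ever ambiguous for non-ASCII entries, run once with length=10 and once with length=None; the second pass costs only the extra hash calls, which is the point of the exercise: a chain of fast hashes, however long, is not a key-derivation function.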
Action | Rating | Author team
---|---|---
Read writeup | not rated | P4rad0x
Read writeup | not rated | V4L1D4T0R