Tags: web 

Rating: 4.0

If you look at the source of the login, you'll notice that it's a simple piece of JS. Simply run the code without the http.createServer(function (req, res) ...) wrapper, so it looks like:

const crypto = require('crypto');

// Obfuscated string table: _0x86d1[0] is "hex", _0x86d1[1] is "randomBytes".
var _0x86d1=["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"];

function generatePart1() {
    // A bare `return` followed by a newline: automatic semicolon insertion turns
    // this into `return;`, so the object literal below is never evaluated and the
    // function returns undefined (the random bytes never reach the password).
    return
        {
            x: crypto[_0x86d1[1]](8)

        }[x].toString(_0x86d1[0]);
}
function generatePart2() {
    // JSFuck-style arithmetic on booleans and arrays: each [] holds 1, 3, 3, 7,
    // and array + array concatenates as strings, giving "1337".
    return [+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]];
}

passwd = generatePart1() + generatePart2();
console.log(passwd)

This prints undefined1337, and entering it as the password gives flag{W0w_1_gu3ss_th1s. This is the first of the three parts.

Now moving on to login2. It's PHP, and on line 4 we see if (hash("md5", $_GET['passwd']) == '0e514198428367523082236389979035'), meaning whatever our password is gets hashed and then loosely compared (==) to the given hash, i.e. 0e514198428367523082236389979035. In PHP, == between two numeric-looking strings compares them as numbers, and a hash of the form 0e followed only by digits evaluates to 0, so all we have to do is find a password whose md5 has that same 0e shape rather than actually reverse the hash. Just go on this and boom, you'll get R3>M=. This password will give you t0_be_4_pr3tty_.
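To see why that loose comparison is weak, here is an added Python check (not part of the challenge or of this writeup) that emulates PHP's == for two numeric-looking strings and puts it beside a strict, constant-time comparison; the emulation covers only the numeric-string case, and 240610708 is a widely documented sample string whose MD5 begins with 0e:

```python
import hashlib
import hmac
import re

# Hash from the challenge's login2 source: hash("md5", $_GET['passwd']) == '0e...'
TARGET = "0e514198428367523082236389979035"

# PHP treats a string as numeric when it looks like an int/float literal, so
# "0e5141..." parses as 0 * 10^5141... == 0. Simplified: no whitespace or hex forms.
NUMERIC_STRING = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: both numeric-looking -> compare as numbers."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)  # "0e..." vs "0e..." -> 0.0 == 0.0 -> True
    return a == b


def md5_hex(passwd: str) -> str:
    return hashlib.md5(passwd.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    """'0e' followed only by digits: the shape that collapses to 0 under loose ==."""
    return re.fullmatch(r"0e\d+", h) is not None


def login_loose(passwd: str) -> bool:
    """The challenge's check: any password whose MD5 is '0e' + digits passes."""
    return php_loose_equals(md5_hex(passwd), TARGET)


def login_strict(passwd: str) -> bool:
    """Hardened check (PHP: === or hash_equals): exact bytes, constant time."""
    return hmac.compare_digest(md5_hex(passwd), TARGET)


if __name__ == "__main__":
    # Constructed samples: a known 0e-hash string and an ordinary password.
    for p in ("240610708", "hunter2"):
        print(p, md5_hex(p), "loose:", login_loose(p), "strict:", login_strict(p))
```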

Moving on to login3, we see it's a Flask server. The thing to note here is lines 19 and 20, i.e.

        assert(len(passwd) == 3)
        assert(passwd.isdigit())

This means our passwd must be of length 3 and contain only digits. That's easy to figure out, but one thing that can confuse us here is assuming a 3-digit password must lie between 100 and 999. That's not the case: 001 is also a 3-digit string, and it's not between 100 and 999. Now that we know what we have to do, we automate the boring stuff with Python:

import os
import requests

# The login form page, returned whenever the password is wrong.
s = """<html><body><form method="get"><input type="text" name="passwd" value="password"><input type="submit" value="login" /></form></body></html>"""

# Try every zero-padded 3-digit string, 000 through 999 (%03d keeps the leading zeros).
for i in range(0, 1000):
    print("TRYING >> ", i)
    url = "http://login3.uni.hctf.fun/?passwd=%03d" % i
    print(os.path.basename(url))
    r = requests.get(url).content
    # Any response other than the plain login form means the password was accepted.
    if s != r.decode('utf-8'):
        print(i)
        break

Now this is not the best code but hey it works :)

From the above code we get 007. Entering that gives 4_d4mn_l0ng_fl4g}. Now combine all three parts and we get: flag{W0w_1_gu3ss_th1s_t0_be_4_pr3tty_4_d4mn_l0ng_fl4g}