Tags: web 

Rating: 4.0

If you look at the source of the login, you'll notice that it's simple JS code. Simply run the code without the `http.createServer(function (req, res)` function. It would look like:

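```js
const crypto = require('crypto');

// Obfuscated string table: decodes to ["hex", "randomBytes"]
var _0x86d1=["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"];

function generatePart1() {
    // `x:` is parsed as a label and nothing is returned, so this yields undefined
    x: crypto[_0x86d1[1]](8)
}

function generatePart2() {
    return [+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]];
}

var passwd = generatePart1() + generatePart2();
console.log(passwd); // undefined1337
```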

This will give you `undefined1337`, and entering this as the password you'll get `flag{W0w_1_gu3ss_th1s`. This is one of the three parts.
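The string table and the bracket arithmetic in the snippet above can also be decoded statically, without executing the script. This is an added example, not part of the challenge source or the original writeup; the function names are hypothetical and only the digit-group shape seen in `generatePart2` is handled:

```javascript
// Added example: static decoding of the two obfuscation layers used above.

// Layer 1: "\xNN" escapes as they appear in the source text of the string table.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Layer 2: bracket arithmetic. `!+[]` is `true`; `+true` or a sum of several
// `true` values is a number n, `[n]` stringifies to "n", and `[a]+[b]`
// concatenates those strings. A lone `[!+[]]` would be "true", so it is rejected.
const GROUP = String.raw`\[(?:\+T(?:\+T)*|T(?:\+T)+)\]`;
const SHAPE = new RegExp(`^${GROUP}(?:\\+${GROUP})*$`);

function decodeBracketDigits(expr) {
  const compact = expr.replace(/\s+/g, "").replace(/!\+\[\]/g, "T");
  if (!SHAPE.test(compact)) {
    throw new Error("unsupported expression shape");
  }
  return compact
    .split("]+[")
    .map((group) => String(group.match(/T/g).length))
    .join("");
}

// Constructed inputs: the two obfuscated literals, copied as text from the snippet.
const TABLE_SRC = String.raw`["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"]`;
const PART2_SRC =
  "[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]";

function decodeSample() {
  return {
    table: JSON.parse(decodeHexEscapes(TABLE_SRC)),
    part2: decodeBracketDigits(PART2_SRC),
  };
}

console.log(decodeSample());
```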

Now moving to login2. It's a PHP script, and on line 4 we see `if (hash("md5", $_GET['passwd']) == '0e514198428367523082236389979035')`, meaning that whatever password we supply is hashed and then compared to the given hash, i.e. `0e514198428367523082236389979035`, so all we have to do is reverse the hash. Just go to [this site](https://www.md5online.org/) and boom, you'll get `R3>M=`. This password will give you `t0_be_4_pr3tty_`.

Moving on to login3, we see it's a Flask server. The thing to note here is lines 19 and 20, i.e.

```python
assert(len(passwd) == 3)
```

This means our passwd must be of length 3 and should consist only of digits. That's easy to figure out, but one thing that can confuse us here is the assumption that a 3-digit password must be between 100 - 999. That's not the case here. The number `001` is also a 3-digit number and it's not between 100-999. Okay, so now we know what we have to do, so we `automate boring stuff with python`

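```python
import requests

# Page returned for a wrong password: just the bare login form
s = """<html><body><form method="get"><input type="text" name="passwd" value="password"><input type="submit" value="login" /></form></body></html>"""

for i in range(0, 1000):
    print("TRYING >> ", i)
    # %03d zero-pads the number, so 1 is sent as 001
    url = "http://login3.uni.hctf.fun/?passwd=%03d" % i
    r = requests.get(url).content
    # Any response other than the login form means the password was accepted
    if s != r.decode('utf-8'):
        print(r.decode('utf-8'))
        break
```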

Now this is not the best code but hey it works :)

From the above code we get `007`. Entering that, we get `4_d4mn_l0ng_fl4g}`.

Now combine all three flag parts and we get: `flag{W0w_1_gu3ss_th1s_t0_be_4_pr3tty_4_d4mn_l0ng_fl4g}`