Tags: web

Rating: 4.0

If you'll look at the source of the login, you'll notice that it's a simple JS code. Simpliy run the code without http.createServer(function (req, res) function. So it would look like:

const crypto = require('crypto');

var _0x86d1=["\x68\x65\x78","\x72\x61\x6E\x64\x6F\x6D\x42\x79\x74\x65\x73"];

function generatePart1() {
return
{
x: crypto[_0x86d1[1]](8)

}[x].toString(_0x86d1[0]);
}
function generatePart2() {
return [+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]];
}

passwd = generatePart1() + generatePart2();
console.log(passwd)

This will give you undefined1337  and entering this as a password you'll get flag{W0w_1_gu3ss_th1s. This is one of the three part.

Now moving to login2. It's a PHP and on line 4 we see  if (hash("md5", \$_GET['passwd']) == '0e514198428367523082236389979035') meaning whatever our password is hashed and then compared to the given hash i.e 0e514198428367523082236389979035 so all we have to do is reverse the hash. Just go on [this](https://www.md5online.org/) and boom you'll get R3>M=. This password will give you  t0_be_4_pr3tty_.

Going on Login3 we see it's flask server. The thing to be noted here is line 19 and 20 i.e

assert(len(passwd) == 3)
assert(passwd.isdigit())
This mean our passwd must be of length 3 and should only be digit. That's easy to figure out but one thing that can confuse us here is that if password is 3 digit then it will be between 100 - 999. That's not the case here. Number 001 is also a 3 digit number and it's not between 100-999. Okay so now we know what we have to do so we automate boring stuff with python

import os
import requests
for i in range(0, 1000):
print("TRYING >> ", i)
From above code we get 007. Entering that we get  4_d4mn_l0ng_fl4g}
Now combine all the three flags and we get: flag{W0w_1_gu3ss_th1s_t0_be_4_pr3tty_4_d4mn_l0ng_fl4g}