Tags: web pcap hash cookies 


> People seem to have some doohickey that lets them login with a code...

Again, we have the same PCAP.

There are 4 instances, where a POST request is sent to `/staff.html` with a `passcode` using the following values:

5004f47a 01c7aeb1 097b3acf 54f03ae2

Unfortunately, just replaying those values causes an error message, even if the `WifiKey nonce` cookie is set like in the capture.

One notices, that in the browser an additional cookie called `WifiKey alg` (with a value of `SHA1`) is set, which is not present in the capture.

Analysing the package from the capture which used `WifiKey nonce=MjAyMC0wNC0wOCAxNzowMw==` and the passcode `097b3acf`, we can decode the nonce and findo out how the passcode is created:

echo "MjAyMC0wNC0wOCAxNzowMw=="|base64 -d
2020-04-08 17:03
echo -n "MjAyMC0wNC0wOCAxNzowMw=="|sha1sum
097b3acf84e6ed9e66f285cf3750b4ff89da48dc -

So all we gotta do is open the webpage, grep the nonce we retrieve, hash it with SHA-1 and send the first 8 characters as the passcode. As long as we do this within one minute, we get the flag:

Flag: **DawgCTF{k3y_b@s3d_l0g1n!}**