> People seem to have some doohickey that lets them login with a code...
http://freewifi.ctf.umbccd.io/

Again, we have the same PCAP.

There are 4 instances where a POST request is sent to /staff.html with a passcode, using the following values:

5004f47a 01c7aeb1 097b3acf 54f03ae2

Unfortunately, just replaying those values causes an error message, even if the WifiKey nonce cookie is set like in the capture.

In the browser, an additional cookie called WifiKey alg (with a value of SHA1) is set, which is not present in the capture.

Analysing the packet from the capture that used WifiKey nonce=MjAyMC0wNC0wOCAxNzowMw== and the passcode 097b3acf, we can decode the nonce and find out how the passcode is created:

```bash
echo "MjAyMC0wNC0wOCAxNzowMw=="|base64 -d
2020-04-08 17:03
echo -n "MjAyMC0wNC0wOCAxNzowMw=="|sha1sum
097b3acf84e6ed9e66f285cf3750b4ff89da48dc -
```


So all we gotta do is open the webpage, grab the nonce we retrieve, hash the Base64 string (not the decoded timestamp) with SHA-1 and send the first 8 characters of the hex digest as the passcode. As long as we do this within one minute, we get the flag:

Flag: **DawgCTF{k3y_b@s3d_l0g1n!}**
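The derivation above, as an added example that is not part of the original writeup or the challenge's code: it reproduces the captured passcode from the captured nonce and models the check to show why an unkeyed hash of a public nonce authenticates nobody. The function names, the `server_accepts` model, the HMAC variant and the secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime

# Nonce/passcode pair taken from the capture discussed above.
CAPTURED_NONCE = "MjAyMC0wNC0wOCAxNzowMw=="
CAPTURED_PASSCODE = "097b3acf"


def nonce_time(nonce_b64):
    """Decode the nonce cookie: a Base64 timestamp with minute resolution."""
    text = base64.b64decode(nonce_b64, validate=True).decode("ascii")
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def unkeyed_passcode(nonce_b64, alg="SHA1"):
    """Scheme seen in the capture: hash the Base64 text, keep 8 hex chars."""
    digest = hashlib.new(alg.lower(), nonce_b64.encode("ascii")).hexdigest()
    return digest[:8]


def keyed_passcode(secret, nonce_b64):
    """Assumed alternative (not from the page): HMAC with a device secret."""
    mac = hmac.new(secret, nonce_b64.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:8]


def server_accepts(nonce_b64, passcode, now, secret=None):
    """Assumed model of the check: nonce from the current minute, code matches."""
    if nonce_time(nonce_b64) != now.replace(second=0, microsecond=0):
        return False  # stale nonce, which is why replaying the capture fails
    if secret is None:
        expected = unkeyed_passcode(nonce_b64)
    else:
        expected = keyed_passcode(secret, nonce_b64)
    return hmac.compare_digest(expected, passcode)


if __name__ == "__main__":
    in_window = datetime(2020, 4, 8, 17, 3, 41)  # constructed clock values
    later = datetime(2020, 4, 8, 17, 4, 5)
    print(unkeyed_passcode(CAPTURED_NONCE) == CAPTURED_PASSCODE)
    print(server_accepts(CAPTURED_NONCE, CAPTURED_PASSCODE, in_window))
    print(server_accepts(CAPTURED_NONCE, CAPTURED_PASSCODE, later))
    # With a keyed scheme, the value anyone can compute from the nonce is rejected.
    print(server_accepts(CAPTURED_NONCE, CAPTURED_PASSCODE, in_window,
                         secret=b"constructed-device-secret"))
```

Everything the unkeyed scheme depends on (nonce, algorithm name, truncation length) is visible to the client, so the passcode proves nothing about who computed it; the keyed variant ties it to a secret that never crosses the wire.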