Tags: cryptography 

Rating: 4.0

# SALTY

```
Our l33t hackers hacked a bulletin board and gained access to the database. We need to find the admin password.

The users database info is:

Username:admin

Passwordhash:2bafea54caf6f8d718be0f234793a9be

Salt:04532@#!!

We know from the source code that the salt is put AFTER the password, then hashed. We also know the user likes to use lowercase passwords of only 5 characters long.

The flag is the plaintext password.
```

The hash is 32 hex characters long, so the hashing function must be MD5. Let's write a Python brute-force script:

```python
import itertools
import hashlib
import string

pwd_hash = '2bafea54caf6f8d718be0f234793a9be'
salt = b'04532@#!!'

# Try every 5-letter lowercase candidate (26**5 combinations).
for key in itertools.product(string.ascii_lowercase, repeat=5):
    key = ''.join(key).encode()
    # The salt is appended AFTER the password before hashing.
    if hashlib.md5(key + salt).hexdigest() == pwd_hash:
        print('key =', key.decode())
        break
```

Response:

```
key = 'brute'
```

Flag: `brixelCTF{brute}`
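Why the salt did not help here, as an added example that is not part of the original writeup: a known salt only defeats precomputed tables, so the cost of exhausting the 5-letter keyspace depends entirely on how slow one hash is. The sketch below puts the challenge's `md5(password + salt)` beside a PBKDF2 form and estimates the full-keyspace time for each on the local machine; the function names, the random 16-byte salt and the 600,000 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
import time

# Keyspace from the challenge: 5 lowercase letters.
KEYSPACE = len(string.ascii_lowercase) ** 5  # 11,881,376 candidates


def weak_hash(password: bytes, salt: bytes) -> str:
    """The challenge's scheme: a single MD5 pass over password + salt."""
    return hashlib.md5(password + salt).hexdigest()


def strong_hash(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Hardened form: PBKDF2-HMAC-SHA256 (the iteration count is an assumed setting)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(password: bytes, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt, iterations), stored)


def exhaustion_seconds(hash_fn, salt: bytes, rounds: int) -> float:
    """Time one guess on this machine and scale it to the whole keyspace."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn(b"aaaaa", salt)
    return (time.perf_counter() - start) / rounds * KEYSPACE


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample: random per-user salt
    stored = strong_hash(b"brute", salt)
    print("verify ok:", verify(b"brute", salt, stored))
    fast = exhaustion_seconds(weak_hash, b"04532@#!!", 100_000)
    slow = exhaustion_seconds(strong_hash, salt, 3)
    print(f"MD5 + salt, full keyspace: {fast:.1f} s")
    print(f"PBKDF2, full keyspace:     {slow / 86400:.1f} days")
```

The slow hash raises the per-guess cost but does not rescue a 5-character lowercase password outright, so a minimum length policy still matters alongside it.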

Original writeup (https://github.com/Pynard/writeups/blob/main/2020/BRIXEL/challenges/salty.md).