Crypto II (20pts) write-up
CTF: CIBERSEG 2017
URL: https://ciberseg.uah.es/ctf.html
CAT: crypto

A hash challenge in UAH password format:

For those who are not UAH students:
The UAH password format is: 3 lowercase letters, 1 special character and 4 numbers.

Note: the flag format is 'flag{}'

In this challenge, the following hashed passwords from the UAH are provided:

Hint: format of the passwords is: 3 lowercase, 1 special character, 4 numbers.

Note: flag format is flag{}

(1) HASH IDENTIFICATION

The first step is to identify the hash type. We can use the 'hash-identifier' tool, included in Kali:

We get the same result for the 3 hashes.

(2) BRUTE-FORCE ATTACK ON THE SECOND HASH USING HASHCAT

We start a brute-force attack against the second hash, using the 'hashcat' tool included in Kali and specifying 'SHA1' as the hashing algorithm:

Parameters used:

-m 100: SHA1 algorithm (see https://hashcat.net/wiki/doku.php?id=example_hashes)

hashes.txt: file containing the hashes.

Results:

1e230c2310c38677c2d1f9bf358539616f2fd89a:uah#5674

We try the same attack against the other two hashes, using other candidate algorithms, to no avail:

Double SHA1:

sha1(sha1(sha1($pass)))

sha1(md5($pass))

MySQL4.1/MySQL5+

We also try permutations using our own custom charsets:

Other combinations:

LLLSDDDD
DDDDSLLL
SLLLDDDD
SDLLLDDD
SDDLLLDD
SDDDLLLD
DLLLSDDD
DDLLLSDD
DDDLLLSD
DDDDLLLS
LLLDDDDS
LLLDDDSD
LLLDDSDD
LLLDSDDD

In the end, this approach is too complex and time-consuming.
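
The masks used in this section can be sized directly. The following is an added example, not part of the original write-up and not hashcat's code: it computes the keyspace of a mask written in the L/S/D notation above and runs the same mask search in miniature against a constructed SHA-1 hash. The 33-symbol special class and the known_prefix parameter are assumptions made for the demo.

```python
import hashlib
import itertools
import math
import string

# Character classes for the mask letters used in the write-up (L, S, D).
# Assumption: "special" means the 32 ASCII punctuation marks plus space,
# the same 33 symbols as hashcat's ?s class.
CLASSES = {
    "L": string.ascii_lowercase,
    "D": string.digits,
    "S": string.punctuation + " ",
}

def keyspace(mask):
    """Number of candidate passwords a mask such as 'LLLSDDDD' allows."""
    return math.prod(len(CLASSES[c]) for c in mask)

def entropy_bits(mask):
    """Strength of the policy in bits, assuming uniformly random choices."""
    return math.log2(keyspace(mask))

def candidates(mask, known_prefix=""):
    """Yield every string matching the mask that starts with known_prefix."""
    if len(known_prefix) > len(mask) or any(
        ch not in CLASSES[m] for ch, m in zip(known_prefix, mask)
    ):
        return  # the prefix cannot match this mask at all
    tail_sets = [CLASSES[m] for m in mask[len(known_prefix):]]
    for tail in itertools.product(*tail_sets):
        yield known_prefix + "".join(tail)

def recover(sha1_hex, mask, known_prefix=""):
    """Return the plaintext whose unsalted SHA-1 equals sha1_hex, else None."""
    target = bytes.fromhex(sha1_hex)
    for cand in candidates(mask, known_prefix):
        if hashlib.sha1(cand.encode()).digest() == target:
            return cand
    return None

if __name__ == "__main__":
    mask = "LLLSDDDD"
    print(f"{mask}: {keyspace(mask):,} candidates, {entropy_bits(mask):.1f} bits")
    # Constructed sample hash, not one of the challenge hashes.
    sample = hashlib.sha1(b"abc!0042").hexdigest()
    print(recover(sample, mask, known_prefix="abc!"))
```

Under these assumptions every permutation listed above has the same keyspace as LLLSDDDD, about 5.8 billion candidates or roughly 32 bits. That is why a fixed-format password policy stored as unsalted SHA-1 gives little protection.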

(3) PARTIAL KNOWN PLAINTEXT ATTACK ON THE FIRST HASH

We know that all flags start with the string 'flag{', and we use this to attack the first hash:

Results:

a522c8bf85a95c066bb2a8a85309c5c431652342:flag{

(4) RAINBOW TABLE ATTACK ON THE THIRD HASH

The last character of the last password must be '}' to comply with the flag format. We don't know whether there are more characters, but it is worth trying a rainbow table attack for the case of a lone '}'. Using this online tool:

https://hashkiller.co.uk/md5-decrypter.aspx

We get the following result:

c2b7df6201fdd3362399091f0a29550df3505b6a SHA1 : }

The flag is: