picoCTF General Skills Guide

here's how to solve PW Crack 4

Back to the General Skills Guides

PW Crack 4

Name: PW Crack 4
Description: Can you crack the password to get the flag? Download the password checker here and you'll need the encrypted flag and the hash in the same directory too. There are 100 potential passwords with only 1 being correct. You can find these by examining the password checker script.
Author: LT 'syreal' Jones
Tags: Medium, General Skills, Beginner picoMini 2022, password_cracking, hashing
Challenge from: Beginner picoMini 2022
Files: level4.py, level4.flag.txt.enc, level4.hash.bin
Hints:
1. A for loop can help you do many things very quickly.
2. The str_xor function does not need to be reverse engineered for this challenge.

Theory

According to the description, to get the flag we have to know what password it is to get the original flag, since it has been encoded in what seems to be XOR encryption, which is reversible by itself, which is a really cool cryptographic method that I use often to encrypt some of my messages. Anyways, now there's even more possibilities, which doesn't really matter because the loop we made earlier works with whatever amount of items the array has, so we'll just pluck that in and should be fine.

Solution

Let's download the files into a same folder, and see what the python has (I've removed the XOR part and the hashing parts because it's a little in the way, but you still need it in the code for it to work):

flag_enc = open('level4.flag.txt.enc', 'rb').read()
correct_pw_hash = open('level4.hash.bin', 'rb').read()

def level_4_pw_check():
    user_pw = input("Please enter correct password for flag: ")
    user_pw_hash = hash_pw(user_pw)
    
    if( user_pw_hash == correct_pw_hash ):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print("That password is incorrect")

level_4_pw_check()

pos_pw_list = ["158f", "1655", "d21e", "4966", "ed69", "1010", "dded", "844c", "40ab", "a948", "156c", "ab7f", "4a5f", "e38c", "ba12", "f7fd", "d780", "4f4d", "5ba1", "96c5", "55b9", "8a67", "d32b", "aa7a", "514b", "e4e1", "1230", "cd19", "d6dd", "b01f", "fd2f", "7587", "86c2", "d7b8", "55a2", "b77c", "7ffe", "4420", "e0ee", "d8fb", "d748", "b0fe", "2a37", "a638", "52db", "51b7", "5526", "40ed", "5356", "6ad4", "2ddd", "177d", "84ae", "cf88", "97a3", "17ad", "7124", "eff2", "e373", "c974", "7689", "b8b2", "e899", "d042", "47d9", "cca9", "ab2a", "de77", "4654", "9ecb", "ab6e", "bb8e", "b76b", "d661", "63f8", "7095", "567e", "b837", "2b80", "ad4f", "c514", "ffa4", "fc37", "7254", "b48b", "d38b", "a02b", "ec6c", "eacc", "8b70", "b03e", "1b36", "81ff", "77e4", "dbe6", "59d9", "fd6a", "5653", "8b95", "d0e5"]

Now we have even more options, as I said earlier, we'll use the same for loop because the amount of stuff in the array doesn't matter since it loops through all of them (I'll also print the current password on the incorrect or correct thing):

flag_enc = open('level4.flag.txt.enc', 'rb').read()
correct_pw_hash = open('level4.hash.bin', 'rb').read()

def level_4_pw_check(pos_pw_list):
  for item in pos_pw_list:
    user_pw = item
    user_pw_hash = hash_pw(user_pw)
    
    if( user_pw_hash == correct_pw_hash ):
        print(item, "flag:")
        decryption = str_xor(flag_enc.decode(), user_pw)
        print(decryption)
        return
    print(item, "is incorrect")

pos_pw_list = ["158f", "1655", "d21e", "4966", "ed69", "1010", "dded", "844c", "40ab", "a948", "156c", "ab7f", "4a5f", "e38c", "ba12", "f7fd", "d780", "4f4d", "5ba1", "96c5", "55b9", "8a67", "d32b", "aa7a", "514b", "e4e1", "1230", "cd19", "d6dd", "b01f", "fd2f", "7587", "86c2", "d7b8", "55a2", "b77c", "7ffe", "4420", "e0ee", "d8fb", "d748", "b0fe", "2a37", "a638", "52db", "51b7", "5526", "40ed", "5356", "6ad4", "2ddd", "177d", "84ae", "cf88", "97a3", "17ad", "7124", "eff2", "e373", "c974", "7689", "b8b2", "e899", "d042", "47d9", "cca9", "ab2a", "de77", "4654", "9ecb", "ab6e", "bb8e", "b76b", "d661", "63f8", "7095", "567e", "b837", "2b80", "ad4f", "c514", "ffa4", "fc37", "7254", "b48b", "d38b", "a02b", "ec6c", "eacc", "8b70", "b03e", "1b36", "81ff", "77e4", "dbe6", "59d9", "fd6a", "5653", "8b95", "d0e5"]

level_4_pw_check(pos_pw_list)

Now just execute it and we should be good to go:

C:\Users\shukularuni\Documents\pwc\lvl4>python level4.py
158f is incorrect
1655 is incorrect
d21e is incorrect
4966 is incorrect
...
59d9 is incorrect
fd6a is incorrect
5653 is incorrect
8b95 flag:
picoCTF{fl45h_5pr1ng1ng_cf341ff1}

There we go! That's the flag.

I rated this level as "good"! :3

https://play.picoctf.org/practice/challenge/248

Explore My Website