HASHed

This challenge gives us the following description:

Come on, brute force it!

and a webpage that just has the text “Not here”.

Inspecting the page source shows this:

<html>
    <head>
        <!--/secr3t-dir-->
    </head>
    <body>
        <h1><center>Not here</center></h1>
    </body>
</html>

Visiting the path from the comment (/secr3t-dir) returns a file with the following text:

The hash format is: sha256 The hash to brute force is: 9d30b043b90e6ef7c56a4bfc2391a6216b2d8af391d8d89c2c92967adead5a57 after you read this delete it so you can have only the dictionary:)

followed by a lot of base64 strings. A first Python script that decoded each string, calculated the SHA-256 checksum of the decoded value, and compared it with the given checksum didn’t find the right string. It turns out that the checksum is for the base64 string itself, not the decoded string, so after tweaking the code we are left with this:

import base64
import hashlib

# SHA-256 digest given in the challenge file
target_hash = "9d30b043b90e6ef7c56a4bfc2391a6216b2d8af391d8d89c2c92967adead5a57"

def brute():
    # Dictionary of base64 strings, one per line (instruction header already deleted)
    with open('/home/cshark/Videos/dictionary.txt', 'r') as file1:
        for line in file1:
            candidate = line.strip()
            if not candidate:
                continue  # skip blank lines
            password = base64.b64decode(candidate).decode('utf-8')
            # The digest is taken over the base64 text itself, not the decoded bytes
            pass_hash = hashlib.sha256(candidate.encode('utf-8')).hexdigest()
            print("password:" + password + "; password hash:" + pass_hash)
            print("------------------------------------------------------------------------")
            if pass_hash == target_hash:
                print("Password found: " + password)
                return

if __name__ == '__main__':
    brute()

which finds the flag: Password found: abso_tech{seCreT_PaSs_HaShEd} and that concludes this challenge.
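
The first attempt failed only because the digest covered the base64 text rather than the decoded bytes. As an added example (not part of the original write-up), the following checks every plausible representation of each line and reports which one matched; the sample dictionary and target are constructed, and the function names are hypothetical.

```python
import base64
import binascii
import hashlib

def candidate_forms(line):
    """Yield (label, bytes) for each representation of one dictionary line."""
    text = line.strip()
    if not text:
        return
    raw = text.encode("utf-8")
    yield "base64 text", raw
    yield "base64 text + newline", raw + b"\n"
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return  # not valid base64 (e.g. the instruction header); nothing more to try
    yield "decoded bytes", decoded
    yield "decoded bytes + newline", decoded + b"\n"

def find_match(lines, target_hex):
    """Return (line_number, label, entry) for the first matching form, else None."""
    target = target_hex.strip().lower()
    for number, line in enumerate(lines, start=1):
        for label, data in candidate_forms(line):
            if hashlib.sha256(data).hexdigest() == target:
                return number, label, line.strip()
    return None

# Constructed sample input (not the challenge's dictionary or hash).
SAMPLE_WORDS = ["winter2024", "correct-horse", "example-secret"]
SAMPLE_LINES = ["The hash format is: sha256\n"] + [
    base64.b64encode(w.encode()).decode() + "\n" for w in SAMPLE_WORDS
]
# Digest taken over the base64 text of the third word, as in the challenge.
SAMPLE_TARGET = hashlib.sha256(SAMPLE_LINES[3].strip().encode()).hexdigest()

if __name__ == "__main__":
    print(find_match(SAMPLE_LINES, SAMPLE_TARGET))
```

The returned label tells you which form the digest was taken over, and the header line no longer has to be deleted by hand because non-base64 lines are skipped for the decoded forms.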
