[Web] Isoar | Midnight Sun CTF Writeup 2018

This one wasn't difficult... just very long.

Firstly, I saw the whole website, in which you wrote a password and it told you some info about it, like its length, the same chars it shared with other passwords, the upper and lowercase letter counts or digits, among other stuff.


Now, you see that tiny grey box in the bottom right corner? When you clicked on it, the admin login modal appeared.
If you read the description, it said that they had a list of 1000 publicly known passwords, to which they appended theirs, the admin password.

I didn't look further, but in the end it was revealed that the list with 1000 passwords could be found in robots.txt.
I just googled a lot, and I found the list that perfectly matched the results that were given in the premium password meter. I checked the passwords with a script I will share at the end.

So for example, if we wrote the word starwars in the password meter:


The fourth character, that is the letter r, appeared in 391 words in the password list. Then I checked the password list I had for words that had the letter r in them.


So if I had 390 words with the letter in them in my local password list, and they had 391 words with that letter, that meant that the admin password had the letter r in it!
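The comparison described above, as an added example that is not part of the original post or the challenge's code: a simulated meter whose statistics include a secret, next to one whose statistics cover the public list only. The word list, the secret `hunter2` and all function names are constructed for illustration.

```python
import string

# Constructed sample data: a tiny stand-in for the 1000-word public list,
# plus a made-up secret appended the way the challenge description said.
PUBLIC_LIST = ["starwars", "dragon", "monkey", "letmein", "qwerty", "shadow"]
SECRET = "hunter2"  # constructed, not the challenge's admin password
ALPHABET = string.ascii_lowercase + string.digits


def words_containing(ch, words):
    """Number of words that contain ch at least once (each word counted once)."""
    return sum(1 for w in words if ch in w)


def meter_counts(words, alphabet=ALPHABET):
    """Per-character counts a meter reports when its statistics cover `words`."""
    return {ch: words_containing(ch, words) for ch in alphabet}


def leaked_chars(local_words, reported):
    """Characters whose reported count exceeds the local count by exactly one."""
    return sorted(ch for ch, n in reported.items()
                  if n - words_containing(ch, local_words) == 1)


# Leaky design: statistics computed over the public list plus the secret.
leaky = meter_counts(PUBLIC_LIST + [SECRET])
# Corrected design: statistics computed over the public list only.
fixed = meter_counts(PUBLIC_LIST)

if __name__ == "__main__":
    print("leaky meter reveals:", leaked_chars(PUBLIC_LIST, leaky))
    print("fixed meter reveals:", leaked_chars(PUBLIC_LIST, fixed))
```

With the secret kept out of the corpus the meter's numbers match the local list exactly, so the difference carries no information about it.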

I didn't go much further, mostly because I was convinced that that wasn't the way to get the password and there was a much easier way. Boy, I was wrong :)
Admins later told me that it just took a looooong long time. *Sigh*

I will leave here my script.

# Count the words in the local password list and how many of them
# contain a given character (here 'r').
count = 0
char_counter = 0

# Read the whole list as bytes, whatever its size.
with open("<path_to_list.txt>", "rb") as file:
    passwords = file.read()

for line in passwords.splitlines():
    big_list = line.decode("utf-8")

    if len(big_list) > 0:
        # Optional positional filter: if big_list[5] == 'r':
        print('word: ', big_list + ' length: ', len(big_list))
        count = count + 1

        # Count each word once, however many times the letter occurs in it.
        if 'r' in big_list:
            char_counter = char_counter + 1
            print('word: ', big_list + ' letter: ', 'r')

print("Words in list: ", count)
print("Words with the character: ", char_counter)

Github: https://github.com/tanktacle/scripts/blob/master/length_and_character_count.py
