stone030/WriteUps


some of AMAN CTF writeups

This is my 1st time doing a writeup, so for any adjustment plz let me know :) The writeups here are presented for educational purposes only :) For any comments you can either send them here or to Stone's social accounts directly, though I sometimes take days to reply since I don't open all my social media a lot :)

Here are writeups for some tasks from Oman AMAN ctf

Tasks:

  1. Incomplete Password (100 points)

  2. Forgot the password (80 points)

  3. Multi-shots (60 points)

  4. Sound code (40 points)

  5. Special summation (35 points)

Cryptography:

Incomplete Password 100 points:

They captured the following sha1 hash, which was used by the hacker:

827d1057ad7258b180efca5e9cc25795a1a5f622

They looked further into the network logs and only found the first few plain characters of the password the hacker used:

Om@nYg

Use your programming skills to brute-force the remaining part of the password, knowing that the system the hacker was able to compromise has the following password requirements:

  • Password must not exceed 9 characters
  • Must contain lower & capital case characters
  • Alphanumeric characters are allowed
  • Only * & @ % ^ + _ special characters are allowed
  • The password is the flag.

Here we can build a program from scratch that calculates the sha1 hash of Om@nYg and compares it to the given hash. If it matches then SuGoi!! If not, then we add characters that follow the password policy given in the task.

In my case I'm a bit lazy to complete such a code, but you can always have a glimpse at Madiox's writeup code, which is well ordered and neat👌✨.. However, stone solved it in 2 ways:

  • using John:

When attempting to brute force, we start 1st by adding one input. If we have tried all (allowed) inputs and still haven't reached the matching hash, then we add 2 inputs to the (raw) password that we are brute forcing.

When I tried brute forcing, I started with 3 inputs xD and I got nothing even tho it took more time, so I did it with 2 inputs and I got the following:

Screenshot 2021-08-18 222831

  • using hashcat:

By following the same approach, but just a little difference regarding the tool we are using:

Screenshot 2021-08-18 222955

Stone Aint giving you the result in a golden plate, but in a wooden one >:)

and as you've noticed, we didn't need the hash which they gave us in the task because it was easy since the brute forcing was short with maximum of 3 inputs! otherwise we would probably need to do the code to solve this task. and it's an easy one in python, but stone was lazy to do it.

so here is the code that MADIOX has written, you can save it to a python file and run it:

```python
import hashlib  # Library that contains the SHA1 algorithm that we need
import itertools  # Library used to build every pair of extra characters
import string  # Library that contains the ASCII character sets

# We build the set of all the allowed characters
allowed_chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + r'*&@%^+_'

# This is the provided password prefix, the r'' means we want a raw input "as-is", it saves us from escaping special characters
init_string = r"Om@nYg"
# This is the target output (the captured SHA1 hash)
target_output = r'827d1057ad7258b180efca5e9cc25795a1a5f622'


def compare_output(test_string):
    """Hash the candidate with SHA1 and compare it with the target output."""
    # We encode the test string with UTF-8 and calculate its SHA1 hash
    test_output = hashlib.sha1(test_string.encode("utf-8")).hexdigest()

    if test_output == target_output:  # We compare our test output with the target output
        # In case there's a match, we print this with the value of the secret string
        print("The hash goes YOINK!:\"{}\"".format(test_string))
        return True
    return False


# First loop: try all the possible strings with 7 characters (we add one character to the initial string)
for char1 in allowed_chars:
    test_string = init_string + char1
    if compare_output(test_string):
        break  # Match found, no need to keep trying this length

# Second loop: try all the possible strings with 8 characters (we add two characters to the initial string)
for char1, char2 in itertools.product(allowed_chars, repeat=2):
    test_string = init_string + char1 + char2
    if compare_output(test_string):  # We send the test string for SHA1 calculation and comparison with the target
        break  # Match found, stop searching
```

Forgot the password 80 points:

I have a ZIP file. Can you brute-force the password to decompress it?

This task is an easy one as well, having some tricks made it enjoyable xD

Anyway, here we have a zip file that needs a passw, you may build a python program to solve it too, but again John saves the day <:)

but before using John tools, it's a better practice to inspect the content of the zip folder. Here I used 7z which is an ideal tool to handle .zip folders:

7z l {location of the .zip folder}

like:

7z l flag.zip

We found out there is only 1 file called flag.txt, so to extract it you gotta study how the 7z tool works >:)

Now we move on.. John has active passw cracking tools to brute force archives such as .zip and .rar folders, so we gonna use zip2john tool to get the pw of the given zip folder:

Screenshot 2021-09-07 002712

And I saved the hashes in a .hash file called zip.hash, noice so far? :) cool

and you probably know why we need to store the hashes in the zip.hash that I made... because they are still (hashes) and we need to crack them, so we gonna use John himself this time to do da cracking, and you know da way >:)

well, this time i will give it away to show off some generosity:

Screenshot 2021-09-07 002617

We can see the passw of the .zip folder in the middle of the output, and if by mistake you closed the terminal, no worries coz this John stores his cracked stuff in a safe place, just use his options such as --show to reveal them again without cracking again.

now we got the flag.txt file, and it has the following:

Screenshot 2021-09-07 002313

As seen, the 9th line of the file has a looooong string, and it asks you to pull out the "special characters" since they form up the final flag!

We need a little program to do the job faster. After using my little python program, I found out that there are no special characters or numbers, so after looking thoroughly (and stone actually checked it manually), I saw that most chars are small-case, so I modified my little program to get out only upper-case chars, and SuGoi! xD

The python code looks like:

```python
# Read the extracted flag file (this is the author's local path, adjust it to yours)
with open('/home/stone/Downloads/AMANctf/forgotThePW/flag.txt', 'r') as f:
    lines = f.readlines()

# In this case, if the char isn't small then it is special, because most characters are small.
new_string = ''.join([c for c in str(lines[9]) if c.isupper()])

print(new_string)
```

Multi-shots 60 points:

To improve security, a script kiddy claimed that he made his password very hard to recognize. Can you help us reveal the password from the attached file?

Well, here they gave us a file called ciphered.___ , basically after using the command file ciphered.___ it's just an ASCII text file, but its contents are...

Screenshot 2021-09-07 125423

that is how a binary text looks like!

there are many ways to do it, some veteran people use bash script tools like perl or xxd or their own codes, but stone used something veryyyy lazy easy, which is the internet.. <:)

You can find many websites to do a lot of things for you especially when you try to solve CTFs, but as we ALWAYS say, it is a great practice to not rely on these easy ways (and the talk is meant to me as well 🗿💧 )

Anyway, I've used the following website since you can configure your preferred inputs & outputs as you wish: https://cryptii.com/pipes/binary-decoder

Screenshot 2021-09-07 125523

As we see on the right side of this online tool (the plain text side), the binary was decoded to give us another unreadable text. This text seems to be encoded with base64 (you will get used to the different types of encodings with time as you go by solving many CTFs, but if you want an easy tip, just copy and paste the encoded text on google and it mostly gives you a hint in the google results on the encoding method used for your text). Moving on, I decoded the base64 text using another online tool just to make sure: https://www.base64decode.org/

Screenshot 2021-09-07 125621

As seen in the output down in the pic, this time we have a long sequence of digits and some letters. They look like sha1 or some similar thing but not really. Playing and trying around on them using the 1st online tool that I used, it turned out it's in hexadecimal, so:

Screenshot 2021-09-07 125743

and the plain text of it is a set of chars with numbers, this reminds me of the ASCII table, you can check the ascii table down from https://www.dcode.fr/ascii-code and replace the number above to result in the plain final flag:

Screenshot 2021-09-07 125804
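The same four layers can be peeled offline instead of with the online tools. This is an added example, not code from the original writeup: the sample input is constructed here (it is not the task file), and the last layer is assumed to be space-separated decimal ASCII codes.

```python
import base64
import binascii


def encode_layers(text):
    """Build a constructed sample: decimal ASCII codes -> hex -> base64 -> binary."""
    codes = " ".join(str(ord(c)) for c in text)
    hexed = codes.encode("ascii").hex()
    b64 = base64.b64encode(hexed.encode("ascii")).decode("ascii")
    return " ".join(format(b, "08b") for b in b64.encode("ascii"))


def decode_layers(binary_text):
    """Return every intermediate stage; the last item is the plain text."""
    # Layer 1: space-separated 8-bit groups -> base64 text
    groups = binary_text.split()
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("layer 1: expected space-separated 8-bit binary groups")
    b64 = bytes(int(g, 2) for g in groups).decode("ascii")
    try:
        # Layer 2: base64 -> hex string (validate=True rejects stray characters)
        hexed = base64.b64decode(b64, validate=True).decode("ascii")
        # Layer 3: hex string -> decimal ASCII codes
        codes = bytes.fromhex(hexed).decode("ascii")
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"layer 2/3: not base64-wrapped hex ({exc})") from exc
    # Layer 4 (assumed format): decimal codes -> characters
    plain = "".join(chr(int(n)) for n in codes.split())
    return [b64, hexed, codes, plain]


# Constructed sample, stands in for the contents of the task file
SAMPLE = encode_layers("flag{constructed}")

if __name__ == "__main__":
    for stage in decode_layers(SAMPLE):
        print(stage)
```

Printing each stage makes it easy to recognise the encoding of the next layer by its alphabet (only 0/1, then base64 characters, then 0-9a-f, then decimal numbers).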

Sound code 40 points:

You were able to intercept a secret message over a telecommunication channel between 2 hackers. We need to decode this message. Can you help us?

Here they gave us a .wav file (voice media file). After playing it, it has no words! Just "toot toooot" like ON-OFF signal tones, so it's clear that it is Morse code.

I googled for an online tool to do the job, just to shorten the time, take this link https://morsecode.world/international/decoder/audio-decoder-adaptive.html:

Screenshot 2021-09-07 130846

After uploading the .wav file, I waited a little until the tool listened to the whole voice, and it gave me a raw text (most likely, hexadecimal) so I decoded it using the usual online tool https://cryptii.com/pipes/binary-decoder:

Screenshot 2021-09-07 130955

Special summation 35 points:

Using any programming language, create a function to calculate the total sum of all "odd" integers between any two given numbers, under the condition that any sum total ends with 0 will NOT be counted.

For example: the sum of all odd integers between 6 and 18 will be:

7+9=16

16+11=27

27+13=40 (skipped because the total 40 ends with 0 )

27+15=42

42+17=59

Total is 59

Your flag is the total sum of all "odd" integers between 10 and 1000

All I can do here honestly is give you the code to learn from it:

```python
def special_sum(lower, higher):
    total = 0  # storing our special summation here
    for number in range(lower, higher + 1):
        if number % 2 != 0:                 # to sum only odd nums
            if (total + number) % 10 != 0:  # to ignore totals ending with 0
                total += number
    return total


while True:
    lower = int(input("enter the lowest number: \n"))     # taking a lower input from the user
    higher = int(input("enter the highest number: \n"))   # taking a higher input from the user

    # the total starts from 0 on every call, so the process can be repeated as needed
    print("the sum of the odd numbers between " + str(lower) + " and " + str(higher)
          + " is: \n" + str(special_sum(lower, higher)) + "\n\n==============")
```

There could be other ways to write even smaller code, but I did it this way.
