Tribute to Binit Ghimire
Binit Ghimire was an amazing ,talented,and very helpful security researcher with an amazing skillset and knowledge about different stuffs in Infosec field . Few days ago , when we first heard the news of his untimely demise , I was literally shocked as I knew him for more than 5 years and I always used to ask him on everything and it was a great loss for the entire Infosec community . May his soul rest in peace .
You can find his writeups here: https://publish.whoisbinit.me/
I will write manual approach(difficult one) at first and programming based approach at the end(reliable one).
The Challenge:
Lets see what the script.py contains :
I didn’t properly understand the code but after multiple glances at the code, I came to know that the string is rotated and then hashed to md5 value. And yes, as you might have guessed, md5 hashes can’t be decrypted and can only be cracked. I saw the input rotation is an integer so yes the numbers, then I tried fuzzing the numbers from 1 to (length of the string ) and printing it inside the rotate function. Then I tried rotating the string through negative integers. The code snippet looked as,
Then I got some ideas from this source .
Now it’s time to hop into the server and try it . A netcat connection was sent and we were to input the integer and output would be the rotated then md5 hashed value .
So I assumed that the flag was 32 characters long . I tried entering -32.
It gave the md5 value = 18d86af9b3ff7d144983dc1bc13f5c7d . “18d86af9b3ff7d144983dc1bc13f5c7d” is the md5 value of “$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$” (32 dollar signs).
Now we need to fuzz the first character of the 32 dollar signs with some ASCII values then convert all of them to md5 hash and then compare it with the md5 hash given by the server when we enter -31. So I wrote this code to print the strings with 1st character modified to all printable ASCII characters .
The output of the above function which looks like :
Lets generate md5 hashes of all of this now . I used MiracleSalad’s online md5 hash generator to generate hashes from all of this strings and treat them as multiple lines .
I copied them to clipboard and pasted them in Notepad++ . Now we need to compare the md5 hashes with the md5 value which we get after entering -31.
The hash we got this time was “2b31692aa52066c0f4439a540229b39b” which is the md5 value of “}$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$” . We can find this by hitting Ctrl+F in Notepad++ then searching for the hash value and noting the line number and grepping the initial string which was on that line number .
Like this we can then do it all again with the updated string and compare each md5 values until we get a “{“ as the format of the flag is BountyCon{ } ,so we can write BountyCon at the front ourselves and then compare it again with the value got from the nc server.
So we could get the string like this each time then we compare their first characters with md5 value provided by the nc :
We just need to compare the hashes which we obtained from the server with the hashes that we generated by fuzzing the first character of the dollar string each time.
Finally we can get the flag which is BountyCon{why_4re_U_5o_neg471v3}
Yes , we could do it very easily by writing a program to fuzz and generate and compare the md5 hashes but I am weak in programming and I am currently learning it with my best motive as by doing this ctf , I now more realize how important programming is day by day . So if you don’t want to run a process manually multiple times and not waste probably 1 hour to find a 32 character long flag , then learn programming 😀 . It is never a bad idea to learn programming .
Solution.py (the easy and more reliable approach)
If you know programming then you can easily solve this problem by exporting the hashes from the server from -31 to 0 in results.csv file using the following python code :
Programming approach is wayy comfortable and reliable than manual approach . It is difficult to do each step one by one manually . If the length of the flag was more , it would be a lot more difficult to find the flag manually .
Results.csv contains the hashes as follows:
The output of the solution.py is as follows:
We retrieved the flag : BountyCon{why_4re_U_50_neg471v3}
Facebook CTF challenges are awesome . I will try to learn more till the next time and try to find more flags next time . This time I managed to find just 2 flags (Rotohash and so-close) . I guess I was close to Steal No Data and Nonogram but couldn’t manage to solve those 🙁 .
You can follow me on
Twitter : https://twitter.com/kn1ght_yagami
Facebook : https://www.facebook.com/sudipshah505/
Instagram : https://www.instagram.com/sudip_shah_582/
Thank you for taking the time to read my article. Have a great day!
Also Thanks to Ashok dai for reviewing this writeup 😀
#bountycon #bountycon2022 #facebookctf #fbctf #ctf