picoCTF2025: hashcrack Writeup

hashcrack

authored by Nana Ama Atombo-Sackey

A company stored a secret message on a server which got breached due to the admin using weakly hashed passwords. Can you gain access to the secret stored within the server?

Solution

If you only want to solve it, the following site is enough:
https://crackstation.net/
But since we are here, let's build some knowledge by implementing a hashcat lookalike with hashlib.

The server first prints the following.

Welcome!! Looking For the Secret?

We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash:

The hash is 32 characters long, which tells us the hash algorithm is MD5. After that, brute-forcing it with rockyou.txt should turn up the password.

from pwn import *
import hashlib

HOST = "verbal-sleep.picoctf.net"
PORT = 60196

def check_algo(hash):
    # Guess the algorithm from the length of the hex digest.
    n = len(hash)
    if n == 32:
        return "md5"
    raise ValueError(f"Unsupported hash length: {n}")

def hashcrack(algo, hash):
    if algo == "md5":
        # Binary mode: rockyou.txt contains bytes that are not valid UTF-8.
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.md5(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    raise LookupError("password not found in rockyou.txt")

io = remote(HOST, PORT)
io.recvuntil(b"We have identified a hash: ")
hash = io.recvline().strip().decode()

# hashcrack() returns bytes, which is what pwntools expects to send.
io.sendlineafter(b"Enter the password for identified hash: ", hashcrack(check_algo(hash), hash))
io.interactive()

Running it prints the following.

Correct! You've cracked the MD5 hash with no secret found!

Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash:

The next hash is 40 characters long, so it is SHA1. Let's implement it the same way.

from pwn import *
import hashlib

HOST = "verbal-sleep.picoctf.net"
PORT = 60196

def check_algo(hash):
    # Guess the algorithm from the length of the hex digest.
    n = len(hash)
    if n == 32:
        return "md5"
    if n == 40:
        return "sha1"
    raise ValueError(f"Unsupported hash length: {n}")

def hashcrack(algo, hash):
    # Binary mode throughout: rockyou.txt contains bytes that are not valid UTF-8.
    if algo == "md5":
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.md5(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    if algo == "sha1":
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.sha1(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    raise LookupError("password not found in rockyou.txt")

io = remote(HOST, PORT)

io.recvuntil(b"We have identified a hash: ")
hash = io.recvline().strip().decode()

io.sendlineafter(b"Enter the password for identified hash: ", hashcrack(check_algo(hash), hash))

io.recvuntil(b"Crack this hash: ")
hash = io.recvline().strip().decode()

io.sendlineafter(b"Enter the password for the identified hash: ", hashcrack(check_algo(hash), hash))
# Hand over to the terminal so the server's next message is displayed.
io.interactive()

Correct! You've cracked the SHA-1 hash with no secret found!

Almost there!! Crack this hash: 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745
Enter the password for the identified hash:

The last hash is 64 characters long. That is SHA256, so it can be implemented the same way.
That gives the complete solver.

from pwn import *
import hashlib

HOST = "verbal-sleep.picoctf.net"
PORT = 60196

def check_algo(hash):
    # Guess the algorithm from the length of the hex digest.
    n = len(hash)
    if n == 32:
        return "md5"
    if n == 40:
        return "sha1"
    if n == 64:
        return "sha256"
    raise ValueError(f"Unsupported hash length: {n}")

def hashcrack(algo, hash):
    # Binary mode throughout: rockyou.txt contains bytes that are not valid UTF-8.
    if algo == "md5":
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.md5(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    if algo == "sha1":
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.sha1(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    if algo == "sha256":
        with open("./rockyou.txt", "rb") as f:
            for password in f:
                password = password.strip()
                hashed_password = hashlib.sha256(password).hexdigest()
                if hashed_password == hash:
                    print(f"Found: {password.decode(errors='replace')}")
                    return password
    raise LookupError("password not found in rockyou.txt")

io = remote(HOST, PORT)

# Stage1
io.recvuntil(b"We have identified a hash: ")
hash = io.recvline().strip().decode()

io.sendlineafter(b"Enter the password for identified hash: ", hashcrack(check_algo(hash), hash))

# Stage2
io.recvuntil(b"Crack this hash: ")
hash = io.recvline().strip().decode()

io.sendlineafter(b"Enter the password for the identified hash: ", hashcrack(check_algo(hash), hash))

# Stage3
io.recvuntil(b"Crack this hash: ")
hash = io.recvline().strip().decode()

io.sendlineafter(b"Enter the password for the identified hash: ", hashcrack(check_algo(hash), hash))
io.interactive()

Flag: picoCTF{UseStr0nG_h@shEs_&PaSswDs!_93e052d7}
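
A lookup site like the one linked at the top works because an unsalted MD5, SHA1 or SHA256 digest of a given password is always the same value, so it can be precomputed once. The following added example (not part of the original writeup; the wordlist, the iteration count and all function names are constructed for illustration) contrasts that storage scheme with a per-user salt and PBKDF2 from hashlib:

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for rockyou.txt.
WORDLIST = [b"123456", b"sunshine", b"dragon2024", b"correct horse"]
ITERATIONS = 200_000  # example work factor (assumption); tune for your hardware

def build_lookup_table(words):
    """Precompute unsalted MD5 -> password once, as a lookup site does."""
    return {hashlib.md5(w).hexdigest(): w for w in words}

def store_unsalted(password):
    """The weak scheme from the challenge: a bare, fast, unsalted digest."""
    return hashlib.md5(password).hexdigest()

def store_salted(password):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def demo():
    table = build_lookup_table(WORDLIST)
    alice, bob = store_unsalted(b"sunshine"), store_unsalted(b"sunshine")
    salt_a, dig_a = store_salted(b"sunshine")
    salt_b, dig_b = store_salted(b"sunshine")
    return {
        "unsalted_identical": alice == bob,            # same password, same hash
        "unsalted_table_hit": table.get(alice),        # one dict lookup recovers it
        "salted_identical": dig_a == dig_b,            # salts make the records differ
        "salted_table_hit": table.get(dig_a.hex()),    # precomputed table is useless
        "salted_verify_ok": verify_salted(b"sunshine", salt_a, dig_a),
        "salted_verify_wrong": verify_salted(b"dragon2024", salt_b, dig_b),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the precomputed table and the iteration count makes every guess expensive, but a password that appears in a wordlist can still be recovered by a targeted run against one record, which is why the flag asks for strong passwords as well as strong hashes.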
