This one is similar, but a bit harder than pw-crack-1 and pw-crack-2.
Steps
First I downloaded the files:
- level3.py - the script
- level3.flag.py.enc - the encrypted flag
- level3.hash.bin - the hash of the encrypted password
As suggested, I've also installed bvi (or "binary vi") from brew (ultimately I didn't need it, but it's good to know such a program exists).
Source code analysis
The source code for this one differed a bit from the previous exercises. Namely - the password that the script asked for was read from the binary file.
To compare what's read from the file with what I put into the script, this function hashed the input string:
import hashlib

def hash_pw(pw_str):
    # Encode the input string to bytes and return its raw 16-byte MD5 digest
    pw_bytes = bytearray()
    pw_bytes.extend(pw_str.encode())
    m = hashlib.md5()
    m.update(pw_bytes)
    return m.digest()
Also, there was a list of possible passwords and one of them should work.
I could just go one by one and put them in, but it wouldn't be performant, so I decided to open level3.hash.bin in VS Code first and check what the content is. This is what it looked like:
�`E��BC�;���Ϣi�
I wrote a simple function that'd iterate over the array of possible passwords and print the hashes for them:
pos_pw_list = ["8799", "d3ab", "1ea2", "acaf", "2295", "a9de", "6f3d"]
for p in pos_pw_list:
    print(hash_pw(p))
The third hash looked exactly the same as the one in level3.hash.bin:
�;�qlģ�/9��s
+&�A��)HBf�C
�`E��BC�;���Ϣi� // <-- this one
=�9d�=�����1�-
m`��TA45���&
��秦����=��F��L
��V�Jx��CR���j
...so I just tried the third password from the array and it worked 😁
Note: this time I had to put it in the prompt without quotes
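The same comparison done on raw bytes instead of by eye, as an added example that is not part of the original write-up or the challenge script: the hash file is read in binary mode and each candidate's digest is compared to it directly. The names find_password and demo are hypothetical, and the hash file here is a constructed stand-in built from the candidate the write-up reports as working, since the real level3.hash.bin is not on this page.

```python
import hashlib
import os
import tempfile


def hash_pw(pw_str):
    """Same hashing as shown above: raw 16-byte MD5 digest of the string."""
    return hashlib.md5(pw_str.encode()).digest()


def find_password(hash_path, candidates):
    """Return the candidate whose MD5 digest equals the file's bytes, else None."""
    # Binary mode matters: a text editor decodes the digest as characters,
    # which is why it shows up as unreadable symbols.
    with open(hash_path, "rb") as f:
        target = f.read()
    if len(target) != hashlib.md5().digest_size:
        raise ValueError(f"expected a 16-byte MD5 digest, got {len(target)} bytes")
    for pw in candidates:
        if hash_pw(pw) == target:
            return pw
    return None


def demo(secret="1ea2"):
    """Build a constructed stand-in hash file and search the candidate list."""
    pos_pw_list = ["8799", "d3ab", "1ea2", "acaf", "2295", "a9de", "6f3d"]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "level3.hash.bin")  # constructed, not the real file
        with open(path, "wb") as f:
            f.write(hash_pw(secret))
        # Hex is the readable way to eyeball a digest if you still want to.
        print("target digest:", hash_pw(secret).hex())
        return find_password(path, pos_pw_list)


if __name__ == "__main__":
    print("matching password:", demo())
```
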
Flag
picoCTF{m45h_fl1ng1ng_6f98a49f}