
Break the PIN

  • 22-09-2011 8:51pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Just for fun, just a simple game. Not suited for everyone. Will require a little programming experience.

    Object: Break the Pin code to access the secure area.

    http://damo.clanteam.com/pin/

    - Hosted on free web hosting so NO scanning/brute forcing/hammering.
    - no SQLi, php, apache, xss hacks needed.


    Enjoy.


Comments

  • Closed Accounts Posts: 8 Spaces


    Got it in the end, it was something simple I overlooked (always the case). I'll post an encrypted link to the solution here with the pin as the answer so those who have solved it can view it. https://pastee.org/yruqy


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Spaces wrote: »
    Got it in the end, it was something simple I overlooked (always the case). I'll post an encrypted link to the solution here with the pin as the answer so those who have solved it can view it. https://pastee.org/yruqy

    Alternate one here:
    https://pastee.org/72z56


  • Closed Accounts Posts: 427 ✭✭scotty_irish


    Does this involve decoding the partial md5 and sha strings? Or am I going about this the completely wrong way?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    scotty_irish wrote: »
    Does this involve decoding the partial md5 and sha strings? Or am I going about this the completely wrong way?

    Think that's the wrong way dude. Try to figure out what input criteria may satisfy the conditions. Does that make things easier?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    aydiosmio's solution:
    https://pastee.org/bp8uk


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Nice solution by Pilate:
    https://pastee.org/cdds8


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    kw's solution:
    https://pastee.org/27d6y


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    It's interesting to see the vast array of solutions to it. There's no one correct answer.
    Handy enough, just had issues with whitespaces that I had not anticipated


  • Closed Accounts Posts: 96 ✭✭axiom


    would love to know where to learn this stuff !


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Registered Users, Registered Users 2 Posts: 60 ✭✭obviousTroll


    obviousTroll is obvious.

    https://pastee.org/hkhe8


  • Registered Users, Registered Users 2 Posts: 441 ✭✭robfitz




  • Closed Accounts Posts: 427 ✭✭scotty_irish


    I just used a sledgehammer to crack a nut but it worked. Copious amounts of badly written C++ combined with some bash. Looking at others' much more elegant solutions makes me sick. F*ck it, I'm a civil engineer!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    scotty_irish wrote: »
    I just used a sledgehammer to crack a nut but it worked. Copious amounts of badly written C++ combined with some bash. Looking at others' much more elegant solutions makes me sick. F*ck it, I'm a civil engineer!

    haha well done.


  • Closed Accounts Posts: 8 Spaces


    Cheers for that little challenge Damo. It's good to keep the brain active. It'll take me a while before I can try some of the infosec challenges. I have to read up on some stuff first. It's interesting to see others' solutions all the same.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Registered Users, Registered Users 2 Posts: 579 ✭✭✭edmund_f




  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Would be interesting if people came up with their own challenges also. If hosting is a problem, let me know.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Wow that was awesome! Thanks Damo.

    I'm just learning python and so thought this would be a good homework exercise to implement what I have learnt. I'm starting to love python more and more, considering how quickly I was able to write my sledgehammer of an answer.

    My solution is here: https://pastee.org/uatq8
    h57xiucj2z946q wrote: »
    Would be interesting if people came up with their own challenges also. If hosting is a problem, let me know.

    I was at the SANS security training last week and took part in their "Capture the flag" tournament. Unfortunately, I came a rather disappointing 32 out of 90, but it gave me some ideas for a similar challenge. Partly just for the fun of it, and partly so I can practice for next year ;)

    The way it worked was, you had a list of questions on a website, the answer to each question was an MD5 hash of the answer. It started off pretty basically with a question like: "What is the kernel version of this machine?". To get the answer you would do:
    echo -n `uname -r` | md5sum
    

    It then progressed to the next level where you had to crack the root password and submit the hash of that, and then go on to take over other machines on the network.

    I couldn't do something as sophisticated as that myself, but I am thinking of putting together a similar challenge. Would there be interest in it?

    Anyway, now that's finished, it's time for breakfast.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Wow that was awesome! Thanks Damo.

    I'm just learning python and so thought this would be a good homework exercise to implement what I have learnt. I'm starting to love python more and more, considering how quickly I was able to write my sledgehammer of an answer.

    My solution is here: https://pastee.org/uatq8



    I was at the SANS security training last week and took part in their "Capture the flag" tournament. Unfortunately, I came a rather disappointing 32 out of 90, but it gave me some ideas for a similar challenge. Partly just for the fun of it, and partly so I can practice for next year ;)

    The way it worked was, you had a list of questions on a website, the answer to each question was an MD5 hash of the answer. It started off pretty basically with a question like: "What is the kernel version of this machine?". To get the answer you would do:
    echo -n `uname -r` | md5sum
    

    It then progressed to the next level where you had to crack the root password and submit the hash of that, and then go on to take over other machines on the network.

    I couldn't do something as sophisticated as that myself, but I am thinking of putting together a similar challenge. Would there be interest in it?

    Anyway, now that's finished, it's time for breakfast.

    I'd be interested in that yeah.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    We will be hosting a capture the flag challenge in WIT at some point next year.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dlofnep wrote: »
    We will be hosting a capture the flag challenge in WIT at some point next year.

    WIT is Wexford/Waterford/Wicklow IT(select one)?

    Will it be open to remote contestants? If not, please PM me with info when you know them, as I need to book flights ;).


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Waterford :) Will post the details of it long before we host it, don't worry.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    i'd like to know how this was done, anyone care to give me a password to view the ways people did this?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    As soon as the challenge is over, I'll post an explanation to how I defeated it..


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think you can post a solution, it doesn't look like more are trying it.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    h57xiucj2z946q wrote: »
    I think you can post a solution, it doesn't look like more are trying it.

    I'm showing it to a couple of my colleagues, so maybe hold off on posting the solution just yet.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Well, here is my solution. The first thing I did was look at the source code of Damo's webpage to see how exactly he was authenticating the user.

    <!--
    function verifypin(pin) {

        if ((pin.length != 7) || isNaN(pin)) {
            alert('Please enter a valid pin consisting numbers only. 7 digits long.');
        } else {
            var md5 = MD5(pin);
            var sha1 = SHA1(pin);
            var sha256 = SHA256(pin);

            if ((md5.substr(30,2) == "5a") && (sha1.substr(0,2) == "f1") && (sha256.substr(30,2) == "91")) {
                location.href = "http://damo.clanteam.com/pin/" + pin + ".php";
            } else {
                alert('ACCESS DENIED!');
            }

        }
    }
    //-->
    

    The first thing that is evident is that the pin must be 7 characters long, and must be numerical. So the first thing I did was create a tiny script to generate a wordlist with all possible 7 digit pin combinations.

    The second part of Damo's script checks 3 values. The 3 values are substrings of 3 different hashes of the actual login pin. The script checks 2 characters in specific positions of the 3 different hashes to see if they meet the criteria.

    If you're not familiar with how substring works, read this: http://www.w3schools.com/jsref/jsref_substring.asp

    Therefore, it seemed logical for me to check for those exact same characters in the exact same positions, using the same hash algorithms. If all 3 hash values of a specific pin matched Damo's values - then I knew that it must be the correct pin. The script itself simply looped through all the pin values, checked if the MD5 substring matched - if so, it generated the SHA1 substring and checked if it matched, if so - it moved on and checked if the SHA256 value matched - if it did, it printed the pin.

    My code:
    <?php
    // Wordlist: every 7-digit pin (0000000 .. 9999999), comma separated.
    $dictFile = "numbers.txt";
    $fh = fopen($dictFile, 'r');
    $filesize = filesize($dictFile);
    $data = fread($fh, $filesize);
    fclose($fh);

    $word = explode(",", $data);

    for ($i = 0; $i < count($word); $i++) {
        // Cheapest check first: only about 1 in 256 pins passes the MD5 test,
        // so SHA1 and SHA256 are only computed for those.
        $md5 = md5($word[$i]);
        if (substr($md5, 30, 2) == "5a") {
            $sha1 = sha1($word[$i]);
            if (substr($sha1, 0, 2) == "f1") {
                $sha256 = hash('sha256', $word[$i]);
                if (substr($sha256, 30, 2) == "91") {
                    // All three fragments match: print the candidate pin.
                    echo $word[$i] . "<br>";
                }
            }
        }
    }
    ?>
    


  • Registered Users, Registered Users 2 Posts: 56 ✭✭PeterHughes


    I went for the sledgehammer approach, very interested in how others cracked it.


  • Registered Users, Registered Users 2 Posts: 8 endz




  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    endz wrote: »

    Well you get the award for the one liner solution.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    endz wrote: »

    The reason I didn't start with 1000000 is because the pin in theory could have begun with a 0.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    pity nobody hardly comments their code


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    pacquiao wrote: »
    pity nobody hardly comments their code

    Only a few lines of code dude ;) Hardly worth commenting.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    dlofnep wrote: »
    Only a few lines of code dude ;) Hardly worth commenting.
    Would be nice to know a few things in English.

    For example: you have a loop with a variable 0 which incs each time the loop is run. The md5 function is hashing the variable? And checking it against a char?? Might help us beginners.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    With mine, I created a wordlist which looked like this:

    0000000, 0000001, 0000002, 0000003.........etc 9999998, 99999999.

    So I load the wordlist which contains this into a variable called $data. I then use the explode() function to create an array of all of the numbers, I separated them with the comma.
    $word = explode(",", $data);
    

    So if I am looping - on the first iteration..

    $word[0] = "00000000"
    $md5 = md5($word[$i])
    $md5 will equal "dd4b21e9ef71e1291183a46b913ae6f2"


    I then check if the substring of the MD5 matches what Damo wants:

    My first substring is: substr($md5,30,2) = "f2"

    It doesn't match what Damo wants, so it skips back to the start of the loop - it keeps doing this until my MD5 substring is equal to "5a". When it is, it will then check the SHA1 substring to see if it matches... Etc...

    It goes on and does this until all 3 substrings of the 3 hash values of whatever digits we are on will match what Damo requires which is:

    MD5 substring will be: 5a
    SHA1 substring will be: f1
    SHA256 substring will be: 91
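    To make dlofnep's solution post and the walkthrough above concrete, here is an added Python version (not code from the thread or from the challenge) that reproduces the same three substring checks; the hex fragments and positions are the ones in the posted verifypin() source, and expected_survivors() is an added calculation showing why a check on six hex characters (about 24 bits) is nearly unique yet trivially enumerable offline once the comparison logic is visible client-side.

```python
import hashlib

PIN_LEN = 7
# Hex fragments the challenge's verifypin() compares (taken from the thread).
TARGET = ("5a", "f1", "91")


def partial_hashes(pin: str) -> tuple:
    """Return (md5[30:32], sha1[0:2], sha256[30:32]) for the given string."""
    data = pin.encode()
    return (
        hashlib.md5(data).hexdigest()[30:32],
        hashlib.sha1(data).hexdigest()[0:2],
        hashlib.sha256(data).hexdigest()[30:32],
    )


def matches(pin: str) -> bool:
    """Mirror verifypin(): 7 digits only, then all three fragments must match."""
    if len(pin) != PIN_LEN or not pin.isdigit():
        return False
    return partial_hashes(pin) == TARGET


def search(start: int = 0, stop: int = 10**PIN_LEN) -> list:
    """Enumerate zero-padded pins in [start, stop), cheapest check first so
    SHA1/SHA256 only run for the ~1/256 of candidates that pass the MD5 test."""
    hits = []
    for n in range(start, stop):
        pin = f"{n:0{PIN_LEN}d}"  # keep leading zeros, e.g. 0000001
        data = pin.encode()
        if hashlib.md5(data).hexdigest()[30:32] != TARGET[0]:
            continue
        if hashlib.sha1(data).hexdigest()[0:2] != TARGET[1]:
            continue
        if hashlib.sha256(data).hexdigest()[30:32] == TARGET[2]:
            hits.append(pin)
    return hits


def expected_survivors(keyspace: int = 10**PIN_LEN, hex_chars: int = 6) -> float:
    """Average number of pins the filter lets through: six fixed hex characters
    are 24 bits, so about keyspace / 16**6, i.e. roughly 0.6 of the 10^7 pins."""
    return keyspace / 16**hex_chars


if __name__ == "__main__":
    print(f"expected matches in full space: {expected_survivors():.3f}")
    print("matches in first 100000 pins:", search(0, 100_000))
```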


  • Closed Accounts Posts: 465 ✭✭pacquiao


    That's very nice of you to post a very detailed analysis into what your code is doing.
    $word[0] = "00000000" is this

    is this just 4 bytes? 00000000


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    pacquiao wrote: »
    That's very nice of you to post a very detailed analysis into what your code is doing.
    $word[0] = "00000000" is this

    is this just 4 bytes? 00000000

    No, sorry - that is supposed to be 7 0's.

