
Break the PIN

  • 22-09-2011 9:51pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Just for fun, just a simple game. Not suited for everyone. Will require a little programming experience.

    Object: Break the Pin code to access the secure area.

    http://damo.clanteam.com/pin/

    - Hosted on free web hosting so NO scanning/brute forcing/hammering.
    - no SQLi, php, apache, xss hacks needed.


    Enjoy.



Comments

  • Closed Accounts Posts: 8 Spaces


    Got it in the end , it was something simple I overlooked (always the case). I'll post an encrypted link to the solution here with the pin as the answer so those who have solved it can view it. https://pastee.org/yruqy


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Spaces wrote: »
    Got it in the end , it was something simple I overlooked (always the case). I'll post an encrypted link to the solution here with the pin as the answer so those who have solved it can view it. https://pastee.org/yruqy

    Alternate one here:
    https://pastee.org/72z56


  • Closed Accounts Posts: 427 ✭✭scotty_irish


    Does this involve decoding the partial MD5 and SHA strings? Or am I going about this the completely wrong way?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Does this involve decoding the partial MD5 and SHA strings? Or am I going about this the completely wrong way?
    Think that's the wrong way dude. Try to figure out what input criteria may satisfy the conditions. Does that make things easier?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    aydiosmio's solution:
    https://pastee.org/bp8uk


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Nice solution by Pilate:
    https://pastee.org/cdds8


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    kw's solution:
    https://pastee.org/27d6y



  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    It's interesting to see the vast array of solutions to it. There's no one correct answer.
    Handy enough, just had issues with whitespaces that I had not anticipated.


  • Closed Accounts Posts: 96 ✭✭axiom


    Would love to know where to learn this stuff!



  • Registered Users Posts: 60 ✭✭obviousTroll


    obviousTroll is obvious.

    https://pastee.org/hkhe8



  • Closed Accounts Posts: 427 ✭✭scotty_irish


    I just used a sledgehammer to crack a nut but it worked. Copious amounts of badly written C++ combined with some bash. Looking at others' much more elegant solutions makes me sick. F*ck it, I'm a civil engineer!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I just used a sledgehammer to crack a nut but it worked. Copious amounts of badly written C++ combined with some bash. Looking at others' much more elegant solutions makes me sick. F*ck it, I'm a civil engineer!

    haha well done.


  • Closed Accounts Posts: 8 Spaces


    Cheers for that little challenge Damo. It's good to keep the brain active. It'll take me a while before I can try some of the infosec challenges. I have to read up on some stuff first. It's interesting to see others' solutions all the same.



  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Would be interesting if people came up with their own challenges also. If hosting is a problem, let me know.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Wow that was awesome! Thanks Damo.

    I'm just learning Python and so thought this would be a good homework exercise to implement what I have learnt. I'm starting to love Python more and more, considering how quickly I was able to write my sledgehammer of an answer.

    My solution is here: https://pastee.org/uatq8
    Would be interesting if people came up with their own challenges also. If hosting is a problem, let me know.

    I was at the SANS security training last week and took part in their "Capture the flag" tournament. Unfortunately, I came a rather disappointing 32 out of 90, but it gave me some ideas for a similar challenge. Partly just for the fun of it, and partly so I can practice for next year ;)

    The way it worked was, you had a list of questions on a website, the answer to each question was an MD5 hash of the answer. It started off pretty basically with a question like: "What is the kernel version of this machine?". To get the answer you would do:
    echo -n `uname -r` | md5sum
    

    It then progressed to the next level where you had to crack the root password and submit the hash of that, and then go on to take over other machines on the network.

    I couldn't do something as sophisticated as that myself, but I am thinking of putting together a similar challenge. Would there be interest in it?

    Anyway, now that's finished, it's time for breakfast.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops wrote: »
    Wow that was awesome! Thanks Damo.

    I'm just learning Python and so thought this would be a good homework exercise to implement what I have learnt. I'm starting to love Python more and more, considering how quickly I was able to write my sledgehammer of an answer.

    My solution is here: https://pastee.org/uatq8



    I was at the SANS security training last week and took part in their "Capture the flag" tournament. Unfortunately, I came a rather disappointing 32 out of 90, but it gave me some ideas for a similar challenge. Partly just for the fun of it, and partly so I can practice for next year ;)

    The way it worked was, you had a list of questions on a website, the answer to each question was an MD5 hash of the answer. It started off pretty basically with a question like: "What is the kernel version of this machine?". To get the answer you would do:
    echo -n `uname -r` | md5sum
    

    It then progressed to the next level where you had to crack the root password and submit the hash of that, and then go on to take over other machines on the network.

    I couldn't do something as sophisticated as that myself, but I am thinking of putting together a similar challenge. Would there be interest in it?

    Anyway, now that's finished, it's time for breakfast.

    I'd be interested in that yeah.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    We will be hosting a capture the flag challenge in WIT at some point next year.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dlofnep wrote: »
    We will be hosting a capture the flag challenge in WIT at some point next year.

    WIT is Wexford/Waterford/Wicklow IT (select one)?

    Will it be open to remote contestants? If not, please PM me with info when you know them, as I need to book flights ;).


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Waterford :) Will post the details of it long before we host it, don't worry.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    I'd like to know how this was done. Anyone care to give me a password to view the ways people did this?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    As soon as the challenge is over, I'll post an explanation of how I defeated it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think you can post a solution, it doesn't look like more are trying it.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I think you can post a solution, it doesn't look like more are trying it.

    I'm showing it to a couple of my colleagues, so maybe hold off on posting the solution just yet.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Well, here is my solution. The first thing I did was look at the source code of Damo's webpage to see how exactly he was authenticating the user.
    <!--
    		function verifypin(pin) {
    		
    			if ((pin.length != 7) || isNaN(pin)) {
    				alert('Please enter a valid pin consisting numbers only. 7 digits long.');
    			} else {
    				var md5 = MD5(pin);
    				var sha1 = SHA1(pin);
    				var sha256 = SHA256(pin);
    				
    				if ((md5.substr(30,2) == "5a") && (sha1.substr(0,2) == "f1") && (sha256.substr(30,2) == "91")) {
    					location.href = "http://damo.clanteam.com/pin/" + pin + ".php";
    				} else {
    					alert('ACCESS DENIED!');
    				}
    				
    			}			
    		}
    	//-->
    

    The first thing that is evident is that the pin must be 7 characters long, and must be numerical. So the first thing I did was create a tiny script to generate a wordlist with all possible 7-digit pin combinations.

    The second part of Damo's script checks 3 values. The 3 values are substrings of 3 different hashes of the actual login pin. The script checks 2 characters in specific positions of the 3 different hashes to see if they meet the criteria.

    If you're not familiar with how substring works, read this: http://www.w3schools.com/jsref/jsref_substring.asp

    Therefore, it seemed logical for me to check for those exact same characters in the exact same positions, using the same hash algorithms. If all 3 hash values of a specific pin matched Damo's values, then I knew that it must be the correct pin. The script itself simply looped through all the pin values and checked if the MD5 substring matched; if so, it generated the SHA1 substring and checked if it matched; if so, it moved on and checked if the SHA256 value matched; if it did, it printed the pin.

    My code:
    <?php
    // numbers.txt holds every possible 7-digit pin, comma-separated
    $dictFile = "numbers.txt";
    $fh = fopen($dictFile, 'r');
    $filesize = filesize($dictFile);
    $data = fread($fh, $filesize);
    fclose($fh);

    $word = explode(",", $data);

    for ($i = 0; $i < count($word); $i++) {
      $md5 = md5($word[$i]);
      if (substr($md5, 30, 2) == "5a") {
        // MD5 slice matched; only now compute SHA1
        $sha1 = sha1($word[$i]);
        if (substr($sha1, 0, 2) == "f1") {
          // SHA1 slice matched; only now compute SHA256
          $sha256 = hash('sha256', $word[$i]);
          if (substr($sha256, 30, 2) == "91") {
            // all three slices matched: print the candidate pin
            echo $word[$i] . "<br>";
          }
        }
      }
    }
    ?>
    

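The same offline search as a stand-alone Python script, added here as an example rather than any poster's own code. It reproduces the three `substr(pos, 2)` comparisons from the `verifypin()` JavaScript above and walks the candidate set the client-side check admits: the ten million zero-padded strings "0000000" to "9999999" (generated in memory instead of from a wordlist file). The only assumption beyond the posted JavaScript is that stricter check: the original's `isNaN()` would also accept a 7-character string with surrounding whitespace, which this replica does not chase. Three 2-hex-character slices are 24 bits of constraint against roughly 2^23.25 candidates, so about one survivor is expected; any extra collision would pass the client-side check too, and only the pin whose `.php` page actually exists is the real one.

```python
"""Brute-force replica of the verifypin() check from the challenge page."""
import hashlib

# Targets copied from the verifypin() JavaScript posted in the thread:
#   md5.substr(30,2) == "5a", sha1.substr(0,2) == "f1", sha256.substr(30,2) == "91"
TARGET_SLICES = ("5a", "f1", "91")


def is_valid_pin(pin: str) -> bool:
    """Mirror the client-side pre-check: exactly 7 characters, all ASCII digits.

    Assumption: the original uses JavaScript's isNaN(), which also tolerates
    surrounding whitespace; this replica deliberately admits digit strings only.
    """
    return len(pin) == 7 and pin.isascii() and pin.isdigit()


def digest_slices(pin: str) -> tuple:
    """Return the three 2-hex-char slices the JavaScript compares.

    JavaScript substr(30, 2) is the same as Python [30:32] on the hex digest.
    """
    data = pin.encode("ascii")
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return (md5[30:32], sha1[0:2], sha256[30:32])


def matches(pin: str) -> bool:
    """True when verifypin() would redirect this pin to <pin>.php.

    Checks are ordered cheapest-to-fail first: only about 1 in 256 candidates
    survive the MD5 slice, so SHA-1 and SHA-256 are rarely computed at all.
    """
    data = pin.encode("ascii")
    if hashlib.md5(data).hexdigest()[30:32] != TARGET_SLICES[0]:
        return False
    if hashlib.sha1(data).hexdigest()[0:2] != TARGET_SLICES[1]:
        return False
    return hashlib.sha256(data).hexdigest()[30:32] == TARGET_SLICES[2]


def candidates(start: int = 0, stop: int = 10_000_000):
    """Yield zero-padded 7-digit strings; "0000012" is a different pin from "12"."""
    for n in range(start, stop):
        yield f"{n:07d}"


def search(start: int = 0, stop: int = 10_000_000) -> list:
    """Return every pin in [start, stop) that passes all three hash slices."""
    return [pin for pin in candidates(start, stop) if matches(pin)]


if __name__ == "__main__":
    # 24 bits of constraint over ~2^23.25 candidates: expect roughly one hit.
    for pin in search():
        print(pin, digest_slices(pin))
```

Running the script hashes all ten million candidates locally (a few seconds with hashlib) and never touches the challenge host, which is what the original post's "no brute forcing/hammering" rule asks for; each printed pin is then a single manual visit to its `.php` page.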

  • Registered Users Posts: 56 ✭✭PeterHughes


    I went for the sledgehammer approach, very interested in how others cracked it.

