webhacking.kr - 0ldzombie challenge writeup 4

Jun 13, 2015 • webchallenges, 0ldzombie

0ldzombie has a great collection of Webhacking challenges which ranges from very basic ones to some very advanced attacks. We really enjoyed playing the challenges and here are the writeups.

I hope by the time you are reading this, you had already completed the rest 3 challenges. The 4th challenge is an easy one as you can guess, because it is a 150 point problem. Now let us see how to approch this problem.

Note: I am putting up the write up on my blog so that if you are not able to complete the challenges after trying for awhile, you can refer to the solution to see how I did it. Please don’t look into the solution before you try out the challenges by yourself.

In this challenge all that is given is a string like this: YzQwMzNiZmY5NGI1NjdhMTkwZTMzZmFhNTUxZjQxMWNhZWY0NDRmMg==. Well, the moment you see the string, the 2 equal signs indicate that there is a strong chance of base64 encoding here. So after decoding, we will get something like this: c4033bff94b567a190e33faa551f411caef444f2. Well, it seems our first method was an instant success. Now we got something which looks like a hash. Let us try to identify which type of hash could it probably be.

If you use any online hash identifier, most of them suggests that this could be an SHA-1 encryption. Well, if it really is an SHA-1, there is no way to crack it unless it is already stored in some online SHA-1 cracking websites. So after digging up on that I reached a site called hashkiller which helped me decrypt the string. So after the decryption I again got a string which is of the same length: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3. Now what ?

Well, I simply assumed that this one will again be a SHA-1 since it is of same length. So I gave the new string as input this time and it gave back the correct result in plain text. For some reason, I didn’t enjoy this challenge like the other ones. May be next one will be better :)

Anirudh Anand

Product Security ♥ | CTF - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE