tomnomnom · August 13, 2017 08:36 · tomnomnom · Aug 13, 2017
diff --git a/h1-barry-ctf-dump.php b/h1-barry-ctf-dump.php
 <?php
 // OK, so here's the hex from the instructions...
 $lines =<<<LINES
 7b 0a 20 a0 22 65 76 e5
 6e 74 22 ba 20 22 70 e1
 73 73 77 ef 72 64 5f e3
 68 61 6e e7 65 22 2c 8a
 20 20 22 f5 73 65 72 ee
 61 6d 65 a2 3a 20 22 e2
 63 6f 6c ec 69 6e 22 ac
 0a 20 20 a2 6f 6c 64 df
 70 61 73 f3 77 6f 72 e4
 22 3a 20 a2 3a 5c 78 c3
 37 5c 78 c6 34 5c 6e dc
 78 41 46 a9 29 37 43 dc
 78 31 35 dc 78 44 30 dc
 78 46 33 dc 78 44 45 e9
 55 3b 22 ac 0a 20 20 a2
 6e 65 77 df 70 61 73 f3
 77 6f 72 e4 22 3a 20 a2
 39 5c 78 c6 41 5c 78 b9
 39 5c 78 c3 41 5c 78 c5
 44 5c 78 c6 32 58 53 c7
 5c 78 44 c4 2d 5c 78 c3
 32 5c 78 b8 45 7a 48 eb
 22 2c 0a a0 20 22 74 e9
 6d 65 73 f4 61 6d 70 a2
 3a 20 31 b5 30 31 38 b5
 38 38 36 b0 30 30 30 8a
 7d 0a
 LINES;


 // Let's take a look at each byte in binary notation to make
 // flipped bits a bit easier to spot.
 $str = '';
 foreach (explode("\n", $lines) as $line){
    $line = trim($line);
    $bytes = explode(" ", $line);

    foreach ($bytes as $byte){
        // When printed out as binary it becomes pretty clear that the MSB has
        // been flipped in the 4th and 8th columns... YOU LIED TO ME, JOBERT;
        // you said the LSBs had been shifted.
        printf("%08b ", intval($byte, 16));

        // Let's fix the high MSB and make a urlencoded string out of it.
        $str .= sprintf("%%%02X", intval($byte, 16) & 0b01111111);
    }
    echo PHP_EOL;
 }

 // We have 'JSON' :)
 $json = urldecode($str);
 echo $json;
 /*
 {
  "event": "password_change",
  "username": "bcollin",
  "old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
  "new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
  "timestamp": 1501858860000
 }
 */

 // \xNN sequences?! This isn't valid JSON, Jobert ಠ_ಠ
 // I'll just copy and paste the strings like some kind of monster.
 $old = ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;";
 $new = "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk";


 // Oh hey, *reverse* the passwords... I tried reversing the raw bytes first,
 // it took me longer than it should have done to bother just revsering the hex string...
 // I also tried a ton of other stuff that didn't work, but never mind all of that...
 $oldhash = strrev(unpack("H*", $old)[1]);
 var_dump($oldhash);
 // string(32) "b35596ed3f0d5134739292faa04f7ca3"
 // A quick good search reveals it to be md5(md5('p4ssw0rd'))
 // That's the old password sorted.

 $newhash = strrev(unpack("H*", $new)[1]);
 var_dump($newhash);
 // string(32) "b684a7e82cd2dd7435852fdeac99af93"
 // Google doesn't find a result for this one :(

 // Let's try a few things... Thank you, Daniel Miessler...
 $fh = fopen('/home/tom/src/github.com/danielmiessler/SecLists/Passwords/rockyou.txt', 'r');
 if (!$fh) die('wat');
 while(true) {
 	$test = trim(fgets($fh));

    if (md5(md5($test)) == $newhash){
        echo "Password: ". $test.PHP_EOL;
        break;
    }
 }
 fclose($fh);

 // This *is* crazy! Hurrah for brute force!
 // Confirmation:
 if (md5(md5('thisiscrazy')) == $newhash) {
 	echo "You're an Evil man, Jobert.";
 }
	<?php
	// OK, so here's the hex from the instructions...
	$lines =<<<LINES
	7b 0a 20 a0 22 65 76 e5
	6e 74 22 ba 20 22 70 e1
	73 73 77 ef 72 64 5f e3
	68 61 6e e7 65 22 2c 8a
	20 20 22 f5 73 65 72 ee
	61 6d 65 a2 3a 20 22 e2
	63 6f 6c ec 69 6e 22 ac
	0a 20 20 a2 6f 6c 64 df
	70 61 73 f3 77 6f 72 e4
	22 3a 20 a2 3a 5c 78 c3
	37 5c 78 c6 34 5c 6e dc
	78 41 46 a9 29 37 43 dc
	78 31 35 dc 78 44 30 dc
	78 46 33 dc 78 44 45 e9
	55 3b 22 ac 0a 20 20 a2
	6e 65 77 df 70 61 73 f3
	77 6f 72 e4 22 3a 20 a2
	39 5c 78 c6 41 5c 78 b9
	39 5c 78 c3 41 5c 78 c5
	44 5c 78 c6 32 58 53 c7
	5c 78 44 c4 2d 5c 78 c3
	32 5c 78 b8 45 7a 48 eb
	22 2c 0a a0 20 22 74 e9
	6d 65 73 f4 61 6d 70 a2
	3a 20 31 b5 30 31 38 b5
	38 38 36 b0 30 30 30 8a
	7d 0a
	LINES;


	// Let's take a look at each byte in binary notation to make
	// flipped bits a bit easier to spot.
	$str = '';
	foreach (explode("\n", $lines) as $line){
	$line = trim($line);
	$bytes = explode(" ", $line);

	foreach ($bytes as $byte){
	// When printed out as binary it becomes pretty clear that the MSB has
	// been flipped in the 4th and 8th columns... YOU LIED TO ME, JOBERT;
	// you said the LSBs had been shifted.
	printf("%08b ", intval($byte, 16));

	// Let's fix the high MSB and make a urlencoded string out of it.
	$str .= sprintf("%%%02X", intval($byte, 16) & 0b01111111);
	}
	echo PHP_EOL;
	}

	// We have 'JSON' :)
	$json = urldecode($str);
	echo $json;
	/*
	{
	"event": "password_change",
	"username": "bcollin",
	"old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
	"new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
	"timestamp": 1501858860000
	}
	*/

	// \xNN sequences?! This isn't valid JSON, Jobert ಠ_ಠ
	// I'll just copy and paste the strings like some kind of monster.
	$old = ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;";
	$new = "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk";


	// Oh hey, reverse the passwords... I tried reversing the raw bytes first,
	// it took me longer than it should have done to bother just revsering the hex string...
	// I also tried a ton of other stuff that didn't work, but never mind all of that...
	$oldhash = strrev(unpack("H*", $old)[1]);
	var_dump($oldhash);
	// string(32) "b35596ed3f0d5134739292faa04f7ca3"
	// A quick good search reveals it to be md5(md5('p4ssw0rd'))
	// That's the old password sorted.

	$newhash = strrev(unpack("H*", $new)[1]);
	var_dump($newhash);
	// string(32) "b684a7e82cd2dd7435852fdeac99af93"
	// Google doesn't find a result for this one :(

	// Let's try a few things... Thank you, Daniel Miessler...
	$fh = fopen('/home/tom/src/github.com/danielmiessler/SecLists/Passwords/rockyou.txt', 'r');
	if (!$fh) die('wat');
	while(true) {
	$test = trim(fgets($fh));

	if (md5(md5($test)) == $newhash){
	echo "Password: ". $test.PHP_EOL;
	break;
	}
	}
	fclose($fh);

	// This is crazy! Hurrah for brute force!
	// Confirmation:
	if (md5(md5('thisiscrazy')) == $newhash) {
	echo "You're an Evil man, Jobert.";
	}