Gynvael’s Mission 015

MISSION 015               goo.gl/JKN1Zq             DIFFICULTY: █████░░░░░ [5╱10]
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅

One of our operatives managed to find an information leak vulnerability on an
internal website of a hostile syndicate. The vulnerability itself is quite
amusing, as it allows to leak any file on the FS in form of a bar chart. Our
operative leaked a script responsible for authenticating a system operator.

Your task is to analyze the chart and then the script, and attempt to recover
system operator's password.

  Chart: goo.gl/YbYYcS

Good luck!

---------------------------------------------------------------------------------

If you find the answer, put it in the comments under this video! If you write a
blogpost / post your solution / code online, please add a link as well!

P.S. I'll show/explain the solution on the stream in ~one week.

Solution (C#)

Part 1/2

Downloaded chart:

chart

For each column I created a dictionary where the key is a color and the value is the number of occurrences. I want to find all color values.

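    // bmp is the downloaded chart as a System.Drawing.Bitmap; W and H are its width and height.
    // One histogram per image column: color -> number of pixels of that color.
    Dictionary<Color, int>[] his = new Dictionary<Color, int>[W];

    Console.WriteLine("Analyse image...");
    for (int x = 0; x < W; x++)
    {
        his[x] = new Dictionary<Color, int>();
        for (int y = 0; y < H; y++)
        {
            Color p = bmp.GetPixel(x, y);

            // Count how often each color occurs in this column
            if (!his[x].ContainsKey(p))
                his[x][p] = 1;
            else
                his[x][p]++;
        }
    }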

There are only 3 different colors in the image. I saved the red color values to the file.

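    // Red color
    Color colr = Color.FromArgb(255, 255, 0, 0);

    // The number of red pixels in a column (the bar height) is the
    // value of one byte of the leaked file; convert it to a character.
    StringBuilder sb = new StringBuilder();
    foreach (var h in his)
    {
        sb.Append((char)h[colr]);
    }
    
    // Save to file
    File.WriteAllText("cols_to_ascii.txt", sb.ToString());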

Part 2/2

The data saved in the file is PHP code:

    <?php

    if (!isset($_GET['password']) || !is_string($_GET['password'])) {
      die("bad password");
    }

    $p = $_GET['password'];

    if (strlen($p) !== 25) {
      die("bad password");
    }

    if (md5($p) !== 'e66c97b8837d0328f3e5522ebb058f85') {
      die("bad password");
    }

    // Split the password in five and check the pieces.
    // We need to be sure!
    $values = array(
      0 => 'e6d9fe6df8fd2a07ca6636729d4a615a',
      5 => '273e97dc41693b152c71715d099a1049',
      10 => 'bd014fafb6f235929c73a6e9d5f1e458',
      15 => 'ab892a96d92d434432d23429483c0a39',
      20 => 'b56a807858d5948a4e4604c117a62c2d'
    );

    for ($i = 0; $i < 25; $i += 5) {
      if (md5(substr($p, $i, 5)) !== $values[$i]) {
        die("bad password");
      }
    }

    die("GW!");

We have 5 MD5 checksums and we need to find 5 password pieces.

    string guesspass = Find5CharPassword(args[0]);

I ran the program 5 times for each checksum:

chart

After about 14 min I saw that one password was not found. I guess it's missing '!'.
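The body of `Find5CharPassword` is not shown on this page. The block below is an added example, not the repository's code: a hypothetical `FindPiece` that searches all 5-character strings over a given character set, run on a constructed sample piece (`ab!ba`) with tiny constructed character sets so it finishes instantly. It shows why a piece goes unfound when the set lacks one of its characters, and how much the per-piece hashes in the script shrink the search compared with the single 25-character hash. An ASCII character set is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PieceSearch
{
    // Lowercase hex MD5, the same form PHP's md5() returns.
    static string Md5Hex(MD5 md5, byte[] data)
    {
        return BitConverter.ToString(md5.ComputeHash(data)).Replace("-", "").ToLowerInvariant();
    }

    // Hypothetical helper: try every 5-character string over `charset`;
    // return the matching piece, or null if the charset cannot produce it.
    public static string FindPiece(string targetHex, string charset)
    {
        int n = charset.Length;
        var idx = new int[5];   // current position in charset for each character
        var buf = new byte[5];
        using (MD5 md5 = MD5.Create())
        {
            while (true)
            {
                for (int i = 0; i < 5; i++) buf[i] = (byte)charset[idx[i]];
                if (Md5Hex(md5, buf) == targetHex) return Encoding.ASCII.GetString(buf);

                // Odometer-style increment; finished once every position has wrapped.
                int pos = 4;
                while (pos >= 0 && ++idx[pos] == n) { idx[pos] = 0; pos--; }
                if (pos < 0) return null;
            }
        }
    }

    static void Main()
    {
        // Constructed sample piece, hashed here so the demo needs no external data.
        string target;
        using (MD5 md5 = MD5.Create()) target = Md5Hex(md5, Encoding.ASCII.GetBytes("ab!ba"));

        Console.WriteLine(FindPiece(target, "ab") ?? "(not found)");   // charset lacks '!'
        Console.WriteLine(FindPiece(target, "ab!") ?? "(not found)");  // charset includes '!'

        // Candidates to test with 95 printable ASCII characters:
        // five independent 5-character pieces vs. one 25-character password.
        Console.WriteLine("{0:E2} vs {1:E2}", 5 * Math.Pow(95, 5), Math.Pow(95, 25));
    }
}
```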

Finally:

chart

Password is:

Pie charts are delicious!

Video with solutions on GynvaelEN channel