This is a web application security dojo cum CTF cum hacking challenge from https://pwn.college (challenge link is https://pwn.college/codesprout~a2cb8d41/web-app/) which puts your hacking skills to the test against a social media site named Socio-Pedia. We are given:

  • a webapp,
  • a user email account,
  • an incomplete password.py script.

In the first task, the hacker needs to use basic scripting skills to automate the password-cracking process.

Next, after successfully gaining access to the user account, the hacker needs to perform information gathering across all of Jenna’s posts and comments and find the user who has posted a flag in a comment on one of the posts.

There is some gossip going on in the posts, but some posts are encrypted; it's up to the hacker to decipher those hidden messages and navigate to the flag.

Challenge 1: Password cracking

In the first level, your task is to gain access to Jenna’s account by cracking the password with the known email jenna@email.com.

The password is a combination of words and symbols found inside the file located at ~/Desktop/password.py. The site requires that all users have a password with (a word + a number + a symbol).

Your objective is to complete the script, crack this password, and find the flag. This exercise will test your ability to use basic scripting skills to automate the password-cracking process.

I used this password.py script to generate the candidate passwords:

from itertools import product
 
# List of words, numbers, and symbols
words         = ['Sparky', 'Red', 'Tempe']
numbers       = ['2005', '6']
specialchar   = ['@', '!']
 
# Generate all possible combinations of words, numbers, and symbols
pass_cracker = list(product(words, numbers, specialchar))
 
# Print all possible combinations
for password in pass_cracker:
    print(''.join(password))

Explanation

The script uses the itertools.product function to generate all possible combinations of words, numbers, and symbols. The list function is used to convert the product object to a list, which can be easily iterated over. The script then iterates over the list of combinations and prints each combination as a possible password.

Note: This script will generate all possible combinations of words, numbers, and symbols, which may take a long time to execute if the lists of words, numbers, and symbols are long.

Additionally, it’s worth noting that cracking passwords without permission is illegal and unethical. This solution is for educational purposes only.

With the cracked password, the hacker logs into the Socio-Pedia webapp using these credentials:

email : jenna@email.com
pswd : Sparky6!

Challenge 2: Information Gathering!

Great job!

Having successfully logged in with the credentials from Level 1, your next challenge is to perform information gathering from within Jenna’s account.

You will need to explore Jenna’s home profile, search through posts, and examine comments to locate the user who has posted the flag. This level emphasizes your ability to navigate a web application and retrieve useful information hidden within user interactions.

The flag will be a comment in the post of the encrypted message for level 3.

Please make sure to note down the encrypted message somewhere as it will not be available in level 3.

By doing an intensive search through all the users' profiles, I finally found the flag and moved on to the next challenge.

Challenge 3: Encryption Breaking

Woohoo you’ve made it!

In the last level you discovered the encrypted message.

For your final task, decrypt this message. The message is encrypted using a Caesar cipher. Caesar ciphers are a form of shift cipher, for more information please visit here.

Once decrypted, you will use the command python /challenge/challenge.py to input the message and obtain the final flag.

This level will challenge your understanding of basic cryptography and your ability to apply decryption techniques to uncover hidden information.

Good luck!

Cipher found in the comments:

Sduwb dw Pdlq Vwuhhw!

After deciphering it as a Caesar cipher with https://www.dcode.fr/caesar-cipher we get:

Party at Main Street!

By putting it into the python /challenge/challenge.py input, we get the final flag.

My Conclusion:

For beginners in cybersecurity this challenge shouldn't be that hard. For me, Python scripting was a bit of a tongue twister, but with a little bit of help from ChatGPT I finished the script; the rest was easy.

I found some ciphered text and deciphered it with the https://www.dcode.fr/ site. Huge thanks to this site; it has a wide variety of ciphers to decipher and cipher. With its analyze tool I was able to detect that the kind of cipher they used was a Caesar cipher.

Only then did I have to do a bit of digging in each user's posts to see the flag. There were some nice photos too, probably generated by AI.

And with that I am also awarded this [💡] badge by pwn.college.