HACKvent 2015: Day 9

Hackvent 201512950

Challenge

sadly we didnt receive todays code transmission properly and it seems that a part of the information got lost. are you able to recover the missing parts?

all we know is that the lowercase sha1 of the code gives:

B39ECFBC2C64ADBB7C7A9292EEE31794D28FE224

and the sha1 of the case sensitive code should be:
0D353038908AD0FC8C51A5312BB3E2FEE1CDDF83

The following sound file was also provided: HV15-Day9-code_transmission_g5Nzjnl_OMQs4RMdA6rU.mp3

Solution

This was a very simple challenge.
First we listen to the transmission and discover it spells out the nugget but some characters are turned into noise.

We get:

HV?5 g?uj 1yq7 ?dyc 2wlr e6?j

The ? character represents a character in the set [A-Za-z0-9] (because those are the only characters that can appear in the nugget). We notice that dashes are omitted. We also know the nugget starts with HV15 so the first unknown character is determined to be 1.

Now, we bruteforce the remaining 3 characters using our hint. We want to first find a full lowercase solution that has a sha1sum which equals B39ECFBC2C64ADBB7C7A9292EEE31794D28FE224.
After a solution is found for that, we can then try to find the sha1sum of all permutations of the case of each character after HV15 (we know HV15 must be uppercase).

So we construct our template to be:

HV15-g?uj-1yq7-?dyc-2wlr-e6?j

Then we write a python script to carry out the Bruteforce attack:

#!/usr/bin/env python

# Day 9
import hashlib, itertools

message = 'HV15-G?UJ-1YQ7-?DYC-2WLR-E6?J'

# Source: http://stackoverflow.com/a/6792898/1800854
def all_casings(input_string):
    if not input_string:
        yield ""
    else:
        first = input_string[:1]
        if first.lower() == first.upper():
            for sub_casing in all_casings(input_string[1:]):
                yield first + sub_casing
        else:
            for sub_casing in all_casings(input_string[1:]):
                yield first.lower() + sub_casing
                yield first.upper() + sub_casing

# Bruteforce
for res in list(itertools.permutations('abcdefghijklmnopqrstuvwxyz0123456789', 3)):
  template = list(message)
  template[6] = res[0]
  template[15] = res[1]
  template[27] = res[2]
  
  # Check sha1
  input = ''.join(template).lower()
  hash_object = hashlib.sha1(input)
  hex_dig = hash_object.hexdigest().upper()
  
 
  if hex_dig == 'B39ECFBC2C64ADBB7C7A9292EEE31794D28FE224':
    print "Found match:", ''.join(template).lower()
    
    input2 = list(''.join(template).lower())
    input2_str = ''.join(input2)
    
    # Bruteforce character cases
    for perm in all_casings(input2_str[4:]):
      
      final_test = "HV15" + perm
      
      hash_object = hashlib.sha1(final_test)
      hex_dig = hash_object.hexdigest().upper()
      
      # Check final solution
      if hex_dig == '0D353038908AD0FC8C51A5312BB3E2FEE1CDDF83':
        print "Found solution:", final_test

We run this and get our flag in 1 second:

Flag:

HV15-GnUj-1YQ7-vdYC-2wlr-E6xj

Leave a comment

(required)(will not be published)(required)

Comments

There are no comments yet. Be the first to add one!