safe-password

Catégorie: Osint Difficulté: medium Flag: CTF{fdc852bc63a266c8c38db64bef90d62d53ddeef00aa85df7b941ac780b3d75d8}

Challenge

1KB

safe-password.zip

Description

Another breach in the company... Haven't they learned anything? It's frustrating to witness the same mistake repeatedly. After all, it's not rocket science to implement basic cybersecurity measures like using non-pwned passwords.It looks like one has been seen more than 80 times before.

Can you help me find that one?

Flag format: CTF{sha256(password)}

Explications

C’est de l’OSINT, donc on regarde les sites proposant de savoir si le mot de passe à fuité

Ici le site attendu c’était https://haveibeenpwned.com/Passwords

Pour éviter de renter tous les passwords à la main, on peut scripter la recherche

Script de résolution

import requests
from hashlib import sha1

with open('leaked.txt') as f:
	while True:
		password = f.readline().strip()
		if not password:
			break
		h = sha1(password.encode()).hexdigest().upper()
		r = h[:5]
		pwn_list = [line.split(':', 1) for line in requests.get(f"https://api.pwnedpasswords.com/range/{r}").text.splitlines()]
		for pwn in pwn_list:
			if pwn[0] == h[5:]:
				print(password, pwn[1])

# Bubblegum123! 82
# Butterfly123@ 3
# Coconut123@ 8

Précédentpersistent-reccon SuivantPwn

Mis à jour il y a 1 an

hashtagChallenge

hashtagDescription

hashtagExplications

hashtagScript de résolution

Challenge

Description

Explications

Script de résolution