Mar
07

## Codegate CTF 2011 Crypto300 Writeup

Description:

we are investigating an illegal online gambling site. To find any evidence to support for illegal gambling, we must access the oracle database with administrator privileges. The suspect says that he does not know the administrator password, but we know for sure that he is lying.

The password is estimated to be longer than 8 characters. However, we don’t have enough time to apply a brute-force attack. In order to request an arrest warrant, we must find the evidence of illegal gambling before the YUT-Challenge is over.

By using social engineering, we were able to find various data about the suspect. By analyzing the data, the suspect always include last four digits(‘1024’) of his phone number in his password. Hence, we may assume that his phone number is included in the administrator password for the database.

The given file is the dump file of sys.user$table in oracle database. (The data file of system tablespace is too big to upload.) Find the password of ‘SYSTEM’ account. Download database Summary: bruteforce with John the Ripper We are given a part of password, so we consider the task to be a brute-forcing challenge. Let’s first get the ecnrypted passwords. If we do strings on the file, we’ll see that hashes look like S:1DD713366F74C3C50EE788472C538B30E96E1D993253573202667D1462BC and the SYSTEM‘s hash is: S:26D848B7ED72F141CF31DDD137DD70C4839FEA45A78230C3977D6895936F So, let’s use John the Ripper to crack them: notice: I am trying to crack all hashes – there can be a hint, and it isn’t much slower $ strings task.db | grep -E "^S:" >hashes.txt
$./john-1.7.6-jumbo-12/run/john hashes.txt Loaded 41 password hashes with 41 different salts (Oracle 11g [oracle11]) s (S) tiger (S) dip (S) march (S) ^C$ cat ./john-1.7.6-jumbo-12/run/john.pot
EDD08A386D961B35E097E9153DF2CACA69E3CCFE22DD64218AF9433DAAA1:s
45184B84D44775C31633B8DF0DC5DE2C5153E23F21A2EB73B44881843220:tiger
51C0606CD08192EF543678519467E3320A44603F68E04BF2D6C97B881FA7:dip
EA094B23FE444D11C230C341F7BD7D250907647C84B6F0334D4FB52A1901:march


Ok, we found some simple password (unluckily they don’t belong to SYSTEM, hehe), and now we know type of passwords: oracle11

Now there are two ways – generate our own dictionary for John, or modify it to add “1024” to each password. The first way is much easier, so we’ll use it. Here is a small script to generate passwords:

#!/usr/bin/env python
#-*- coding:utf-8 -*-

import sys
import string
from itertools import combinations_with_replacement

alpha = "abcdefghijklmnopqrstuvwxyz_.-!@#$%^&*()+=[]{};:'\"\\,./?><" MAXLEN = 10 f = sys.stdout # open("mydict.txt", "w", 4096 * 4096) for strlen in xrange(MAXLEN + 1 - 4): for s in combinations_with_replacement(alpha, strlen): f.write("".join(s) + "1024\n") sys.stderr.write("length=%d done\n" % (strlen + 4))  Now, run john: $ python2.7 gendict.py | ./john-1.7.6-jumbo-12/run/john --stdin hashes.txt
length=4 done
length=5 done
length=6 done
jk_1024          (S)
jk_1024          (S)
jk_1024          (S)
length=7 done
jk##1024         (S)
length=8 done
Traceback (most recent call last):
File "gendict.py", line 13, in <module>
f.write("".join(s) + "1024\n")
KeyboardInterrupt
guesses: 4  time: 0:00:00:11  c/s: 1629K  trying: adeo:1024
Session aborted


Nice, we have some passwords in 11 secs! Let’s check:

\$ cat ./john-1.7.6-jumbo-12/run/john.pot
EDD08A386D961B35E097E9153DF2CACA69E3CCFE22DD64218AF9433DAAA1:s
45184B84D44775C31633B8DF0DC5DE2C5153E23F21A2EB73B44881843220:tiger
51C0606CD08192EF543678519467E3320A44603F68E04BF2D6C97B881FA7:dip
EA094B23FE444D11C230C341F7BD7D250907647C84B6F0334D4FB52A1901:march
71974569DA24DA8939C214C32138F06F9D0E33F97A7C5A72A601D78B0CCE:jk_1024
12ABB669E515B3516B234D95DF70C8EDC3530F5E2A4ECD58F529174D9857:jk_1024
1F7C9384AF8F0B497E0EAB09A0141D96012DC5FC5227DA6CEF7AEB0D423F:jk_1024
26D848B7ED72F141CF31DDD137DD70C4839FEA45A78230C3977D6895936F:jk##1024


Yesss, we have the right one!

The flag: jk##1024