Hey, what's going on everybody? My name is John Hammond, and in this video I wanted to bring to you one of the easy solutions to some of the Google Capture The Flag (CTF) that got started this weekend. It was going on from, I think, April 29th to May 1st. I think it was their first annual Google CTF, so a lot of people seemed like they were jumping in on it, and I was one of them.

The challenge I wanted to show you is Ernst Echidna. It was only worth 50 points; it wasn't really a big challenge, and a lot of people solved it: 737 people were able to get this one. So it's a pretty simple challenge, but I want to just walk you through it and build a quick get-flag script for you.

So here we go: "Can you hack this website? The robots.txt sure looks interesting." Hmm, okay, let's take a look at this. It says welcome to Strawberry Tea; access is restricted. Okay, "please register to get access," whatever. Let's check out that robots.txt that they were hinting at. robots.txt... and it does not want us to go to the admin page. Okay, well, what is over there? Let's check that one out, /admin, and it tells us, oh, we're not logged in. Fine, I guess we will go back and now try and log in and register.

Okay, so if we can register for an account, it's pretty simple: a username and password field. There's nothing interesting in here if you take a look at the source. There's nothing hidden; there's nothing hidden in the whole page. It's just plain straight HTML. So if we register, I guess we'll just fill some stuff out. Let's go, for the purposes of explanation, with "a" and "b" as our username and password. Registered: "Thank you for registering. Unfortunately, there's no content." That's fine. Can we get to our admin page now? That's really all we care about, right? Okay: "Sorry, this interface is restricted to administrators only." Well, dang, that's annoying. "Thank you for registering. Unfortunately, there's been no content posted on this site."

Okay, how's it keeping track of the fact that I am registered and logged in? That's probably done with a cookie, right? So, I mean, if you look at cookies in Firefox with something like Cookie Manager (it's a cool plugin; if you don't already have it, I totally recommend you grab it), I'm gonna use that to take a look at what we have here. I'm gonna fire up Cookie Manager, the actual tool, not Google search it, my bad. And we want to be looking at our website, Ernst Echidna, the challenge that we're looking at right now. And it has a cookie. It has a cookie set for us: md5-hash, looks like, right? Hopefully you guys can see this. I'm sorry if it's too small; I can't really zoom in on this.

Okay, so it's an md5-hash cookie. It has a value that I'm assuming, just based off its name, is an MD5 hash. Now MD5 is pretty much well known for being pretty weak, so I wonder if we can hack it. I wonder if we can crack that or find a collision for this MD5 hash. So I just googled "MD5 cracker" and md5cracker.org was a good one that I ended up using. So I threw my hash in there and, whoa, a lot of people told me that it has the result of just simply "a", and that's what we just put in there as our username. You remember when we registered with "a" as our username and "b" as our password. So it looked like all it really did was MD5 hash our username. So can we fool the web page into thinking that I am the administrator?

Let's delete our current cookie. I'll just remove that. Now, if I go to the page, it looks like I have to register. Can I log in? Can I register as admin? Okay, "admin account already taken." Oh well, okay, dang. But what's to stop us from changing the cookie that we already have? So if we fire up Cookie Manager one more time, our md5-hash cookie, which is currently the MD5 hash of the letter "a", our username...
Let's actually create our own MD5 hash of the word "admin", of that admin user, and can we just set this to be our cookie? Do I have it... all right, I still have it up, good. Go into Cookie Manager, change the value of our md5-hash cookie to now be the MD5 hash of the username "admin", and save it. Refresh the page: nothing new here. But now if I go to /admin, hey, that admin page now lets us come on in, and it says, "Hey, congratulations! Your token is" this flag. Cool, so we just got the flag, right? We would be able to submit this.

But, as some of you guys may know, I don't really like just leaving it at that. I'd like to be able to script this or automate getting the flag for us. So let's go ahead and start to build something that will let us do that. Fire up Sublime Text, get a new script going. I guess in my Google CTF folder I'll just create a get_flag.py script for us. I'll try and zoom in here so you can see it. Just a bang line going. Let's import re... I'm sorry, requests. And let's import hashlib; we'll actually use that to MD5 stuff. We'll say username = "admin", because that's what we want. md5 can equal hashlib.md5(), just to create our MD5 object. So md5.update() with username, and then md5_hash, I guess, which is what will set the value of the cookie, can be equal to that MD5 object's hexdigest(). So once it actually gets the digest of this username "admin", once it hashes the word "admin", md5_hash... now we see, okay, we've successfully hashed MD5. Now let's actually make that call. Let's get a request object open. We can just say s = requests.Session(). s.cookies, if I print that, shows you that currently it is just an empty cookie jar.
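The weakness the walkthrough exploits is that the session cookie is nothing more than MD5(username), with no server secret involved, so anyone who can guess a username can mint its cookie. The following is an added example (not the challenge's code or the video's script) that models that check next to a hardened version: an HMAC-SHA256 tag under a server-side key, which is an assumed fix rather than anything the challenge used. The `demo()` function shows the forged admin cookie passing the weak check and failing the signed one.

```python
import hashlib
import hmac
import secrets

# Weak scheme, as described in the walkthrough: cookie value is MD5(username).
def weak_cookie(username: str) -> str:
    return hashlib.md5(username.encode()).hexdigest()

def weak_is_admin(cookie: str) -> bool:
    # No secret on the server side, so the expected value is public knowledge.
    return cookie == weak_cookie("admin")

# Hardened scheme (assumption, not from the challenge): bind the username to a
# server-side key with HMAC-SHA256; the tag cannot be computed without the key.
def signed_cookie(username: str, key: bytes) -> str:
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"

def signed_is_admin(cookie: str, key: bytes) -> bool:
    username, sep, tag = cookie.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    return hmac.compare_digest(tag, expected) and username == "admin"

def demo():
    # Attacker registered as "a" and rewrites the cookie to MD5("admin").
    forged = hashlib.md5(b"admin").hexdigest()
    weak_result = weak_is_admin(forged)              # True: bypass succeeds

    key = secrets.token_bytes(32)                    # constructed server key
    # Same trick against the signed scheme: username is guessable, tag is not.
    forged_signed = "admin." + hashlib.md5(b"admin").hexdigest()
    hardened_result = signed_is_admin(forged_signed, key)   # False
    # A cookie issued for "a" cannot be re-labelled as admin either.
    relabelled = "admin." + signed_cookie("a", key).split(".", 1)[1]
    relabel_result = signed_is_admin(relabelled, key)       # False
    legit = signed_is_admin(signed_cookie("admin", key), key)  # True
    return weak_result, hardened_result, relabel_result, legit

if __name__ == "__main__":
    print(demo())
```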
Let's actually update that. I'll remove this print statement and update the cookie jar with a new dictionary with the string "md5-hash" set to our md5_hash, which is actually the hash. Now if we were to print out s.cookies, you should be able to see... oh, okay, cool, md5-hash is actually a cookie in there. That's just fine. So now we should be able to run s.get() on our admin page. If we try and run this and print it out, it does have an error, because we need to verify the SSL certificate. I'm going to ignore that; we can do that with verify=False. Probably not the best idea, but it does get what we wanted it to: it gets a response 200. So let's save that as r. We can print out r.text. Here we go. Okay, cool: "Congratulations. Your token is..." And let's just scrape that out with regular expressions. content can equal that, and then what is it that we're trying to find? re.search... all right, matched = re.search(). The pattern will be "ctf" and anything in here, and let's escape these out, and we'll find that in our content. So if matched: print matched.groups(). What do we get here? Nothing. I might not need to have these. "Congratulations. Your token is ctf..." That should totally work. Do I need to escape my asterisk here too? Here, I'll pause this so I can get it right for you. Sorry guys.

All right, I'm dumb. I completely forgot about the fact that I just actually needed to put the inside of the flag in parentheses, or the actual whole thing. Okay, my fail. So yeah, "ctf" and then the flag format is this, curly braces, and you can just denote that, hey, I actually want this as part of a found group. So if I just leave it... okay, now it should work. Cool, very nice. Uh, I don't know how I can hide that security warning. Let's do some research and find out again.

I'm kind of going off the cuff right now. I probably shouldn't be doing this much research and doing things that I don't have scripted, or at least don't have prepared, but: requests ignore warning, Python requests ignore InsecureRequestWarning. Is there a way to suppress that? Looks like there's just this line. Okay, sure. I just stole that off the internet, no big deal. Copy and paste code off Stack Overflow, that's good programming practice, right? That's funny. Okay, sure.

Real simple thing just to get the flag. Let's make this executable: chmod +x get_flag.py. Okay, and that gets our flag for us. Sweet, we're done. I spent too much time on this problem trying to show you something very, very simple, but it was a lot of fun. So thanks guys, hope you enjoyed this real simple part of Google CTF. Really, really cool CTF. I didn't get a whole lot of challenges, but it was a ton of fun. So thanks again guys, see you in the next video.