What is it? @.@

This is where I record some tactics about wargames, systems, and other security issues.

2012-09-23

Hack This Site! - Extbasic 11

Description:

Can you get the password now?

Level 11

The following is a batch script authentication system. Your goal here is to get the batch script to authenticate you by inputting a password into the field.

@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET PRIME=2  3  5  7  11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101
SET CHARS=a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
SET PASSWORDVALUE=1
SET INPUT=
SET /P INPUT=Insert password:
IF "%INPUT%"=="" "%~0"
ECHO Authenticating...
:OVERLOOP
SET CURRENTPOSITION=0
:SUBLOOP
IF /I "!INPUT:~%CHARACTERPOSITION%,1!"=="!CHARS:~%CURRENTPOSITION%,1!" SET /A PASSWORDVALUE*=!PRIME:~%CURRENTPOSITION%,3!
SET /A CURRENTPOSITION+=3
IF NOT %CURRENTPOSITION%==78 GOTO :SUBLOOP
SET /A CHARACTERPOSITION+=1
IF NOT "!INPUT:~%CHARACTERPOSITION%,1!"=="" GOTO :OVERLOOP
:END
ENDLOCAL&IF NOT %PASSWORDVALUE%==1065435274 GOTO :ACCESSDENIED
ECHO You have been authenticated. Welcome aboard!
GOTO :SILENTPAUSE
:ACCESSDENIED
ECHO Access denied!
:SILENTPAUSE
PAUSE > NUL
 

Solution:
  1. You know that the value of the variable PASSWORDVALUE must be 1065435274, so now you have to reverse the hashing process to find the original password.
  2. The hashing process is the following code:
    :OVERLOOP
    SET CURRENTPOSITION=0
    :SUBLOOP
    IF /I "!INPUT:~%CHARACTERPOSITION%,1!"=="!CHARS:~%CURRENTPOSITION%,1!" SET /A PASSWORDVALUE*=!PRIME:~%CURRENTPOSITION%,3!
    SET /A CURRENTPOSITION+=3
    IF NOT %CURRENTPOSITION%==78 GOTO :SUBLOOP
    SET /A CHARACTERPOSITION+=1
    IF NOT "!INPUT:~%CHARACTERPOSITION%,1!"=="" GOTO :OVERLOOP
  3. The batch script takes each character you type in, assigns the corresponding prime value to it, and multiplies them all together, so the first thing you need to do is find the prime factorization of PASSWORDVALUE.
  4. Very soon, you'll find that the prime factors of 1065435274 are 2, 6827, and 78031. But no character maps to a value larger than 101.
  5. That means we neglected a very important concept about batch math: there's an integer overflow problem, because the maximum integer allowed in batch math is 2^31 - 1 = 2147483647 for 32-bit integers.
  6. So, we need to find the original composite number.
  7. The relationship between the composite number, the maximum integer, and 1065435274 is as follows.
    composite_number / (2^31) = quotient ... 1065435274
    composite_number = (2^31) * quotient + 1065435274
  8. You can brute-force the quotient to compute each candidate composite number and factor it. If the factors of the composite number are all less than or equal to 101, you get the answer!
  9. My result:
    quotient = 2136
    composite_number = (2^31) * 2136 + 1065435274 = 4588090507402
    4588090507402 = 2 * 17 * 19 * 23 * 37 * 41 * 47 * 61 * 71
    (aghilmort -> algorithm)
  10. It's done!
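
The brute-force search from steps 7 and 8, as an added example in Python (not part of the original post). The function names and the quotient limit of 3000 are assumptions chosen here; each candidate is also re-run through an emulation of the script's 32-bit signed `SET /A` multiplication, which discards quotients whose wrapped value would come out negative.

```python
# Added example: constants are copied from the challenge script on this page;
# function names and the search limit are assumptions made here.
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41,
          43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101]
CHARS = "abcdefghijklmnopqrstuvwxyz"
PRIME_OF = dict(zip(CHARS, PRIMES))
TARGET = 1065435274


def batch_hash(password):
    """Emulate the script: multiply per-letter primes with 32-bit signed wraparound."""
    value = 1
    for ch in password.lower():          # IF /I compares case-insensitively
        if ch in PRIME_OF:               # non-letters match no CHARS entry
            value = (value * PRIME_OF[ch]) & 0xFFFFFFFF
    return value - 2**32 if value >= 2**31 else value


def smooth_letters(n):
    """Return the letters whose primes multiply to n, or None if a factor > 101 remains."""
    letters = []
    for ch, p in PRIME_OF.items():
        while n % p == 0:
            n //= p
            letters.append(ch)
    return "".join(letters) if n == 1 else None


def recover(target, max_quotient):
    """Walk composite = 2^31 * quotient + target and keep fully factorable candidates."""
    hits = []
    for quotient in range(max_quotient + 1):
        composite = 2**31 * quotient + target
        letters = smooth_letters(composite)
        # Confirm through the emulated hash; this rejects wrapped-negative candidates.
        if letters is not None and batch_hash(letters) == target:
            hits.append((quotient, composite, letters))
    return hits


if __name__ == "__main__":
    for quotient, composite, letters in recover(TARGET, 3000):
        print(quotient, composite, letters)
```

The letters come out ordered by prime, so the result is an anagram of the password; any ordering of the same letters produces the same value because the script only multiplies.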