Tuesday, October 16, 2012

hackyou CTF: PPC 200

In this challenge, the task is to get the sha1 hash of a 1,048,576-character password, of which we have keylogged all but 8 characters. We also have the final md5 hash of the password. The key here is to perform a sort of md5 hash extension to speed up the brute-forcing process (there are a max of 99,999,999 possibilities): hash the known characters once, then extend a copy of that md5 state with each candidate for the last 8 characters instead of rehashing the whole password every time. Luckily, Python's md5 library is very useful for this kind of function! Here is my script, which reads the keylogger file (I actually grepped out some of the file to simplify the process before I ran the Python) and then brute-forces the password.

import re, hashlib

password = open('bob', 'r').read() # open the simplified file
dec = re.compile(r'[^\d]+')        # regex to eliminate non-number chars
password = dec.sub('', password).encode()  # eliminate the chars; bytes for hashing

init = hashlib.md5(password)       # create an md5 object with the first
                                   # 1,048,568 chars
# Loop through the keyspace (00000000 through 99999999 inclusive)
for i in range(100000000):
        # Print the count every 100,000 iterations because I am impatient
        if i % 100000 == 0:
                print(i)
        guess = str(i).zfill(8).encode()  # candidate for the last 8 chars
        tmp = init.copy()       # Create a copy of the md5 hash to manipulate
        tmp.update(guess)       # Do the hash extension with i
        test = tmp.hexdigest()  # Compute the hash

        # If the md5 is correct, we win!
        if test == '287d3298b652c159e654b61121a858e0':
                print('Answer found!')
                print(hashlib.sha1(password + guess).hexdigest())
                break

This script finished after about 1 to 2 minutes somewhere around the 68,000,000th try.
-- suntzu_II
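
An added example (not the author's script) that packages the copy-the-state trick as a reusable function and times it against rehashing the full message for every guess. The prefix, the 4-digit suffix and the function names are constructed for illustration; the function accepts any hashlib algorithm and any prefix length.

```python
import hashlib
import time


def recover_suffix(prefix, target_hex, width, algo="md5", reuse_state=True):
    """Return the zero-padded decimal suffix whose digest matches, else None."""
    target_hex = target_hex.lower()
    base = hashlib.new(algo, prefix)  # known prefix is absorbed exactly once
    for i in range(10 ** width):      # 00..0 through 99..9 inclusive
        suffix = str(i).zfill(width).encode()
        if reuse_state:
            # copy() clones the chaining value and any buffered partial
            # block, so the prefix length need not be a multiple of 64.
            h = base.copy()
            h.update(suffix)
        else:
            # Baseline: rehash prefix + suffix from scratch for each guess.
            h = hashlib.new(algo, prefix + suffix)
        if h.hexdigest() == target_hex:
            return suffix.decode()
    return None


def compare(prefix_len=(1 << 18) + 5, secret="0417"):
    """Time both strategies on constructed data; return (suffix, seconds)."""
    prefix = b"7" * prefix_len  # constructed stand-in for the keylogged digits
    target = hashlib.md5(prefix + secret.encode()).hexdigest()
    seconds = {}
    found = None
    for reuse in (True, False):
        start = time.perf_counter()
        found = recover_suffix(prefix, target, len(secret), reuse_state=reuse)
        seconds["copy" if reuse else "rehash"] = time.perf_counter() - start
    return found, seconds


if __name__ == "__main__":
    suffix, seconds = compare()
    print("recovered suffix:", suffix)
    for name, elapsed in seconds.items():
        print(f"{name:>6}: {elapsed:.3f}s")
```

The gap between the two timings grows with the prefix length, since the baseline pays for the whole prefix on every guess while the copy path only hashes the final block or two.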
