29C3 CTF – pwsafe

Points 300
No space left on brain? Store all your passwords and other secrets here and you will never forget your birthday again 🙂

The website in this challenge allowed us to create a user and log in with it. Once logged in, information could be stored on the site. There also seemed to be an /admin/ page, which returned the message “Access denied, only user admin has access”. While analyzing the website we noticed a really long session cookie set by the webserver. The cookie appeared to consist of 3 separate MD5 hashes concatenated into one string. After looking into these hashes a bit more, and at when they changed, we found that the cookie was built as:

[MD5][MD5(username)][MD5(user IP)]

The idea was that, to get to the admin page, we needed to change the cookie to:

[MD5][MD5('admin')][MD5(admin IP)]

The MD5 value of the word ‘admin’ is 21232f297a57a5a743894a0e4a801fc3, so we only needed the IP of the admin user, which was a bit harder to find. However, the server exposed a server-status page, which showed us:

036580/285/34514_0.084200000.00.072.42 GET /admin/ HTTP/1.1

It seems that the IP of admin is, using the IP in our request will result in retrieving the flag:

curl -s -b "session=954a33ddafa959cf59247cd21b4cc16321232f297a57a5a743894a0e4a801fc3`echo -n ""|md5sum|awk '{printf $1}'`"
<tr><td colspan="2"><textarea name="content">You did it.

FLAG: 29C3_PleasePutAllYourPasswordsHereItIsGood
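
The cookie could be rewritten because its identity fields are unkeyed hashes of values a client can learn. As an added example (not part of the original write-up and not the challenge's code), the sketch below models that check beside a hardened one that binds the identity with an HMAC under a server-side key; the function names, the token layout and SERVER_KEY are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()

def split_cookie(cookie: str):
    """Split the 96-hex-character cookie into its three 32-character MD5 fields."""
    if len(cookie) != 96:
        raise ValueError("expected three concatenated MD5 hex digests")
    return cookie[:32], cookie[32:64], cookie[64:]

def weak_identity(cookie: str, username: str, client_ip: str) -> bool:
    """Weak check modelled on the write-up: fields 2 and 3 are unkeyed hashes,
    so nothing ties them to a secret held by the server."""
    _, user_field, ip_field = split_cookie(cookie)
    return user_field == md5_hex(username) and ip_field == md5_hex(client_ip)

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(username: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: username and IP are covered by a keyed MAC."""
    if "|" in username or "|" in client_ip:
        raise ValueError("field separator not allowed in username or IP")
    payload = f"{username}|{client_ip}"
    return f"{payload}|{_tag(payload, key)}"

def verify_token(token: str, client_ip: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username if the MAC verifies and the IP matches, else None."""
    try:
        username, ip, tag = token.split("|")
    except ValueError:
        return None  # wrong number of fields
    expected = _tag(f"{username}|{ip}", key)
    # Constant-time comparison on bytes; also tolerates non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return username if ip == client_ip else None
```

A production session would normally use a random server-side session ID instead; the HMAC form is shown because it keeps the page's "identity in the cookie" design while removing the forgeability.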
