whats_my_password

Another quick walk-through from ACSC5.  This problem is called whats_my_password and can be found here.

Problem

What is that administrator’s password? Note: enter the flag in the format acsc2017{}

Solution

If you follow the link on the first page, it takes you to a SQL dump from a MySQL database. Nothing states which program produced the database, but beginning on line 22 and in a number of other places, you see the prefix/suffix “wp”. A quick Google search for any of the table names shows that the database likely belongs to WordPress. A little more digging shows that the users’ passwords are stored in the wp_users table. If you continue down to line 446, you will see where that table is defined:

DROP TABLE IF EXISTS `wp_users`;
CREATE TABLE `wp_users` (
  `ID` bigint(20) UNSIGNED NOT NULL,
  `user_login` varchar(60) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_pass` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_nicename` varchar(50) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_email` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_url` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_registered` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `user_activation_key` varchar(255) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT '',
  `user_status` int(11) NOT NULL DEFAULT '0',
  `display_name` varchar(250) COLLATE utf8mb4_unicode_ci NOT NULL DEFAULT ''
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

and then on line 464 where the user ‘admin’ is inserted into the table.

INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES
 (1, 'admin', '5fcfd41e547a12215b173ff47fdd3739', 'BigT', 'some_address@gmail.com', '', '2017-07-01 17:36:03', '', 0, 'BigT');

Looking at the table definition, the third field is ‘user_pass’ which for the user insert has a value of ‘5fcfd41e547a12215b173ff47fdd3739’. Either that is a really good password (except that it’s missing any special characters), or it’s hashed. A google for “break a hash” gives me the 2nd result of crackstation[.]net (there are lots of other ones out there). When I paste in the hash, it breaks it to “trustno1” meaning the flag is acsc2017{trustno1}.
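An added example, not part of the original write-up: a Python audit that reads the wp_users INSERT from a dump, labels the hash scheme of each user_pass value, and confirms that the admin value is a plain unsalted MD5 of the recovered password. The sample dump is constructed (the admin row quoted above plus one made-up row), and the function names and scheme labels are this example's own.

```python
import hashlib
import hmac
import re

# Constructed sample: the admin row quoted in the post plus one made-up row
# whose value only illustrates the phpass format (not a real credential).
SAMPLE_DUMP = """INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`) VALUES
(1, 'admin', '5fcfd41e547a12215b173ff47fdd3739', 'BigT'),
(2, 'editor', '$P$BCONSTRUCTEDxSAMPLExHASHxVALUE0', 'ed');
"""

# Scheme labels are this example's own. WordPress treats a bare 32-hex
# value in user_pass as a legacy unsalted MD5 of the password.
SCHEMES = [
    (re.compile(r"^[0-9a-fA-F]{32}$"), "unsalted MD5"),
    (re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$"), "phpass"),
    (re.compile(r"^(\$wp)?\$2[aby]\$"), "bcrypt"),
]
INSERT = re.compile(r"INSERT INTO `wp_users`.*?;", re.S)
# ID, user_login, user_pass are the first three columns, as in the dump above.
ROW = re.compile(r"\(\s*(\d+)\s*,\s*'([^']*)'\s*,\s*'([^']*)'")

def classify(user_pass):
    """Return the label of the first scheme whose format matches."""
    for pattern, label in SCHEMES:
        if pattern.match(user_pass):
            return label
    return "unknown"

def audit(dump):
    """List (user_login, scheme) for every row inserted into wp_users."""
    findings = []
    for statement in INSERT.findall(dump):
        for _id, login, user_pass in ROW.findall(statement):
            findings.append((login, classify(user_pass)))
    return findings

def md5_matches(candidate, stored_hex):
    """True if the stored value is exactly MD5(candidate), with no salt."""
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hex.lower())

if __name__ == "__main__":
    for login, scheme in audit(SAMPLE_DUMP):
        print(f"{login}: {scheme}")
    print(md5_matches("trustno1", "5fcfd41e547a12215b173ff47fdd3739"))
```

Rows reported as unsalted MD5 are the ones a public lookup table can reverse, which is what happened with the admin row here.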
