From b25861ff3299b826d0e47f0aad7ea8b367d60d70 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 3 Sep 2024 17:18:53 +0200
Subject: [PATCH] misc/pw_crack_3

---
 misc/pw_crack_3/level3.flag.txt.enc |  2 ++
 misc/pw_crack_3/level3.hash.bin     |  1 +
 misc/pw_crack_3/level3.py           | 47 +++++++++++++++++++++++++++++
 misc/pw_crack_3/output.txt          |  9 ++++++
 4 files changed, 59 insertions(+)
 create mode 100644 misc/pw_crack_3/level3.flag.txt.enc
 create mode 100644 misc/pw_crack_3/level3.hash.bin
 create mode 100755 misc/pw_crack_3/level3.py
 create mode 100644 misc/pw_crack_3/output.txt

diff --git a/misc/pw_crack_3/level3.flag.txt.enc b/misc/pw_crack_3/level3.flag.txt.enc
new file mode 100644
index 0000000..ebbeb00
--- /dev/null
+++ b/misc/pw_crack_3/level3.flag.txt.enc
@@ -0,0 +1,2 @@
+B[ZZqfN_]mTU\U[UmS
+XTD
\ No newline at end of file
diff --git a/misc/pw_crack_3/level3.hash.bin b/misc/pw_crack_3/level3.hash.bin
new file mode 100644
index 0000000..795faf3
--- /dev/null
+++ b/misc/pw_crack_3/level3.hash.bin
@@ -0,0 +1 @@
+m`��TA45���&
\ No newline at end of file
diff --git a/misc/pw_crack_3/level3.py b/misc/pw_crack_3/level3.py
new file mode 100755
index 0000000..50c5d2b
--- /dev/null
+++ b/misc/pw_crack_3/level3.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+
+import hashlib
+
+### THIS FUNCTION WILL NOT HELP YOU FIND THE FLAG --LT ########################
+def str_xor(secret, key):
+    #extend key to secret length
+    new_key = key
+    i = 0
+    while len(new_key) < len(secret):
+        new_key = new_key + key[i]
+        i = (i + 1) % len(key)
+    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
+###############################################################################
+
+flag_enc = open('level3.flag.txt.enc', 'rb').read()
+correct_pw_hash = open('level3.hash.bin', 'rb').read()
+
+
+def hash_pw(pw_str):
+    pw_bytes = bytearray()
+    pw_bytes.extend(pw_str.encode())
+    m = hashlib.md5()
+    m.update(pw_bytes)
+    return m.digest()
+
+
+def level_3_pw_check():
+    user_pw = input("Please enter correct password for flag: ")
+    user_pw_hash = hash_pw(user_pw)
+
+    if( user_pw_hash == correct_pw_hash ):
+        print("Welcome back... your flag, user:")
+        decryption = str_xor(flag_enc.decode(), user_pw)
+        print(decryption)
+        return
+    print("That password is incorrect")
+
+
+
+level_3_pw_check()
+
+
+# The strings below are 7 possibilities for the correct password. 
+#   (Only 1 is correct)
+pos_pw_list = ["8799", "d3ab", "1ea2", "acaf", "2295", "a9de", "6f3d"]
+
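Review bot: `hash_pw` checks the password against a single unsalted MD5 digest, and the candidates listed at the bottom of the file are four-character strings, so anyone holding `level3.hash.bin` can recover the password by offline guessing almost immediately. A real credential check needs a salted, deliberately slow KDF, for example `hashlib.pbkdf2_hmac("sha256", pw_str.encode(), salt, iterations)` with a random salt stored next to the digest. The comparison in `level_3_pw_check` should be `hmac.compare_digest(user_pw_hash, correct_pw_hash)` rather than `==`. The same password is also used directly as the repeating key in `str_xor`, so the flag's confidentiality is no stronger than that password. Separately, the two module-level `open(...).read()` calls never close their handles and `level_3_pw_check()` runs on import; `with open(...) as f:` and an `if __name__ == "__main__":` guard would address both.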
diff --git a/misc/pw_crack_3/output.txt b/misc/pw_crack_3/output.txt
new file mode 100644
index 0000000..69a287d
--- /dev/null
+++ b/misc/pw_crack_3/output.txt
@@ -0,0 +1,9 @@
+$ for pw in 8799 d3ab 1ea2 acaf 2295 a9de 6f3d; do ./level3.py <<<"$pw"; done
+Please enter correct password for flag: That password is incorrect
+Please enter correct password for flag: That password is incorrect
+Please enter correct password for flag: That password is incorrect
+Please enter correct password for flag: That password is incorrect
+Please enter correct password for flag: Welcome back... your flag, user:
+picoCTF{m45h_fl1ng1ng_6f98a49f}
+Please enter correct password for flag: That password is incorrect
+Please enter correct password for flag: That password is incorrect