MITRE CTF 2013 – bin200 #2

This challenge gave us a JAR. We extracted it, and opened the class in JDGUI. It’s immediately clear that this challenge is to brute force an MD5. The manifest file gives us the first 6 characters, and leaves us to brute force the last 6. We know the keyspace is 0-9 A-F, as previous challenge flags fit that format.

So, we modify this to brute force the 6 characters and we’re done! Since the main challenge here is brute forcing, this is really more of a crypto challenge than it is a binary challenge.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
import java.io.PrintStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;
public class Overrated
{
public static void main(String[] paramArrayOfString)
{
String str1 = new String();
String str2 = "3d38629f056c942d561b63dbe8e94653";
//MCA-8E + (6 hex allcaps)
int max = 16;
//for every combination
for(int a=0;a<max;a++) {
for(int b=0;b<max;b++) {
for(int c=0;c<max;c++) {
for(int d=0;d<max;d++) {
for(int e=0;e<max;e++) {
for(int f=0;f<max;f++) {
String teststr = Integer.toString(a, 16) + Integer.toString(b, 16) + Integer.toString(c, 16) + Integer.toString(d, 16) + Integer.toString(e, 16) + Integer.toString(f, 16);
teststr = teststr.toUpperCase();
if(encrypt("MCA-8E"+teststr).equals(str2)) {
System.out.println("WOOT "+ "MCA-8E"+teststr);
return;
}
}
}
}
}
}
}
System.out.println("Good job!");
}
public static String encrypt(String paramString) {
String str1 = "";
try {
MessageDigest localMessageDigest = MessageDigest.getInstance("MD5");
localMessageDigest.reset();
localMessageDigest.update(paramString.getBytes());
byte[] arrayOfByte = localMessageDigest.digest();
// md5 array above
String str2 = "";
// convert to a hex string
for (int i = 0; i < arrayOfByte.length; i++) {
// this & does nothing
str2 = Integer.toHexString(0xFF & arrayOfByte[i]);
if (str2.length() == 1)
str1 = str1 + "0" + str2;
else
str1 = str1 + str2;
}
} catch (NoSuchAlgorithmException localNoSuchAlgorithmException) {
}
return str1;
}
}