iT邦幫忙

2024 iThome Ironman Contest

DAY 11

“If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.” ― Bruce Schneier

PW Crack 1-5

PW Crack 1:

$ wget https://artifacts.picoctf.net/c/12/level1.py https://artifacts.picoctf.net/c/12/level1.flag.txt.enc
$ python level1.py
Please enter correct password for flag: 123
That password is incorrect
$ cat level1.py # the password is hard-coded in the script: 8713
$ python level1.py
"Please enter correct password for flag: 8713
Welcome back... your flag, user:"
picoCTF{545h_r1ng1ng_1b2fd683}

PW Crack 2:

# \ = line continuation
$ wget https://artifacts.picoctf.net/c/14/level2.py \
https://artifacts.picoctf.net/c/14/level2.flag.txt.enc
$ python level2.py
Please enter correct password for flag: 123
That password is incorrect
$ cat level2.py # the password check is user_pw == chr(0x34) + chr(0x65) + chr(0x63) + chr(0x39)
# type python to enter the Python interpreter
>>> print(chr(0x34) + chr(0x65) + chr(0x63) + chr(0x39)) # prints 4ec9
$ python level2.py
"Please enter correct password for flag: 4ec9
Welcome back... your flag, user:"
picoCTF{tr45h_51ng1ng_9701e681}

PW Crack 3:

$ wget https://artifacts.picoctf.net/c/18/level3.py \
	https://artifacts.picoctf.net/c/18/level3.flag.txt.enc \
	https://artifacts.picoctf.net/c/18/level3.hash.bin
$ python level3.py
Please enter correct password for flag: 123
That password is incorrect
$ cat level3.py
# note the last few lines
# The strings below are 7 possibilities for the correct password. 
# (Only 1 is correct)
# pos_pw_list = ["8799", "d3ab", "1ea2", "acaf", "2295", "a9de", "6f3d"]

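Using these last three lines, we can modify the program to brute-force through the seven candidate passwords:

def level_3_pw_check(pw):
    #user_pw = input("Please enter correct password for flag: ")  # comment out this line
    user_pw_hash = hash_pw(pw) # use the password passed in as the argument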
    
    if( user_pw_hash == correct_pw_hash ):
        print("Welcome back... your flag, user:")
        decryption = str_xor(flag_enc.decode(), pw)
        print(decryption)
        return
    print("That password is incorrect")

# The strings below are 7 possibilities for the correct password. 
#   (Only 1 is correct)
pos_pw_list = ["8799", "d3ab", "1ea2", "acaf", "2295", "a9de", "6f3d"]

for pos_pw in pos_pw_list:
    level_3_pw_check(pos_pw)

$ python level3.py
That password is incorrect
That password is incorrect
That password is incorrect
That password is incorrect
Welcome back... your flag, user:
picoCTF{m45h_fl1ng1ng_6f98a49f}
That password is incorrect
That password is incorrect

PW Crack 4:

Same as PW Crack 3; brute force is enough:

# The strings below are 100 possibilities for the correct password. 
#   (Only 1 is correct)
pos_pw_list = ["158f", "1655", "d21e", "4966", "ed69", "1010", "dded", "844c", "40ab", "a948", 
"156c", "ab7f", "4a5f", "e38c", "ba12", "f7fd", "d780", "4f4d", "5ba1", "96c5", "55b9", "8a67", 
"d32b", "aa7a", "514b", "e4e1", "1230", "cd19", "d6dd", "b01f", "fd2f", "7587", "86c2", "d7b8", 
"55a2", "b77c", "7ffe", "4420", "e0ee", "d8fb", "d748", "b0fe", "2a37", "a638", "52db", "51b7", 
"5526", "40ed", "5356", "6ad4", "2ddd", "177d", "84ae", "cf88", "97a3", "17ad", "7124", "eff2", 
"e373", "c974", "7689", "b8b2", "e899", "d042", "47d9", "cca9", "ab2a", "de77", "4654", "9ecb", 
"ab6e", "bb8e", "b76b", "d661", "63f8", "7095", "567e", "b837", "2b80", "ad4f", "c514", "ffa4", 
"fc37", "7254", "b48b", "d38b", "a02b", "ec6c", "eacc", "8b70", "b03e", "1b36", "81ff", "77e4", 
"dbe6", "59d9", "fd6a", "5653", "8b95", "d0e5"]

for pw in pos_pw_list:
    level_4_pw_check(pw)

PW Crack 5:

Same as above:

def level_5_pw_check():
    while True:
        user_pw = input("Please enter correct password for flag: ")
        user_pw_hash = hash_pw(user_pw)

        if( user_pw_hash == correct_pw_hash ):
            print("Welcome back... your flag, user:")
            decryption = str_xor(flag_enc.decode(), user_pw)
            print(decryption)
            return
        print("That password is incorrect")

level_5_pw_check()

$ cat dictionary.txt | python level5.py
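
The candidate-list check from PW Crack 3 to 5 as one self-contained function, which is an added example and not code from the challenge or the original post. The bodies of hash_pw and str_xor are assumptions (MD5 and repeating-key XOR), since the page only shows their names, and the password, hash and flag are constructed sample data. It goes one step beyond the page by also enumerating every 4-character hex string, the format all listed candidates share.

```python
import hashlib
from itertools import product

def hash_pw(pw: str) -> bytes:
    # Assumption: MD5 digest of the password bytes (definition not shown on the page).
    return hashlib.md5(pw.encode()).digest()

def str_xor(secret: str, key: str) -> str:
    # Assumption: repeating-key XOR, so the same call encrypts and decrypts.
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(secret))

def crack(candidates, correct_pw_hash: bytes, flag_enc: bytes):
    """Return (password, plaintext) for the first matching candidate, else None."""
    for raw in candidates:
        pw = raw.strip()  # tolerate lines read from a dictionary file
        if pw and hash_pw(pw) == correct_pw_hash:
            return pw, str_xor(flag_enc.decode(), pw)
    return None

def all_hex4():
    """Every 4-character lowercase hex string: 16**4 = 65536 candidates."""
    return ("".join(t) for t in product("0123456789abcdef", repeat=4))

# Constructed sample data (not the challenge's real password, hash or flag).
SAMPLE_PW = "c0de"
SAMPLE_FLAG = "exampleCTF{constructed_flag}"
SAMPLE_HASH = hash_pw(SAMPLE_PW)
SAMPLE_ENC = str_xor(SAMPLE_FLAG, SAMPLE_PW).encode()
SAMPLE_LIST = ["0a1b\n", "ffff\n", "c0de\n", "1234\n"]

if __name__ == "__main__":
    print(crack(SAMPLE_LIST, SAMPLE_HASH, SAMPLE_ENC))   # candidate list, as in levels 3-5
    print(crack(all_hex4(), SAMPLE_HASH, SAMPLE_ENC))    # whole keyspace, no list needed
```

Unlike the loop on the page, crack stops at the first match and returns None when the list is exhausted. A fast unsalted hash over a 65536-value keyspace gives the stored hash no protection, with or without the candidate list.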

Mod26

13

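According to the hints, both challenges are related to ROT13. Searching online for ROT13 shows that it maps each letter to the letter 13 positions later (wrapping back around to A when it goes past Z), so a simple program handles it: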

# py
big = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ"
small = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"

pw = input()

for c in pw:
    if 'A' <= c <= 'Z':
        print(big[ord(c) - ord('A') + 13], end='')
    elif 'a' <= c <= 'z':
        print(small[ord(c) - ord('a') + 13], end='')
    else:
        print(c, end='')

print()

#include <iostream>
#include <string>
std::string big = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ";
std::string small = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz";

int main()
{
        std::string pw;
        std::cin >> pw;
                
        for (char c : pw)
        {
                if (c >= 'A' && c <= 'Z')
                        std::cout << big[c - 'A' + 13];
                else if (c >= 'a' && c <= 'z')
                        std::cout << small[c - 'a' + 13];
                else
                        std::cout << c;
        }
        std::cout << '\n';
        return 0;
}

(Further thought: are there other encryption methods similar to ROT13?)
https://en.wikipedia.org/wiki/Base64
https://en.wikipedia.org/wiki/Caesar_cipher
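
As an added example (not part of the original post), ROT13 generalised to the Caesar shift it is an instance of: the doubled alphabet strings above are replaced by arithmetic mod 26, and all 26 shifts are tried against a known fragment of the plaintext. The function names and sample strings are constructed for illustration.

```python
def rot(text: str, n: int) -> str:
    """Shift each ASCII letter n places, wrapping with mod 26; other characters pass through."""
    out = []
    for c in text:
        if "A" <= c <= "Z":
            out.append(chr((ord(c) - ord("A") + n) % 26 + ord("A")))
        elif "a" <= c <= "z":
            out.append(chr((ord(c) - ord("a") + n) % 26 + ord("a")))
        else:
            out.append(c)
    return "".join(out)

def find_shifts(ciphertext: str, crib: str):
    """Try all 26 shifts; return [(shift, plaintext)] where the plaintext contains crib."""
    return [(n, rot(ciphertext, n)) for n in range(26) if crib in rot(ciphertext, n)]

# Constructed sample strings (not a real flag).
SAMPLE_PLAIN = "picoCTF{constructed_example}"
SAMPLE_ROT13 = rot(SAMPLE_PLAIN, 13)
SAMPLE_ROT7 = rot(SAMPLE_PLAIN, 7)

if __name__ == "__main__":
    print(SAMPLE_ROT13)
    print(rot(SAMPLE_ROT13, 13))               # 13 + 13 = 26, so ROT13 undoes itself
    print(find_shifts(SAMPLE_ROT7, "picoCTF"))  # an unknown shift falls to 26 tries
```

With only 26 possible keys, any Caesar shift is an encoding rather than encryption, which is also true of Base64: neither involves a secret.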

