Phone Lock

Web - 50 Points

I forgot my phone password, can you help me unlock it? (Don’t judge, happens to us all)

Writeup

For this challenge we got a web page with a number lock resembling a phone pad. A quick look to the page source returns some interesting functions…

salt="a7274495d5e26749f2421c90c045a8a1";
valid="69b476f2868891b082e2ad7a309f6fc1";
//md5(salt+answer)

function buttonClick(e)
{
if (locked) return false;
var t=$("#result");
t.val(t.val()+"X");
result+=e.target.text;
if (t.val().length>=4)
{
if (md5(salt+result)==valid)
{
alert("Flag is: "+md5(salt+result+result));
}
}
}

We then just used hashcat to retrieve the original combination :) All we needed to do was setting the right params.

./hashcat-cli64.bin -m 20 -a 3 --outfile=testresult.txt --outfile-format=3 -1 ?d ./input.txt ?d?d?d?d

# -m, Hash-type, 20 = md5($salt.$pass)
# -a, Attack-mode, 3 = Brute-force
# --outfile-format=NUM, Define outfile-format for recovered hash, 3 = hash[:salt]:plain

The flag here vary (time-dependent).