Phone Lock

Web - 50 Points

I forgot my phone password, can you help me unlock it? (Don’t judge, happens to us all)

Writeup

For this challenge we got a web page with a number lock resembling a phone pad. A quick look to the page source returns some interesting functions…

salt="a7274495d5e26749f2421c90c045a8a1";
valid="69b476f2868891b082e2ad7a309f6fc1";
//md5(salt+answer)

function buttonClick(e)
{
	if (locked) return false;
	var t=$("#result");
	t.val(t.val()+"X");
	result+=e.target.text;
	if (t.val().length>=4)
	{
		if (md5(salt+result)==valid)
		{
			alert("Flag is: "+md5(salt+result+result));
		}
	}
}

We then just used hashcat to retrieve the original combination :) All we needed to do was setting the right params.

./hashcat-cli64.bin -m 20 -a 3 --outfile=testresult.txt --outfile-format=3 -1 ?d ./input.txt ?d?d?d?d

#  -m, Hash-type, 20 = md5($salt.$pass)
#  -a, Attack-mode, 3 = Brute-force
#  --outfile-format=NUM, Define outfile-format for recovered hash, 3 = hash[:salt]:plain

The flag here vary (time-dependent).