Write-up of the challenge “Guessing – So Basic” of Nuit du Hack 2016 Wargame
The Nuit du Hack 2016 Wargame, a Jeopardy-style CTF, took place on the weekend of 02-03 July 2016. Having had the opportunity and the time to take part with some colleagues and friends, here is a write-up of the challenges we worked on.
- Category: Guessing
- Name: So Basic
- Description : Mister Julien Ducul has a dog named Rex, his dog is 5 years old and so he wanna make a fancy website in order to make this birthday special. Unfortunately, he is not able to remember the credentials he has configured on the website.
- URL : 172.16.1.51
- Points : 50
tl;dr : Login : jducul – Password rex2011 (the dog is 5 years old)
For this challenge, simply browsing to “http://172.16.1.51” prompted for a login and password. From the title of the challenge, we concluded that the authentication was HTTP “Basic Authentication”, set up for example with a simple “.htaccess” and “.htpasswd”.
The challenge category, “Guessing”, also indicates that solving it will involve various tests and judicious assumptions.
Let’s analyze the statement:
- The creator of the protected website is called “Julien Ducul”, so the login is certainly his first name, his last name, or a combination of both.
- This gentleman has a dog named “Rex”. It is not uncommon for people to use the name of their pet as a password.
- Other information of interest: the dog is 5 years old! Thus, he was born in 2011 :)!
All that remains is to try some candidate logins and passwords…
Series of logins:
julien Julien ducul Ducul julien.ducul Julien.Ducul jducul
Series of passwords:
Rex rex 2011Rex 2011rex Rex2011 rex2011
And the right combination:
- Login : jducul
- Password : rex2011
From there, a “flag.txt” file is available, containing the flag.
Flag : ndh2k16_68a3fhosqahxdxc
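The weakness behind this challenge is a password assembled from facts anyone can read about the owner. As an added example (not part of the original write-up or of the challenge), here is a Python check a site could run when a password is chosen, rejecting passwords that are nothing more than profile words and derived years; the function names, the 3-character minimum token length and the 2-character filler allowance are assumptions.

```python
# Added example, not from the original write-up. Names and thresholds are assumptions.
import re

MIN_TOKEN_LEN = 3  # assumption: shorter fragments match too much by accident


def context_tokens(facts, ages=(), current_year=2016):
    """Lower-cased words and years an outsider can read off the owner's profile."""
    tokens = set()
    for fact in facts:
        tokens.update(w for w in re.split(r"[^a-z0-9]+", fact.lower())
                      if len(w) >= MIN_TOKEN_LEN)
    for age in ages:
        # "5 years old" points at a birth year; also cover a birthday not yet passed.
        for year in (current_year - age, current_year - age - 1):
            tokens.add(str(year))
    return tokens


def is_guessable(password, tokens, max_filler=2):
    """True when the password is context tokens plus at most max_filler other chars."""
    rest = password.lower()
    for tok in sorted(tokens, key=len, reverse=True):  # strip longest tokens first
        rest = rest.replace(tok, "")
    return len(rest) <= max_filler


# Constructed sample: the facts given in the challenge description.
PROFILE = context_tokens(["Julien Ducul", "Rex"], ages=[5], current_year=2016)

if __name__ == "__main__":
    for candidate in ["rex2011", "Rex", "jducul", "2011Rex!", "v9#Lq-tram-Okapi"]:
        verdict = "reject" if is_guessable(candidate, PROFILE) else "accept"
        print(f"{candidate!r}: {verdict}")
```

The check needs the plaintext, so it belongs at the point where the password is set, before it is hashed into the “.htpasswd” file.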
Thank you to all the team of the NDH2K16 for this event and for the whole organization!
Greetings to nj8, St0rn, Emiya, Mido, downgrade, Ryuk@n and rikelm // Gr3etZ