DEF CON CTF Qualifier 2013 3dub 4 Writeup

The web page looks like this:

Admin Files

Login Here

You can view usernames.txt,

and the URL is

Guessing that the accesscode is some kind of hash of the file name usernames.txt, a quick test shows:

MD5 ("usernames.txt") = 60635c6862d44e8ac17dc5e144c66539

We can then view other files on this site by building a valid URL for each of them.

In this way, we can read getfile.php:

Acces granted to getfile.php!

    $value = time();
    $filename = $_GET["filename"];
    $accesscode = $_GET["accesscode"];
    // The access code is just the MD5 of the requested file name.
    if (md5($filename) == $accesscode) {
        echo "Acces granted to $filename!";
        // Seeding step implied by the write-up: rand() is seeded with the request time.
        srand($value);
        if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt')) == TRUE) {
            $data = file_get_contents($filename);
            if ($data !== FALSE) {
                if ($filename == "key.txt") {
                    // key.txt is only ever returned encrypted, under a key taken from rand().
                    $key = rand();
                    $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
                    echo base64_encode($cyphertext);
                } else {
                    echo nl2br($data);
                }
            } else {
                echo "File does not exist";
            }
        } else {
            echo "File does not exist";
        }
    } else {
        echo "Invalid access code";
    }
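The access-code check in getfile.php accepts md5($filename), a value any visitor can compute from the file name alone. As an added example (not the challenge's code), here is that check beside a keyed form using HMAC-SHA256; ACCESS_SECRET, the contents of ALLOWED and the function names are assumptions made for illustration.

```php
<?php
// Added example, not part of the challenge. ACCESS_SECRET, ALLOWED and the
// function names are hypothetical.

// Constructed demo value. In a deployment the secret is generated once with
// random_bytes(32) and stored outside the web root.
const ACCESS_SECRET = 'constructed-demo-secret';

// Files the endpoint is willing to serve (same idea as the in_array() check).
const ALLOWED = ['index.html', 'usernames.txt'];

// Weak form, as in getfile.php: the code depends on public input only.
function weak_code(string $filename): string
{
    return md5($filename);
}

// Hardened form: HMAC-SHA256 keyed with a secret the client never sees, so a
// valid code can only come from a link the server generated.
function issue_code(string $filename): string
{
    return hash_hmac('sha256', $filename, ACCESS_SECRET);
}

function check_code(string $filename, string $code): bool
{
    // Strict allow-list check first, so unlisted names never reach the MAC.
    if (!in_array($filename, ALLOWED, true)) {
        return false;
    }
    // hash_equals() compares in constant time and does no type juggling,
    // unlike the == comparison in the original check.
    return hash_equals(issue_code($filename), $code);
}

// The weak code is reproducible by anyone who knows the file name.
echo weak_code('usernames.txt'), "\n";

// A link the server issued for an allow-listed file.
var_dump(check_code('usernames.txt', issue_code('usernames.txt')));
// A code the visitor computed with md5(), as in the write-up.
var_dump(check_code('usernames.txt', weak_code('usernames.txt')));
// A file that is not on the allow-list, even with a correctly keyed code.
var_dump(check_code('key.txt', issue_code('key.txt')));
```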

There is also a key.txt, which can be viewed through this URL

Its content is

Acces granted to key.txt!


The encryption process can be seen in getfile.php.

So the way to solve this problem is to refresh the

and write a local PHP file containing

echo time();

This prints a timestamp, which you should use as the seed when generating the $key.

At that time, the encrypted key I got was


and the time was 1371387200.

We should search ±1000 around 1371387200.

So I wrote this piece of code:

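    <?php
    // Needs a PHP version with the same rand() and mcrypt as the server
    // (mcrypt was removed from PHP in 7.2).
    $data = base64_decode("TEu4LOi+D8CU/+fjK6RUj3CnBuqjfTYA8IgWPNXFEV3R1bDvGLwDA3+1Ew9tdrFqbjonjRUebZBXFL6LdP69wQ==");
    $i = 1;
    while ($i < 2000) {
        // Candidate timestamp in the window around 1371387200.
        $value = 1371387200 - 1000 + $i;
        srand($value);  // seed with the candidate time, as described above
        $key = rand();  // regenerate the key for that seed
        $plaintext = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
        echo $plaintext . "\n";
        $i++;
    }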

Run it on your own computer and use Command + F or Ctrl + F to find

The key is

You will see the key~