Time to take a break from CTFing and browse some forums instead!


When we visit the link, we encounter a forum website. Since the registration is closed and we cannot create a new account, I decided to visit the threads on the forum.

First, I found a thread as “I found this weird thing in the forum database” which is created by DipMarmalade56, who is one of the Site Admins. The post contains the following:

Now, we have the sha256 hashes of user passwords from the database. Let’s continue viewing other threads.

There is another thread as “How do you come up with new passwords?” and this thread contains some suggestions from Site Admins. Let’s look at their suggestions one by one.

DipMarmalade56 says:

ShortenedSoap says:

xXelephantgumXx says:

Also, their signatures say that each admin has a part of the flag. The first, second, and third part of the flag are belong to DipMarmalade56, xXelephantgumXx, and ShortenedSoap respectively.

In order to get the whole flag, we need to crack these 3 Site Admin’s passwords. Let’s start with DipMarmalade56 since he has the first part.

This one is quite simple. We just need a list of common American names. I just merged 300 popular male names and 300 popular female names to create a list of common names and applied a wordlist attack.

Here is the script for the first part:

Let’s run the script and crack password.

After logining into forum as DipMarmalade56, we get the first part of the flag.

Let’s move on to our second target, xXelephantgumXx.

This guy picks sentences from song lyrics and pick the first letter of each word as his passwords. We know that he is a huge fan of Disturbed. I decided to write a script that crawls a lyrics website to find all song lyrics of Disturbed. However, the page I visited didn’t show the whole list of songs until I scrolled down on the browser. Instead of trying to solve this issue in the code, I decided to save the fully loaded html page on my computer.

Now, the hardest part is detecting sentences, because lyrics generally does not contain punctuations. Therefore, I first tried creating passwords from each line. Then, I tried creating passwords from every two lines. Finally, I tried creating passwords from every three lines and it worked.

Here is the script for this part:

Let’s execute the script to get the password of xXelephantgumXx.

Let’s login and get the second part of the flag.

Now, we are moving on to the final part.

We know that our last target picks random words and changes one letter to a digit, then append a random symbolic character. We can simply find a list of English words. Then, we can create rules for hashcat to perform the attack. I used this list for the challenge.

Here is the python script I used to create changeLetter.rule file:

Next, I used maskprocessor to create appendSymbol.rule file:

Let’s run hashcat and get the password.

Finally, we can login into forum as ShortenedSoap and get the last part of the flag.

The flag is SaF{2b5a62e80b_Awoke_To_Discover_My_Passwords’_Been_Cracked_72faca30}.