WhiteHacks 2025 | Brute-Force

Published on: March 22, 2025

3 min read · Posted by elitecollapsez

Challenge Details

Category: Web Exploitation
Difficulty: Medium
Competition: WhiteHacks 2025
Author: elitecollapsez
Description: Bruteforce login with forensics and hash cracking

Writeup

Challenge: Brute-Force
Category: Web
Description: A mysterious website has been discovered, but it seems like access is restricted. Rumors say that an account is hidden behind a weak password. If you manage to log in, you might find something interesting… or maybe "There's still nothing here!"

Can you break through all the layers of security and uncover the hidden flag?

Solution:
At first glance, the website says there is nothing here.
However, the challenge name itself gives a clue: the challenge likely involves brute-forcing a login system (“Rumors say that an account is hidden behind a weak password”). Hence, we can test out the /login endpoint.

This brings us to the login page. As brute-forcing is more commonly done against passwords, I dug for details on the username we would need to use and found it pretty quickly in the page source.

I then used the common and popular wordlist rockyou.txt and Python requests to brute-force the password. The code simply reads ‘rockyou.txt’, substitutes each entry as the value of the password key, and sends a request to the server each time.

This gives us the password ‘cassandra’ and a page that says ‘There’s still nothing here’. I was originally extremely confused and didn’t even notice the difference in wording from the original page, as it redirects you to the page you started from (the default page). But on re-reading the challenge description, it says that we will find something interesting or ‘There’s still nothing here’, which means this is an expected result. I thought all the work was in vain until I saw a small thing on the website: the text on the webpage turns out to be a link when clicked.

Motivated by being back on track, I unzipped the file to find three things: FLAG.7z, password and seasoning.

FLAG.7z likely stores the flag; password stores a SHA-512 hash with a missing salt, identifiable by its ‘$6$’ header; and seasoning, I guessed, stores the salt of the hash.

Password: $6$<missing_salt>$.3OhkCi1koz065p9geRlUbjTY0XoBAKbLZyMq3GQ7pqF8r4UrFJet2YCug64Nur4u3Hs8VN1lyXp8FnlYSJVk0

My first instinct was to put it into Aperi'Solve, but I couldn’t find anything (perhaps I was kinda blind). I then switched to just looking at the details of the image, which is just exiftool if I’m not wrong. The author field looked really suspicious because it’s not a normal author name, and its size looked like it could potentially be the salt, hence I tried it out.

I gave $6$4NAxfS9jXr6w6U8R$.3OhkCi1koz065p9geRlUbjTY0XoBAKbLZyMq3GQ7pqF8r4UrFJet2YCug64Nur4u3Hs8VN1lyXp8FnlYSJVk0 to my crypto teammate for some decrypting assistance and got ‘sage123’, which I used as the password to decrypt the zip file and got the flag.
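The ‘$6$’ header and the guess that the EXIF author value is the salt can both be checked against the crypt(3) modular format before any cracking is attempted. The parser below is an added example, not the author's code; the names parse_crypt, CryptHash, TEMPLATE and CANDIDATE_SALT are illustrative, and the two sample values are the ones quoted in this writeup.

```python
import re
from dataclasses import dataclass
from typing import Optional

# crypt(3) modular format: $id$[rounds=N$]salt$digest
# id -> (scheme name, max salt length, digest length in crypt-base64 chars)
SCHEMES = {
    "1": ("md5crypt", 8, 22),
    "5": ("sha256crypt", 16, 43),
    "6": ("sha512crypt", 16, 86),
}
CRYPT_B64 = re.compile(r"[./0-9A-Za-z]+")  # alphabet shared by salt and digest

@dataclass
class CryptHash:
    scheme: str
    rounds: Optional[int]  # None means the scheme's default round count
    salt: str
    digest: str

def parse_crypt(value: str) -> CryptHash:
    """Split and validate a modular-crypt string; raise ValueError if malformed."""
    parts = value.strip().split("$")
    if len(parts) < 4 or parts[0] or parts[1] not in SCHEMES:
        raise ValueError("unrecognised scheme prefix")
    name, max_salt, digest_len = SCHEMES[parts[1]]
    fields, rounds = parts[2:], None
    if fields[0].startswith("rounds="):
        rounds, fields = int(fields[0][len("rounds="):]), fields[1:]
    if len(fields) != 2:
        raise ValueError("expected exactly a salt field and a digest field")
    salt, digest = fields
    if len(salt) > max_salt or not CRYPT_B64.fullmatch(salt):
        raise ValueError(f"salt is not 1-{max_salt} crypt-base64 characters")
    if len(digest) != digest_len or not CRYPT_B64.fullmatch(digest):
        raise ValueError(f"digest is not {digest_len} crypt-base64 characters")
    return CryptHash(name, rounds, salt, digest)

# Values quoted in the writeup: the password file's content and the EXIF author string.
TEMPLATE = "$6$<missing_salt>$.3OhkCi1koz065p9geRlUbjTY0XoBAKbLZyMq3GQ7pqF8r4UrFJet2YCug64Nur4u3Hs8VN1lyXp8FnlYSJVk0"
CANDIDATE_SALT = "4NAxfS9jXr6w6U8R"

if __name__ == "__main__":
    parsed = parse_crypt(TEMPLATE.replace("<missing_salt>", CANDIDATE_SALT))
    print(parsed.scheme, len(parsed.salt), len(parsed.digest))
```

The candidate is exactly 16 characters from the crypt alphabet, the maximum salt length for sha512crypt, which is why its size stood out; the unfilled template is rejected because the placeholder contains characters outside that alphabet.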

Flag: WH2025{That_Wa5_3azy}
