Password Check


We have a list of password hashes from De Monne Financial. For the most part, their users use pretty secure passwords. Check the list and see if any of these password hashes have been compromised using external sources. Submit the count of the hash that has been the most compromised along with the actual password. Submit the flag as flag{#_password}.

Link to List


Based on the challenge description the first “external source” that came to mind that could provide a “count of the hash that has been the most compromised” was Troy Hunt’s Have I Been Pwned service, specifically his Pwned Passwords. Troy provides a search service that will tell you how many times a provided password has been observed in his compromised credentials dataset.

import requests

# Load the SHA-1 hashes (one per line) and start every hash with a count of zero.
with open('hashes.txt') as f:
    hashes = {line.rstrip('\n').upper(): 0 for line in f}

for hash in hashes:
    # Pwned Passwords range API: only the first five hex characters of the SHA-1
    # are sent; the response lists every matching suffix with its breach count.
    r = requests.get(f'https://api.pwnedpasswords.com/range/{hash[:5]}')

    if r.status_code == 200:
        hits = r.text.splitlines()
        # Each response line is "<35-char suffix>:<count>"; match on our suffix.
        found = [i for i, data in enumerate(hits) if hash[5:] in data]
        if found:
            hashes[hash] = int(hits[found[0]].split(':')[1])
    else:
        print(f"{r.status_code} {r.reason}")

max_compromised = max(hashes, key=hashes.get)
print(f"{hashes[max_compromised]} {max_compromised}")

The script takes a couple of minutes to complete but eventually outputs the hash with the greatest “compromised count”, along with the count value.
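To show the k-anonymity lookup the script above relies on without touching the network, here is an added example (not the writeup author's code) that hashes a password, splits the digest into the five-character prefix and 35-character suffix, parses a constructed sample of a range response, and picks the most-compromised hash from a list. The `fetch_range` callable and the sample response body are assumptions made for the example; a real caller would pass a function that performs the HTTP request.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample of a Pwned Passwords range response body (not real data):
# one "<35 hex chars of SHA-1 suffix>:<breach count>" line per matching hash.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
6F6D0A3A6D5B7F3EBD9C8D2B0F1A2B3C4D5:55001
A3B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F:12
"""


def sha1_hex(password: str) -> str:
    """Pwned Passwords indexes plain (unsalted) SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def split_for_k_anonymity(digest: str) -> Tuple[str, str]:
    """Return (prefix sent to the API, suffix kept locally), upper-cased."""
    h = digest.upper()
    if len(h) != 40:
        raise ValueError("expected a 40-character hex SHA-1 digest")
    return h[:5], h[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Map each suffix in a range response to its breach count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def lookup_count(digest: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for one full digest; exact suffix match, 0 if absent."""
    prefix, suffix = split_for_k_anonymity(digest)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def most_compromised(digests: Iterable[str],
                     fetch_range: Callable[[str], str]) -> Tuple[str, int]:
    """Return (digest, count) for the hash with the highest breach count."""
    counts = {d.upper(): lookup_count(d, fetch_range) for d in digests}
    best = max(counts, key=counts.get)
    return best, counts[best]
```

Unlike the substring test in the script above, `lookup_count` matches the suffix exactly, so a suffix that happens to appear inside another line's count can never produce a false hit.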

$ python3

55001 C2577430D91716490DC5D33C20D901E008B696E7

A quick Google search for the hash provides me the plaintext password, ncc1701, making the completed flag, flag{55001_ncc1701}.
