
Password in A Haystack


One of our Time Machine developers decided to change their password manager. Unfortunately, during the exporting process, it seems the program messed up and didn't include the usernames and sites for each password. Now, they're locked out of the company GitHub and have too many passwords to reasonably check. All they remember is that it followed corporate policy. Can you help them recover their password?

Needle

We have credential_export.txt, a list of 25000 possible passwords, and PasswordPolicy.pdf.

The most notable part of the PDF is this table:

Let us filter the passwords using these rules, one grep per rule, each reading the previous step's output:

  • cat credential_export.txt | grep -v ' ' > nospace

  • cat nospace | grep -v ',' > nocomma

  • cat nocomma | grep -E '^(.*[^A-Za-z0-9]){3,}.*$' > special

  • cat special | grep -E '^(.*[A-Z]){4,}.*$' > capital

  • cat capital | grep -E '^(.*[a-z]){4,}.*$' > lower

  • cat lower | grep -E '^.{25,33}$' > length

  • cat length | grep -E '^.*[0-9].*$' > number

We end up with a single password g72$89Hsu(!haHasi-zx89yJKn218sH(
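The same filter as a single pass that counts each character class instead of chaining regexes. This is an added example, not part of the original write-up: the thresholds are read off the grep commands above, and the names `policy_filter` and `sample_candidates` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: one-pass equivalent of the grep chain.
# Thresholds are copied from the grep commands, not from the PDF table.

# policy_filter (hypothetical name): stdin = candidates, stdout = survivors.
policy_filter() {
    # LC_ALL=C keeps [A-Z] and [a-z] byte-exact; in some locales those
    # ranges overlap and the counts would be wrong.
    LC_ALL=C awk '
    {
        pw = $0
        if (index(pw, " ") || index(pw, ",")) next   # no spaces, no commas
        n = length(pw)
        if (n < 25 || n > 33) next                    # length 25 to 33
        # gsub returns the number of matches, so it doubles as a counter
        t = pw; upper   = gsub(/[A-Z]/, "", t)
        t = pw; lower   = gsub(/[a-z]/, "", t)
        t = pw; digit   = gsub(/[0-9]/, "", t)
        t = pw; special = gsub(/[^A-Za-z0-9]/, "", t)
        if (special >= 3 && upper >= 4 && lower >= 4 && digit >= 1) print pw
    }'
}

# Constructed sample input (not taken from credential_export.txt).
sample_candidates() {
    printf '%s\n' \
        'Abcd efgh IJKL 1234 !!! mnop' \
        'ABCDefghijklmnopqrstuvwxyz12,#$' \
        'ABCDefgh1234!!!' \
        'abcdefghijklmnopqrstuvwx12#$%' \
        'ABCDefghijklmnopqrstuvwx#$%!' \
        'ABCDefghijklmnopqrstuvwxyz12#!' \
        'AbCdEfGh1234#$%ijklmnopqrst'
}

sample_candidates | policy_filter
```

On the real export, run `policy_filter < credential_export.txt`; each sample line above fails exactly one rule except the last, which passes all of them.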
