Codemash CTF - 15 - P.A.L.M. Login
Hint
15 - P.A.L.M. Login ™
Folks at HOBO Authentication Systems implemented a new authentication system named P.A.L.M. Login
Prove that you can break it and find a pair of username and passcode to log on.
Approach
The login page contains a button and two inputs. When you put in text and hit the login button you get the text of nope
.
Looking at the javascript for the button click takes us to a function that does the following:
function checkEntries() {
var u = document.getElementById('puser').value;
var p = document.getElementById('ppass').value;
var used = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
var ok = false;
if (u === 'cavs') {
if (p > 0 && p.length == 10) {
ok = true;
for (i = 1; i <= 10; i++) {
var digit = p.charAt(i - 1);
var part = p.substring(0, i);
if (used[digit] != 0 || part % i != 0) {
ok = false
}
if (used[digit] == 0) {
used[digit] = 1
}
}
}
}
if (ok) {
document.location.href = 'palm_' + u + '_' + p + '.html'
} else {
alert('nope')
}
}
Looking at the code, the username needs to be cavs
and the password is a 10 digit number.
I started writing a brute force algorithm and trying to figure out the number that way, but I decided to see what I could find about the properties of the number.
It is a 10 digit number, where every digit is only used once and the first N digits must be divisible by N.
Plugging those requirements into google yield lots of results.
Our number is 3816547290. Put that in the form and it takes you a page named
palm_cavs_3816547290.html
With the text of:
Congrats!
cm18-zbIc-O4Zh-gmxl-r5J6