Cookies (75 pts)

Solved by: sardinachanx, zookham

Problem:

My mom put a password on the cookie jar :(

Will you help me get a cookie?

Files:

cookie.jar

Hint:

She left something in the code for debugging purposes... maybe that will help?

Solution:

The .jar extension led us to use a java decompiler to recover the .java files. Reading the code yielded this interesting snippet -

private String url = "http://problems1.2016q1.sctf.io:25565/?";
...
MessageDigest digest = new MessageDigest.getInstance("MD5");
byte[] arr = digest.digest(new String(this.passwordField1.getPassword()).getBytes("UTF-8"));
String md5 = new BigInteger(1, arr).toString(16);
System.out.println(md5);
String answer = "fdf87a05e2169b88a8db5a1ebc15fa50";
if(md5.equals(answer)) {
  System.out.println("success! it's working!");
}

So we have the MD5 hash of the answer! Putting it into an MD5 database online gives us the password, "thisisaverystrongpassword". We then opened the jar and submitted the password and that gave us the flag.

FLAG: sctf{g3t_y0ur_h4nd_0ut_0f_my_c00k13_j4r!}