
timed 3 - quick question


ghost's Avatar
0 0

just wanted to know if the wordlist changes in timed 3…

i.e. can i just download the wordlist then find the md5 hashes and compare them to the given one? or do i have to convert the words at runtime?


clone4's Avatar
Perl-6 Wisdom Seeker
0 0

It doesn't change, but getting all the hashes would be a little time consuming, don't you think? Just encrypt all the passwords and compare them to the given one… Dunno what language you are using, but in code bank you can find Perl scripts I used to solve those


ghost's Avatar
0 0

Yeah, without being too language specific, you can either convert the hash the wordlist, then use that in your program, or have it all built in, but make sure to hash all the words before you make the request for the page, it saves time.


ghost's Avatar
0 0

well to be honest im using c++ but i have no idea how to interact with webpages :ninja: , but i wrote a program already that hashed the wordlist into a new file. so using that file im trying to write a PHP script.

I was thinking of using two arrays and one index counter. then just strcmp() the hasharray[i] and the one on the webpage and then using that index to get the plaintext. (i'm really new to PHP so i couldn't be bothered with associative arrays :( ). Having never used PHP before, do you think this will be efficient enough to find the plain text in the time limit?

ps. i wrote the c++ program to output PHP array declarations… so i have a PHP script with two 100 element arrays in it. So all the hard work is already done!

sorry im really bad at explaining stuff :(


ghost's Avatar
0 0

If you're using PHP try setting up an associative array for looking up a hash. So, before you connect to the webserver, open the wordlist and generate a hash for each word, using the hash as the key for each word in the associative array.

Then, later on when you're accessing the page, all you have to do is grab the hash, look it up in the associative array and post the answer.

PS. If you need help with associative arrays check out this guide, it is NOT as hard as you may think it is. Just consider them an array using a string as the index, rather than an integer. http://phpjournal.blogspot.com/2004/11/php-associative-arrays.html


richohealey's Avatar
Python Ninja
0 0

Just hash up the whole wordlist before you start, dump it in an array first, and then make the pull from the site, then you only need to compare the hash and pull it from an array.

Depending on what language you're in you can optimise this lookup process to varying degrees.


ghost's Avatar
0 0

Im sure richo will back me up here, python makes this dead easy, using a dictionary data structure, you can create entries in the format plaintext:hash, so you can compare the hashes and retrieve the plaintext with no hashing during the timed part. Im sure PHP has a similar data type. I'd give that a go.

gl

edit - By the looks of it those 'associative arrays' are the equivalent for PHP.


richohealey's Avatar
Python Ninja
0 0

That's it, jj.

Anyway, yeah, either approach will work.

I can't attest to it, but i'm told that a mixture of urllib2 and cookiejar makes this easy.

I decided to be a smartass and wrote my own http retriever, it was faster.


ghost's Avatar
0 0

Yeah I used urllib2 and cookiejar and once I wrote the request framework, I reused it for all the timed challenges. Naturally if you're not a python wizard like richo you wont be writing your own libraries :p. Would be interested to see them though richo, any chance of posting them on ure freewebs/code bank/PMing them to me?

cheers


ghost's Avatar
0 0

allright, thanks for the help guys. will let you know how it goes…

B)


Mouzi's Avatar
Member
0 0

Wait, you were supposed to hash the wordlist first and then compare? :D I added a MD5 function to my JavaScript when I did that challenge.


ghost's Avatar
0 0

All I gotta say is: "Dont look now your momma's got her boobs out. Showin everybody in town"-Rodney carrington. lol, man when it doesnt make sense take a break. So chill out and let the answer come.


ghost's Avatar
0 0

okay so forgive my lack of focus :P but i'm now writing it in greasemonkey and i've written it all and it works fine…but here's the thing. how the f**k do you search a webpage as if it's a string in javascript? That's the only part missing and then i can actually do all 4 challenges….

yeah so: can some one help me?

ps. me no likey python :P, beautifulsoup! say what?

edit - okay! so no one knows how one may handle a website as a string?


ghost's Avatar
0 0

What kind of hash is it?

Right now i md5.new, md5.update, and md5.digest, throw it all in a dictionary, and compare, but md5 sums have no alphanumeric characters, including null bytes, but these are just alphanumeric, am i doing the correct hash?

Thanks


ghost's Avatar
0 0

>>> from hashlib import md5
>>> md5('SwartMumba').hexdigest()
'b55a71963c5a1eed3dcd00f54576b80c'
>>> print 'or'
or
>>> import md5
>>> md5.new('SwartMumba').hexdigest()
'b55a71963c5a1eed3dcd00f54576b80c'
>>> 'b55a71963c5a1eed3dcd00f54576b80c'=='b55a71963c5a1eed3dcd00f54576b80c'
True
>>> 

ghost's Avatar
0 0

hah, added three characters 'hex' to my code and I got it on my first run.

I also got lucky with my internet speed and managed to get timed 1 in time.


Infam0us's Avatar
Member
0 0

K_I_N_G wrote: All I gotta say is: "Dont look now your momma's got her boobs out. Showin everybody in town"-Rodney carrington. lol, man when it doesnt make sense take a break. So chill out and let the answer come.

That's curious, why is your joined date and rank reversed?
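The approach the thread converges on, as an added example that is not any poster's code: hash the wordlist once into a hash-to-plaintext table, treat the fetched page as a single string, pull out the MD5-shaped token and look it up. The wordlist, the sample page and all function names are constructed for illustration; it also shows the digest() versus hexdigest() difference that came up above.

```python
import hashlib
import re

# Constructed sample data: not the challenge's real wordlist or page.
WORDLIST = ["apple", "banana", "cherry", "dragon", "SwartMumba"]
SAMPLE_PAGE = """<html><body>
<p>Find the plaintext for this hash:</p>
<b>{}</b>
</body></html>""".format(hashlib.md5(b"cherry").hexdigest())

# An MD5 hex digest is exactly 32 hex characters.
HEX_MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def build_lookup(words):
    """Hash every word once, up front: {hex digest: plaintext}."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}


def extract_hash(page_text):
    """Treat the page as one string and pull out the first MD5-shaped token."""
    m = HEX_MD5.search(page_text)
    return m.group(0).lower() if m else None


def solve(page_text, lookup):
    """Return the plaintext for the hash on the page, or None if unknown."""
    h = extract_hash(page_text)
    return lookup.get(h) if h else None


def digest_forms(word):
    """digest() is 16 raw bytes; hexdigest() is the 32-char text form pages show."""
    m = hashlib.md5(word.encode("utf-8"))
    return m.digest(), m.hexdigest()


if __name__ == "__main__":
    table = build_lookup(WORDLIST)      # done before any request is made
    print(solve(SAMPLE_PAGE, table))    # one dictionary lookup, no hashing here
    raw, hexed = digest_forms("cherry")
    print(len(raw), len(hexed))
```

Because the table is built before the page is fetched, the timed part costs one regex search and one dictionary lookup, which is also why unsalted MD5 of dictionary words offers no protection against precomputation.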