TFI 002

The previous TFI Challenge was a bonus one. That means it was not one of the basic challenges, which are linked by an explicit URL.

This second challenge can be found on a page where one of the main characters in this amazing story hacks a gun. Basic challenges are related to hacking actions or strategies developed by the group of hackers we’re following in the comic.

When you follow that URL, you’ll find a code to redeem, instructions to connect remotely to a console using netcat, and the source code of the script that manages that console.

The console gives you three options:

  • Activate the special mode of the gun
  • Get admin privileges
  • Exit

By reading the code, you can tell it was written by a rookie developer, because it includes the encrypted password and decodes it to compare it with the user input.

You should never do that. Storing passwords in code is wrong, and being able to decrypt a password is also a mistake: you should use non-reversible (one-way) algorithms.
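The mistake described above next to its fix, as an added example that is not the challenge's own script. Base64 stands in for the script's encoding (the post does not show it), and the password, function names and PBKDF2 iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample. Base64 stands in for the challenge script's encoding,
# which the post does not show; the password is made up.
EMBEDDED_SECRET = base64.b64encode(b"constructed-sample-password")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def check_reversible(user_input: str) -> bool:
    """Weak pattern: decode the embedded secret, then compare."""
    return user_input.encode() == base64.b64decode(EMBEDDED_SECRET)


def recover_from_source() -> str:
    """What any reader of the source gets by repeating the decode step."""
    return base64.b64decode(EMBEDDED_SECRET).decode()


def make_record(password: str):
    """Enrolment: keep only a random salt and a one-way digest.
    The record belongs in a protected store, not in the script."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_hashed(user_input: str, salt: bytes, digest: bytes) -> bool:
    """Hardened pattern: hash the input, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", user_input.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("recovered from source:", recover_from_source())
    salt, digest = make_record("constructed-sample-password")
    print("stored record:", salt.hex(), digest.hex())
    print("correct input accepted:", check_hashed("constructed-sample-password", salt, digest))
    print("wrong input accepted:", check_hashed("guess", salt, digest))
```

With the hashed record there is no decode step to repeat: the script can still verify a login, but reading it no longer reveals the password.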

To solve this challenge, you just need to write a script or start an interactive Python session to decode the encrypted password the same way the original script does.

With that password, you can connect to the remote console and follow the instructions to catch the flag. Easy peasy.

See you in the next challenge.

Author: Javi López G.

Architect/developer, creative, seeker of new solutions and business models, constructive critic and ex many things
