Code:
at least
more hints to follow if the 10 BTC is not taken by the time I get up tomorrow.
Topic: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas... SOLVED!! - page 13. (Read 13586 times)
December 25, 2012, 12:28:24 PM
Okay - I have 10 confirmations now and the BTC has not moved - so here is the first hint in regards to the line of the script that was changed:
more hints to follow if the 10 BTC is not taken by the time I get up tomorrow.
more hints to follow if the 10 BTC is not taken by the time I get up tomorrow.
December 25, 2012, 12:06:03 PM
I finally managed to shut it up! 
I'm now just checking the dictionary!
I'm now just checking the dictionary!Good stuff - first clue is coming soon (am getting tired)...
December 25, 2012, 12:03:23 PM
I have made a 1 Gb dictionary but I cant tell gpg to shut up and just check the passphrase 
it slows the whole process down
it slows the whole process downSorry am not an expert with GPG myself - but it does have a lot of options that you can't see from just the --help (try searching about that).
I finally managed to shut it up!
I'm now just checking the dictionary! December 25, 2012, 11:59:52 AM
I have made a 1 Gb dictionary but I cant tell gpg to shut up and just check the passphrase it slows the whole process down
it slows the whole process downSorry am not an expert with GPG myself - but it does have a lot of options that you can't see from just the --help (try searching about that).
December 25, 2012, 11:56:33 AM
I have made a 1 Gb dictionary but I cant tell gpg to shut up and just check the passphrase it slows the whole process down
it slows the whole process down December 25, 2012, 11:55:13 AM
Looks like 8 confirmations now - getting late here (it's midnight in Beijing) but first hint will be posted before I go to bed.
December 25, 2012, 11:47:22 AM
Fundamental thinking can solve chickens
FU/|/d@m3/\|t@l t|-|i/|/g C@/|/ $0lv3 <|-|icK3ns
FUCK is the password (the only capitolised letters)
FU/|/d@m3/\|t@l t|-|i/|/g C@/|/ $0lv3 <|-|icK3ns
FUCK is the password (the only capitolised letters)
Sure - at least I think you have got the point then.
December 25, 2012, 11:42:14 AM
BTW - 6 confirmations now (first clue coming soon)...
I already gave up, This isnt a riddle, This is scrypt math with missing variablesThis is a riddle
Thirty two white horses upon a red hill, first they stomp, then they chomp, and then they stand still, What are they?
Teeth
Fundamental thinking can solve chickens
FU/|/d@m3/\|t@l t|-|i/|/g C@/|/ $0lv3 <|-|icK3ns
FUCK is the password (the only capitolised letters)
December 25, 2012, 11:33:48 AM
BTW - 6 confirmations now (first clue coming soon)...
December 25, 2012, 11:30:29 AM
The problem is that i have nearly no idea what you want us to do!, It would appear that were supposed to collect a private key (I dont even know how to do that off by heart) by decrypting a 52^4 = 7311616 muiltiplied with the salt variants password, to get the private key wich allows us to collect the funds somehow?
This looks like not much more than a Bruting competition, Or a "write the best scrypt to crack this" competition.
I dont even know where to start!
This looks like not much more than a Bruting competition, Or a "write the best scrypt to crack this" competition.
I dont even know where to start!
Okay - the "riddle" part is to work out what I might have changed to the script that "lightly salts" the password and the "guess" is a four character password that was used before it was "lightly salted" and then hashed.
There is a point to all this (very much along the lines of a similar thread that Mike Caldwell did recently) about achieving security, although I think that my point is a little different.
Does that help at all?
December 25, 2012, 11:24:29 AM
Okay - I have sent 10 BTC to the following Bitcoin address:
1CpueVNsEWgEhGD44ymVNoksyFp9Eekec7
and the next piece of information is the private key for that address that has been GPG encrypted:
-----BEGIN PGP MESSAGE-----
-snip-
-----END PGP MESSAGE-----
Now the GPG public key and private key (encrypted of course) are as follows:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-snip-
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
-snip------END PGP PRIVATE KEY BLOCK-----
Now - let me just explain that I created this GPG public/private key pair on an older laptop (that is not able to connect to the internet) running a Live OS in which I used the following script with some not so very creative changes and a 4 character password (random non-dictionary with numbers and letters both upper and lower case) with the final hash of this password being used as the password for GPG...
#!/bin/bash
read -s -p "Password: " password
password="${password}+${password}=${password}${password}@L3AsT" # NOTE: this line was changed...
password=`echo $password | sha256sum`
password=`echo $password | awk -F ' ' '{ print $1 }'`
echo $password | xclip
echo Password hash is now on the clipboard...
Santa has loaded up that address with 10 BTC (and the funds won't be being moved by myself until at least until January 3rd 2013).
Happy holidays!
1CpueVNsEWgEhGD44ymVNoksyFp9Eekec7
and the next piece of information is the private key for that address that has been GPG encrypted:
-----BEGIN PGP MESSAGE-----
-snip-
-----END PGP MESSAGE-----
Now the GPG public key and private key (encrypted of course) are as follows:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-snip-
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
-snip------END PGP PRIVATE KEY BLOCK-----
Now - let me just explain that I created this GPG public/private key pair on an older laptop (that is not able to connect to the internet) running a Live OS in which I used the following script with some not so very creative changes and a 4 character password (random non-dictionary with numbers and letters both upper and lower case) with the final hash of this password being used as the password for GPG...
#!/bin/bash
read -s -p "Password: " password
password="${password}+${password}=${password}${password}@L3AsT" # NOTE: this line was changed...
password=`echo $password | sha256sum`
password=`echo $password | awk -F ' ' '{ print $1 }'`
echo $password | xclip
echo Password hash is now on the clipboard...
Santa has loaded up that address with 10 BTC (and the funds won't be being moved by myself until at least until January 3rd 2013).
Happy holidays!
The problem is that i have nearly no idea what you want us to do!, It would appear that were supposed to collect a private key (I dont even know how to do that off by heart) by decrypting a 52^4 = 7311616 muiltiplied with the salt variants password, to get the private key wich allows us to collect the funds somehow?
This looks like not much more than a Bruting competition, Or a "write the best scrypt to crack this" competition.
I dont even know where to start!
December 25, 2012, 11:10:31 AM
@_@ this is too hard i dont even..... Whaa?
What exactly is the problem (I will help out and will give hints to make it easier in time - understand that this 10 BTC is intended to be given away)?
December 25, 2012, 11:04:04 AM
@_@ this is too hard i dont even..... Whaa?
December 25, 2012, 10:47:47 AM
BTW - if anyone has managed to work out the IP address I am using here it won't help you as the only information on this computer related to this challenge is what I put in the OP.
December 25, 2012, 09:09:20 AM
Well - in the festive spirit - who cares if I made a stupid mistake - have at it anyway (10 BTC charged up)!!!
December 25, 2012, 09:07:15 AM
52^4 = 7311616 tries to guess password. Times the salt variants.
I really can't see this taking long. But I guess the salt word could be very long.
I don't have the skill set but I expect someone who's all up on HashCat can do this pretty quick.
I really can't see this taking long. But I guess the salt word could be very long.
I don't have the skill set but I expect someone who's all up on HashCat can do this pretty quick.
December 25, 2012, 08:24:43 AM
Am waiting for at least a comment from someone with some crypto skills before I load up the address - but the only likely change might be to increase the password length from 4 to 5 (in which case the Bitcoin address and GPG message holding the private key will need to be changed).
If no-one has claimed the reward within an hour of me charging up the address I will give a hint (and more will follow until it is claimed).
If no-one has claimed the reward within an hour of me charging up the address I will give a hint (and more will follow until it is claimed).
December 25, 2012, 08:13:39 AM
I got the high level idea of what is going on, just not the exact thing. To be able to recreate it I need to rewrite in in some high level programming language (I'll probably take C#) so I need to understand it.
1. read -s -p "Password: " password
What does this do?
1. read -s -p "Password: " password
What does this do?
No worries - that just lets the end-user type in a password (but so it can't be seen from the console) - this is where the 4 char password was typed.
2. password="${password}+${password}=${password}${password}@L3AsT" # NOTE: this line was changed...
Does this duplicate the key or something? So your 4 char password turns into a 8 char one? If not, what the hell does this do? (I got L3AsT is the input)
Does this duplicate the key or something? So your 4 char password turns into a 8 char one? If not, what the hell does this do? (I got L3AsT is the input)
If the password was "test" (and it isn't) then you would get:
test+test=testtest@L3AsT
4. password=`echo $password | awk -F ' ' '{ print $1 }'`
This is your AWK explanation I guess?
This is your AWK explanation I guess?
Yup - just strips out trailing crap after the actual hash.
6. Where is the salt? May be somewhere in (2)?
Indeed - the password is not being heavily salted - just lightly salted according to a little creative string manipulation.
December 25, 2012, 08:08:42 AM
I got the high level idea of what is going on, just not the exact thing. To be able to recreate it I need to rewrite in in some high level programming language (I'll probably take C#) so I need to understand it.
1. read -s -p "Password: " password
What does this do?
2. password="${password}+${password}=${password}${password}@L3AsT" # NOTE: this line was changed...
Does this duplicate the key or something? So your 4 char password turns into a 8 char one? If not, what the hell does this do? (I got L3AsT is the input)
3. password=`echo $password | sha256sum`
This one I got
4. password=`echo $password | awk -F ' ' '{ print $1 }'`
This is your AWK explanation I guess?
5. echo $password | xclip
This copies it to the clipboard (so useless for me)
6. Where is the salt? May be somewhere in (2)?
1. read -s -p "Password: " password
What does this do?
2. password="${password}+${password}=${password}${password}@L3AsT" # NOTE: this line was changed...
Does this duplicate the key or something? So your 4 char password turns into a 8 char one? If not, what the hell does this do? (I got L3AsT is the input)
3. password=`echo $password | sha256sum`
This one I got
4. password=`echo $password | awk -F ' ' '{ print $1 }'`
This is your AWK explanation I guess?
5. echo $password | xclip
This copies it to the clipboard (so useless for me)
6. Where is the salt? May be somewhere in (2)?
December 25, 2012, 08:00:56 AM
Could you please comment your code (script)?
The one comment is the only part that was changed - but what exactly else can I help explain about it?
(it just adds some salt to a password then SHA256 hashes it and puts that hash onto the X clipboard - if you're wondering about the AWK bit that is just to get rid of the trailing " -" from sha256sum)
Jump to: