mountain (web)

We are given a website that implements basic login and register functionalities. I don’t have any screenshots, but this challenge is:

  1. Register an account using an email with the domain
  2. Get a randomly generated password on the webpage
  3. Get the verification code from the email to verify the account
  4. After verifying the account, login to get flag

Since nobody would own a email, there would be no real way to get the verification code via email. However, the challenge provides the code used to generate the password and verification code.

function genpassverify($length = 10) {
$verify_code = mt_rand(1000000000,9999999999);
$acc_passwd = mt_rand();
return $acc_passwd.':'.$verify_code;

Here we see that the both the verification code and password are generated with the mt_rand function. Mersenne Twister is not a cryptographically secure RNG.

The verification code is used as the seed (mt_srand) to generate the password. Since we are already given the password, we just need to find the seed that makes mt_rand return this password.

And there’s a PHP mt_rand cracker that can be found at openwall/php_mt_seed.


First, I registered for an account, and got this:

Success! Hello noob3, your password is: 992416798
You need to activate your account first. Check your email for activation/verification link.

The link might look something like:

Then, I ran the cracker with my password:

$ ./php_mt_seed 992416798
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0x8c000000 - 0x8fffffff, speed 8699.3 Mseeds/s
seed = 0x8e119748 = 2383517512 (PHP 3.0.7 to 5.2.0)
seed = 0x8e119749 = 2383517513 (PHP 3.0.7 to 5.2.0)
Found 2, trying 0xfc000000 - 0xffffffff, speed 8289.9 Mseeds/s
Version: 5.2.1+
Found 2, trying 0xd4000000 - 0xd5ffffff, speed 80.7 Mseeds/s
seed = 0xd43450a0 = 3560198304 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xd43450a0 = 3560198304 (PHP 7.1.0+)
Found 4, trying 0xfe000000 - 0xffffffff, speed 80.0 Mseeds/s
Found 4

Then I verified my password at And finally logged in to get flag.

Success! Logged in. Keep this somewhere safe.