Dismiss Notice
Join Physics Forums Today!
The friendliest, high quality science and math community on the planet! Everyone who loves science is here!

Programming Riddle/Challenge (Timestamp/HMAC)

  1. Jul 24, 2011 #1
    I'm doing an online "hacking" challenge and I'm trying to get to the next level.

    On the current level, we're given the Caption "Think fast", asked the following question,

    "What is element x in the Fibonacci sequence, where element zero is 0?"

    Where x is randomly generated.

    When I compute the answer and submit it, it prompts me with another itteration of the question above (with a different value for x) and it says "Didn't answer fast enough". I've tried submitting answers as fast as I can with no avail, so there must be another way.

    If we view the source code of the page, we see the following:
    (I'm only going to post the portion I think is interesting/relevant)

    Code (Text):
    <form action="herecomes9.php" method="get">
      <input type="text" name="answer" />
      <input type="hidden" name="timestamp" value="1311528704" />
      <input type="hidden" name="number" value="274" />
      <input type="hidden" name="hmac" value="6d423e4405ceb79022662fbf5d1d2885c51b6ada2ad5e99500a3fbc4d0170b4fd9c7fd22af9a7e542617a5924586ca7e41860e17289120d1a899f1bcac007df3" />
      <input type="submit" value="Answer" />
    So my next idea was to edit the timestamp by changing the information contained in the url, like so

    (Just an example to explain my doing, may not match answer, timestamp, hmac listed above in code)

    http ://www.skullspace.net/2011/08-batman/herecomes9.php?answer=1&timestamp=1&number=1&hmac=e41bd1f9093a67b70ce9316b19abc1862ec35c5c0f746444d8018286bf19d9adb05a652c46b5de53b2d4fd6bfb2c1f848c8dc92a54e84d042953d6b48b30b0f9

    If I submit that into my browser, we are given the caption, "Don't try to be clever, the HMAC has to match the parameters you were given."

    This is where I'm stuck.

    Does anyone have any ideas or hints as to how I can proceed to the next level? Can I somehow make the HMAC match? Is there another way entirely?

    Thanks for the ideas/input/help!
  2. jcsd
  3. Jul 24, 2011 #2


    User Avatar
    Gold Member

    Not particularly my area of expertise, but if you haven't already maybe try and calculate a new HMAC hash using your new timestamp and the number as the key? Based on the length maybe it's HMAC-SHA512?
  4. Jul 25, 2011 #3
    How do I go about calculating the new HMAC hash, using the timestamp and number?
    Last edited: Jul 25, 2011
  5. Jul 25, 2011 #4


    User Avatar
    Gold Member

    The Wikipedia article has links to some implementations, as well as descriptions: http://en.wikipedia.org/wiki/HMAC

    I've never personally played around with HMACs before.
  6. Jul 25, 2011 #5


    User Avatar
    Gold Member

    This should do an HMAC with SHA-512 in Python:
    Code (Text):

    [B][COLOR="DarkOrange"]import[/COLOR][/B] hashlib
    [B][COLOR="DarkOrange"]import[/COLOR][/B] hmac

    key = [COLOR="SeaGreen"]'the string that is your key'[/COLOR]
    msg = [COLOR="SeaGreen"]'the string that is your message'[/COLOR]

    [B][COLOR="DarkOrange"]print[/COLOR][/B](hmac.new(key, msg, hashlib.sha512).hexdigest())
    I'm not sure what they're suing as the parameters for their HMAC. You'll want to play around with the answer, timestamp, and number.
Share this great discussion with others via Reddit, Google+, Twitter, or Facebook