Little quiz and bruteforce

Little quiz and bruteforce

Friend is in college, studying Computer Science. His professor from Programming Classes gives a little quizes 24 hours before big tests.

So I tried one quiz and succeeded in less than 2 hours. Yey!

Description of the quiz

There is 7z archive packed using password.

The starting password was:


But, to not things be too easy, the password was hashed/encrypted/encoded by these five functions:

  • SHA1
  • ROT13
  • BASE64
  • MD5
  • SHA3 (Keccak) (256bit)

It was encoded five times, but you need to guess an order and which functions were used. Some of them might not be used at all.

5 functions, random order, random usage – so we need permutations with repeated items.

What to do?

As I counted, its only 3905 possibilities, so we can hack this using brute-force.

First, lets write function which checks if password is correct:

function checkPassword($password, $file) {
    exec('7z e -y -p'.$password.' '.$file, $output);
    if(!strstr($output[6], 'Wrong password')) {
        return true;
    return false;

It will run 7z program via shell, and check if we don’t have Wrong password message on line 6. I tested it with my own packed archive.7z (I have used password AAA, you can check it in repo).

Okey then, lets find some usefull code for our permutations, I found it on Google

function permutations($arr,$n)
    $res = array();
    foreach ($arr as $w)
        if ($n==1) $res[] = $w;
            $perms = permutations($arr,$n-1);
            foreach ($perms as $p)
                $res[] = $w." ".$p;
    return $res;

function get_all_permutations($words=array())
    $r = array();
        $r = array_merge(permutations($words,$i),$r);
    return $r;

It just works so I won’t go into details.

We have all available permutations in an array now which looks like this:

base64_encode sha1 str_rot13 md5 sha3
str_rot13 base64_encode sha1 md5 sha3
base64_encode str_rot13 sha1 md5 sha3
sha1 str_rot13 md5 base64_encode sha3
str_rot13 sha1 md5 base64_encode base64_encode

So, we need helper function which will encode our starting password with provided functions:

function hashPassword($funcs, $password) {
    $ff = explode(' ', $funcs);
    foreach($ff AS $function) {
        if($function == 'sha3') {
            $password = call_user_func($function, $password, 256);
        } else {
            $password = call_user_func($function, $password);
    return $password;

As you can see, for SHA3 I used special parameter to say that I need only 256bit password. (as quiz said)

Then, we just need to put everything into foreach statement!

$file = './Kolokwium2013.7z';
$password = '6DWHPPmVJ2X4WayJFxmAGJf8';

$hashingFunctions = array('sha1', 'str_rot13', 'base64_encode', 'md5', 'sha3');

echo 'Let\'s start'."\n";
$permutations = get_all_permutations($hashingFunctions);
echo 'Available combinations: '.count($permutations).''."\n";
$i = 0;
foreach($permutations AS $funcs) {
    $hashedPass = hashPassword($funcs, $password);
    if(checkPassword($hashedPass, $file)) {
        echo $i.': Correct password: '.$hashedPass."\n";
        echo 'Functions used in this order: '.$permutations[$i]."\n";
    } else {
        echo $i.': Checked "'.$hashedPass.'"'."\n";

And after 20 minutes on my MacBook I got that permutation 2234 was correct one and functions used were

base64_encode str_rot13 md5 sha1 sha3

As you can easily check, correct password is:



It was nice fun to play with it, unfortunatelly I haven’t helped anyone.

All sources are available on GitHub