The page asks for a username and for the files to be downloaded. Downloading the flag is not allowed.
Submitting the form leads to another page with a download link and the password for the generated zip file. The generated files are all stored within the /tmp folder. Apache allows directory indexes on this folder, so sorting the contents by last modified shows Santa-data.zip and phpinfo.php from October.
# Sample passwords collected from the generated zip files
data = ["az8aK9eeLCz8", "a97xqbLet7ST", "mXP5yai7XPhT", "8aSA2B7LA7ZL", "pm8S4T5QrJgX", "3pKeVidjKExs", "qtd9XZ6xdCL3", "RmpZigCseLZX", "RHmLVdjhRTsL", "BhE8bqC7bGem", "QRfq3ueKbmBV", "9zAWHBYcxa6S", "4VFCPc5MBJ5B", "ku65AbCDVeJW", "wpDuRYZ3Yu89", "sKy9ZubXcxjk", "LiEhhJE9Bcv9", "rAvtpSDxgPsP", "WS2zUAKKwBM7", "VfTD5EmETAeC", "8wMfAbmdM3vL", "eDekq2xswSHR", "8rdhRdpM9qcu", "p2g7XzcLcusF", "WsiAVmFQfRcy"]

# Collect every distinct character: this recovers the alphabet the generator draws from
chrs = ""
for s in data:
    for c in s:
        if c not in chrs:
            chrs += c

# Print the recovered alphabet and its size
print("".join(sorted(chrs)))
print(len("".join(sorted(chrs))))
After that I wrote a small C++ program to generate a wordlist containing all passwords produced by the mt19937 algorithm (the generator used by PHP) with rising seeds.
Then I used zip2john to extract a hash from Santa's zip archive and used John the Ripper to brute-force the hash with the wordlist just generated. After some time john returned Kwmq3Sqmc5sA as the password for the zip file.
Decrypting the zip file and extracting flag.txt returns the flag: HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}.
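The wordlist step above, as an added C++ example (not the writeup's own program): it shows why a password derived from mt19937 seeded with a small value has a keyspace no larger than the seed range, so walking the seeds recovers it regardless of charset size or length. The charset and the modulo index mapping are assumptions, since the page does not show the PHP generator's source.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>

// Assumed charset (constructed for this example): alphanumerics without the
// confusable characters 0, 1, l, o, O and I. The writeup derives the real set
// from the sample passwords instead.
static const std::string kCharset =
    "23456789abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ";

// Derive a password from one mt19937 stream. std::mt19937 is the same
// generator core PHP's mt_rand() is built on; mapping outputs to characters by
// modulo is an assumption about the page's generator.
std::string passwordFromSeed(uint32_t seed, std::size_t length) {
    std::mt19937 mt(seed);
    std::string out;
    out.reserve(length);
    for (std::size_t i = 0; i < length; ++i) {
        out.push_back(kCharset[mt() % kCharset.size()]);
    }
    return out;
}

// Walk seeds 0..maxSeed and return the one whose stream yields `target`, which
// is the "rising seed" wordlist of the writeup collapsed into a direct search.
// Returns -1 when no seed in range matches.
long long recoverSeed(const std::string& target, uint32_t maxSeed) {
    for (uint32_t seed = 0; seed <= maxSeed; ++seed) {
        if (passwordFromSeed(seed, target.size()) == target) {
            return seed;
        }
    }
    return -1;
}

int main() {
    // Constructed victim: a 12-character password generated from seed 4242.
    // 56^12 possible strings, yet only 100001 candidates need to be tried.
    const std::string victim = passwordFromSeed(4242, 12);
    const long long seed = recoverSeed(victim, 100000);
    std::printf("password %s came from seed %lld\n", victim.c_str(), seed);
    return seed == 4242 ? 0 : 1;
}
```

The mitigation follows directly: a password generator must draw from a CSPRNG (PHP's random_int or random_bytes), not from mt_rand with a guessable seed.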