Skip to content


Using the have i been pwned? API we wrote a program that will check every password hash provided and check how many times a certain password was compromised. After processing all the hashes, the program will check the most compromised hash and return the that hash and the number of times compromised.

The program is this:

import requests

# Read passwords hashes file
file = open("FL1R0jbn", "r")
lines = file.readlines()

hashes = []
# Strips the newline character 
for line in lines: 

host = ""
pwnedTimes = []
for hash in hashes:
    response = requests.get(f'{host}{hash[:5]}')
    foundHashesSuffixes = response.content.splitlines()
    found = False
    for foundHashSuffix in foundHashesSuffixes:
        if(hash[5:] in foundHashSuffix.decode()):
            print(f"Hash found! --> {hash}")
            num = foundHashSuffix.decode().split(':')[1]
            found = True
    if not found:

maxValue = max(pwnedTimes)
maxValueIndex = pwnedTimes.index(maxValue)
print(f'The most compromised password was compromised {maxValue} times')
print(f'The password hash is {hashes[maxValueIndex]}')

The output was:

Hash found! --> C2577430D91716490DC5D33C20D901E008B696E7
The most compromised password was compromised 55001 times
The password hash is C2577430D91716490DC5D33C20D901E008B696E7

Using crackstation we got the plain text password: ncc1701 Therefore, the flag is: