Crack The Hashes CTF, TryHackMe Write up

Pol8y
Feb 15, 2021

Here I am writing my first (hopefully of many) write-up for the infamous Crack The Hashes CTF. Note that most of the work here could have been done with Crackstation, but I preferred to go with hashcat for a deeper dive into the tool’s capabilities.

Also, for ease of use I copied both my hashes and my password lists to the Desktop folder, so if you’re using different locations you will have to change that accordingly!

Let’s start:

Tools:

Task 1.1:

Hash: 48bb6e862e54f2a795ffc4e541caed4d

Let’s try to identify it with hash-analyzer (tool2):

Ok, MD5 or MD4, let’s go with hashcat --help | grep md5

As you can see, grepping md5 returns ($pass.$salt), but we have no salt here, so I tried grepping MD5 instead in search of a better result, and there it is! Raw Hash, that’s what we’re looking for, so let’s go for it with hashcat -m 0 (-m being the mode switch):

There it is! easy!

Password: easy

Task 1.2:

Again, we’ll begin with hash-analyzer:

Then we’ll proceed to find the right mode by grepping hashcat --help for SHA1:

Seems a good start, Raw Hash unless we have a salt:

There again we found it:

Password: password123

Task 1.3:

same as always:

Password: letmein

Let’s go! next one!

Task 1.4:

Mmm, that looks odd, Bcrypt? God please no! Bcrypt with a cost of 12?? This is going to go just bad! Let’s look at the hints this time:

Ok, so a little rest here, not Bcrypt, but what then???

I must confess, I spent more than 2 days on this task, let me explain:

  1. I tried everything, every format other than Bcrypt that starts with b, no success! WTF TryHackMe?
  2. I asked mods on TryHackMe Discord about this and yeah, the hint is 100% misleading; they’re on their way to fixing it.
  3. Finally I tried Bcrypt, let’s see how it went:

WHAT??? 3 days? nono, that can’t be correct, let me tune my VM and then..:

I need to speed it up! Let’s add a total of 20 CPUs to my VM, with the workload profile pushed to nightmare with -w 4, attack mode -a 0, and device switch -D 1,2!

Let’s run my final ultra tuned 20 CPUs hashcat script (DO NOT RUN IT ON YOUR PC, IT MAY MELT! seriously)
hashcat -a 0 -D 1,2 -w 4 -m 3200 hash.txt rockyou.txt (again do not run)

LOL, 2 days & 12 hours. Not Good!

I must confess that I ran this script for 1 day 19 hours before being able to crack this, and my PC wasn’t happy about it at all! Also, because I have a very good cooling system and a very good processor, I was able to run this script without destroying my computer. BUT this might not be the case on yours, so be very careful about what you do!

So, how do we solve this task?

Here’s how: let’s start by cheating a bit and assume we know the length of the password (we do know, but yeah, this feels a lot like cheating to me), and that we know rockyou.txt contains our password (I actually know it, it cost me 2 years of my CPU’s life expectancy).

We know our password is 4 characters long, so let’s extract every 4-character word from rockyou.txt:

We’ll do this by catting rockyou.txt and piping it into grep -E '^.{4}$' in order to extract all and only the lines that contain a 4-character word, then write those words to a new file:

cat rockyou.txt | grep -E '^.{4}$' > shortenedrockyou.txt

ok now, let’s use this new file as our password-list:

Wow! See? From more than 2 days to just a few minutes! Let’s wait for it to finish:

Here it is! bleh ! F*** Y** M***** F*****!!!

Password: bleh

sorry, sorry… keep it civil. OK! TASK 1.4 DONE!!!

Task 1.5:

back to the routine:

Again, either MD5 or MD4

Let’s try MD5 first:

Exhausted, that’s a no. Now MD4 just to be sure:

Again, no. We’re now pretty sure that rockyou.txt doesn’t contain our password. Let me try with a custom list:

Oh, found, but this is a custom list, how can we reproduce it? Let’s try some OSINT, Crackstation:

Heh!! here it is, a lot of work just to learn something new!

Password: Eternity22

LEVEL 2!

Task 2.1:

Here, an easy one:

Password: paule

Task 2.2:

ok, here’s a tricky one:

MD5, MD4, which one? None of them. Try them both on your own, but for the purposes of this write-up we’ll move on. Let’s look at the hint:

NTLM, grep it!

And go!

Password: n63umy8lkf4i

Task 2.3:

another tricky one:

Unknown Hash, mmm… move to a different site to see if we can get it:

MMM, better now, back to the routine:

Here we have 3 possible candidates, but the one that looks best seems to be the last (notice the $6$??), so let’s try -m 1800:

there we go,
Password: waka99

Task 2.4:

Again a tricky one; I wasted an enormous amount of time on it, so to help you I will leave here the right format for the hash, nano it into your file:

e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme

SHA1? After trying everything it just doesn’t seem right. I suggest you go on and try it yourself, but for the purposes of this write-up let’s look at the hint:

OK, go on:

Got it!

Password: 481616481616
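
The identification step repeated in each task above, as an added example (not the author's code): a small Python classifier that maps a hash line's format to candidate hashcat modes, showing why a 32-hex digest is ambiguous between MD5, MD4 and NTLM and where the bcrypt cost sits in the string. The bcrypt and sha512crypt samples are constructed, and the salted-SHA1 entry only lists candidate modes; it does not say which one Task 2.4 uses.

```python
import re

# Candidate hashcat -m modes by raw hex digest length (see `hashcat --help`).
HEX_CANDIDATES = {
    32: [(0, "MD5"), (900, "MD4"), (1000, "NTLM")],
    40: [(100, "SHA1")],
    64: [(1400, "SHA2-256")],
    128: [(1700, "SHA2-512")],
}
# For a 40-hex "hash:salt" line the mode depends on how the salt is combined.
SALTED_SHA1 = [(110, "sha1($pass.$salt)"), (120, "sha1($salt.$pass)"),
               (150, "HMAC-SHA1 (key = $pass)"), (160, "HMAC-SHA1 (key = $salt)")]

BCRYPT = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHA512CRYPT = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")
HEX = re.compile(r"^[0-9a-fA-F]+$")

def candidates(line):
    """Return ([(mode, name), ...], note) for one line of a hash file."""
    line = line.strip()
    m = BCRYPT.match(line)
    if m:  # the two digits after the version tag are the log2 work factor
        cost = int(m.group(1))
        return [(3200, "bcrypt")], f"cost {cost}: {2 ** cost} key-setup iterations per guess"
    if SHA512CRYPT.match(line):
        return [(1800, "sha512crypt")], "salt embedded after $6$"
    digest, sep, salt = line.partition(":")
    if not HEX.match(digest):
        return [], "unrecognised format"
    if sep:  # hashcat expects salted hashes as hash:salt on one line
        if len(digest) == 40:
            return SALTED_SHA1, f"salted, salt={salt!r}"
        return [], "salted format outside this example's table"
    plain = HEX_CANDIDATES.get(len(digest), [])
    note = {0: "unrecognised format", 1: "single candidate"}
    return plain, note.get(len(plain), "ambiguous by length")

SAMPLES = {  # page hashes are verbatim; the two crypt strings are constructed
    "Task 1.1": "48bb6e862e54f2a795ffc4e541caed4d",
    "Task 2.4": "e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme",
    "bcrypt (constructed)": "$2y$12$" + "." * 53,
    "sha512crypt (constructed)": "$6$saltsalt$" + "a" * 86,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        modes, note = candidates(value)
        print(label, [f"-m {m} {n}" for m, n in modes], "|", note)
```

Each cost step doubles the work per guess, which is why the bcrypt task took days against the full list while the raw MD5 and SHA1 tasks finished almost immediately.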

Hope you find something helpful here! Seeya!
