Crack the hash writeup [thm]

Cracking hashes challenges

Crack the hash is an easy challenge from THM. This time the challenge is at least somewhat related to crypto[1], yay! Every elite hax0r must know how to crack them hashes so I thought it would be a good idea to brush up my skills on this topic.

Level 1

Can you complete the level 1 tasks by cracking the hashes?

48bb6e862e54f2a795ffc4e541caed4d

This looks like a plain old MD5. We could try to crack it locally on our machine using CPU/GPU power but it's a lot faster and simpler to use an online service such as CrackStation.

We just submit the hash and prove that we are not a robot and we get:

Hash                              Type  Result
48bb6e862e54f2a795ffc4e541caed4d  md5   easy

(this is the only answer provided in this post)

CBFDAC6008F9CAB4083784CBD1874F76618D2A97

A hash is just a string of characters and before we even can attempt to crack it we must know what algorithm was used to produce the hash. This is not always obvious and there are many, many different hashing algorithms in use out there.

We can use various tools to help us identify hashes. For this particular challenge I used hashID but in hindsight I should maybe have used hash-identifier instead but I couldn't remember the name of it at the time. 🙃

There are also some adequate online tools well suited for this task.

Let's analyze CBFDAC6008F9CAB4083784CBD1874F76618D2A97 with hashID:

$: hashid "CBFDAC6008F9CAB4083784CBD1874F76618D2A97"
Analyzing 'CBFDAC6008F9CAB4083784CBD1874F76618D2A97'
[+] SHA-1 
[+] Double SHA-1 
[+] RIPEMD-160 
[+] Haval-160 
[+] Tiger-160 
[+] HAS-160 
[+] LinkedIn 
[+] Skein-256(160) 
[+] Skein-512(160) 

It's most likely SHA-1 which is supported by CrackStation so let's give that a shot:

CrackStation:

Hash                                      Type  Result
CBFDAC6008F9CAB4083784CBD1874F76618D2A97  sha1  [REDACTED]

1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

My knee jerk guess would be SHA-256. Let's see:

$: hashid "1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032"
Analyzing '1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032'
[+] Snefru-256 
[+] SHA-256 
[+] RIPEMD-256 
[+] Haval-256 
[+] GOST R 34.11-94 
[+] GOST CryptoPro S-Box 
[+] SHA3-256 
[+] Skein-256 
[+] Skein-512(256) 

It's probably SHA-256.

Back to CrackStation:

Hash                                                             Type   Result
1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 sha256 [REDACTED]

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

My guess is bcrypt.

$: hashid "\$2y\$12\$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom"
Analyzing '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt 

Maybe it's bcrypt, maybe not?

Hint:

A lot of tools will attempt to identify this as bcrypt and, well, that's not exactly right. Bcrypt is often cited (at this time) as being very difficult to crack. Try some other formats that start with the letter b, you'll see them in the suggested hash types

So it's probably Blowfish then.

To crack this hash I used OnlineHashCrack.com, which lets you submit hashes. They test them against some lists and send you an email if they find something; if not, you can pay them hard cash to try harder.

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom  bcrypt  Normal  Found   4   [REDACTED]

279412f945939ba78ce0758d3fd83daa

This is slightly harder.

$: hashid "279412f945939ba78ce0758d3fd83daa"
Analyzing '279412f945939ba78ce0758d3fd83daa'
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 

It could be any of the above. Let's have a look at the hint provided for this question.

Hint:

md4

Alright, that makes it easy!

CrackStation:

Hash                                Type    Result
279412f945939ba78ce0758d3fd83daa    md4     [REDACTED]

Level 2

This task increases the difficulty. All of the answers will be in the classic rock you password list.

You might have to start using hashcat here and not online tools. It might also be handy to look at some example hashes on hashcats page.

I'm not very good with hashcat but let's give it a try.

F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

$: hashid "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85"
Analyzing 'F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85'
[+] Snefru-256 
[+] SHA-256 
[+] RIPEMD-256 
[+] Haval-256 
[+] GOST R 34.11-94 
[+] GOST CryptoPro S-Box 
[+] SHA3-256 
[+] Skein-256 
[+] Skein-512(256) 

My guess is that it's probably SHA-256. Under this assumption we look up the Hash-Mode code of SHA-256 on hashcat's example page, where we find that:

sha-256 hashcat Hash-Mode = 1400

Then we run:

$: hashcat -a 0 -m 1400 "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85" /usr/share/wordlists/rockyou.txt

The full output is too long to paste in here but some of the more interesting stuff:

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA2-256
Hash.Target......: f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f...2d0c85
Time.Started.....: Sun May  9 22:10:31 2021 (0 secs)
Time.Estimated...: Sun May  9 22:10:31 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   213.0 kH/s (0.42ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 79872/14344385 (0.56%)
Rejected.........: 0/79872 (0.00%)
Restore.Point....: 77824/14344385 (0.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: superm -> Bulldog

Started: Sun May  9 22:10:03 2021
Stopped: Sun May  9 22:10:33 2021

It took about 30 seconds on my Kali VM running on my old crusty host machine.

To get the desired result we run:

$: hashcat -a 0 -m 1400 "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85" --show
f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f640fccc2d0c85:[REDACTED]

1DFECA0C002AE40B8619ECF94819CC1B

$: hashid "1DFECA0C002AE40B8619ECF94819CC1B"
Analyzing '1DFECA0C002AE40B8619ECF94819CC1B'
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 

We need a hint.

Hint:

NTLM

NTLM has Hash Mode code 1000 so we run:

$: hashcat -a 0 -m 1000 "1DFECA0C002AE40B8619ECF94819CC1B" /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NTLM
Hash.Target......: 1dfeca0c002ae40b8619ecf94819cc1b
Time.Started.....: Sun May  9 22:21:14 2021 (2 secs)
Time.Estimated...: Sun May  9 22:21:16 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3618.6 kH/s (0.16ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5240832/14344385 (36.54%)
Rejected.........: 0/5240832 (0.00%)
Restore.Point....: 5238784/14344385 (36.52%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: n6ri2fdkgm9y -> n36873687

Started: Sun May  9 22:21:12 2021
Stopped: Sun May  9 22:21:17 2021

To cash in:

$: hashcat -a 0 -m 1000 "1DFECA0C002AE40B8619ECF94819CC1B" --show
1dfeca0c002ae40b8619ecf94819cc1b:[REDACTED]

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Salt: aReallyHardSalt

Rounds: 5

$: hashid "\$6\$aReallyHardSalt\$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02."
Analyzing '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.'
[+] SHA-512 Crypt 

We look up the necessary hashcat info:

    1800    sha512crypt $6$, SHA512 (Unix)

... and, with the hash saved in a file named sha512crypt_hash, run hashcat to try to crack it against rockyou:

$: hashcat -m 1800 sha512crypt_hash /usr/share/wordlists/rockyou.txt

Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPM...ZAs02.
Time.Started.....: Sun May  9 22:50:57 2021 (1 hour, 1 min)
Time.Estimated...: Sun May  9 23:52:18 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      780 H/s (8.28ms) @ Accel:16 Loops:1024 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2831936/14344385 (19.74%)
Rejected.........: 0/2831936 (0.00%)
Restore.Point....: 2831904/14344385 (19.74%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4096-5000
Candidates.#1....: wakabachan -> wak3Board

Started: Sun May  9 22:50:56 2021
Stopped: Sun May  9 23:52:19 2021

This took quite some time to terminate on my computer.

Then:

$: hashcat -m 1800 sha512crypt_hash --show
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.:[REDACTED]
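
Unlike the bare hex digests earlier, the two `$`-prefixed hashes in this post carry their scheme and cost in the string itself. The following is an added example, not part of the original post or of hashID: a small parser (the `describe` function and its field names are hypothetical) that reads those fields and falls back to length-based candidates for raw hex.

```python
import re

# Raw hex digests carry no algorithm tag, so length only narrows the field.
# Candidate names are a subset of the hashID output shown in this post.
HEX_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "Double SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256", "RIPEMD-256"],
}

B64 = r"[./A-Za-z0-9]"  # alphabet used by crypt(3)-style encodings
BCRYPT = re.compile(rf"^\$(2[abxy]?)\$(\d{{2}})\$({B64}{{22}})({B64}{{31}})$")
SHA512CRYPT = re.compile(rf"^\$6\$(?:rounds=(\d+)\$)?([^$]{{1,16}})\$({B64}{{86}})$")


def describe(hash_string):
    """Return what can be read off a hash string without cracking it."""
    h = hash_string.strip()
    m = BCRYPT.match(h)
    if m:
        cost = int(m.group(2))
        # The cost field is a log2 work factor: 12 means 2**12 iterations.
        return {"scheme": "bcrypt", "variant": m.group(1), "cost": cost,
                "iterations": 2 ** cost, "salt": m.group(3)}
    m = SHA512CRYPT.match(h)
    if m:
        # Without an explicit rounds= field the scheme defaults to 5000 rounds.
        rounds = int(m.group(1)) if m.group(1) else 5000
        return {"scheme": "sha512crypt", "rounds": rounds, "salt": m.group(2)}
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in HEX_CANDIDATES:
        return {"scheme": "raw hex", "bits": len(h) * 4,
                "candidates": HEX_CANDIDATES[len(h)]}
    return {"scheme": "unknown"}


if __name__ == "__main__":
    # Hash strings copied from this post.
    for sample in (
        "279412f945939ba78ce0758d3fd83daa",
        "$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom",
        "$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be."
        "cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.",
    ):
        print(describe(sample))
```

The 5000 rounds reported for the `$6$` hash match the `Iteration:4096-5000` line in the hashcat status output above, and that per-guess cost is why this run managed 780 H/s where the NTLM run reached 3618.6 kH/s.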

e5d8870e5bdd26602cab8dbe07a942c8669e56d6

Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6

Salt: tryhackme

$: hashid "e5d8870e5bdd26602cab8dbe07a942c8669e56d6"
Analyzing 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6'
[+] SHA-1 
[+] Double SHA-1 
[+] RIPEMD-160 
[+] Haval-160 
[+] Tiger-160 
[+] HAS-160 
[+] LinkedIn 
[+] Skein-256(160) 
[+] Skein-512(160) 

So this is probably some form of SHA-1.

Hint:

HMAC-SHA1

Create a file named sha1hmac_hash with the contents:

e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme

HMAC-SHA1 has Hash-Mode 160 so we run:

$: hashcat -m 160 sha1hmac_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Session..........: hashcat
Status...........: Cracked
Hash.Name........: HMAC-SHA1 (key = $salt)
Hash.Target......: e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme
Time.Started.....: Mon May 10 00:45:33 2021 (6 secs)
Time.Estimated...: Mon May 10 00:45:39 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2253.1 kH/s (0.62ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12314624/14344385 (85.85%)
Rejected.........: 0/12314624 (0.00%)
Restore.Point....: 12312576/14344385 (85.84%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 48162450 -> 481101133

Started: Mon May 10 00:45:11 2021
Stopped: Mon May 10 00:45:39 2021

I was lucky and got the HMAC-SHA1 formatting right on the first try.

$: hashcat -m 160 sha1hmac_hash --show
e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme:[REDACTED]
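
The "formatting" that has to be right here is how the salt and the password are combined, since a 40-character digest looks the same either way. The following is an added example, not part of the original post: it uses the salt from the post with a made-up password and wordlist, and the function names and the three non-HMAC-key-salt labels are illustrative choices.

```python
import hashlib
import hmac


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def constructions(password, salt):
    """Four common ways a 40-hex digest can combine a password and a salt."""
    p, s = password.encode(), salt.encode()
    return {
        "HMAC-SHA1 (key = $salt)": hmac.new(s, p, hashlib.sha1).hexdigest(),
        "HMAC-SHA1 (key = $pass)": hmac.new(p, s, hashlib.sha1).hexdigest(),
        "sha1($salt.$pass)": sha1_hex(s + p),
        "sha1($pass.$salt)": sha1_hex(p + s),
    }


def find_construction(target_hex, salt, wordlist):
    """Return (word, construction) for the first match, or None."""
    target = target_hex.lower()
    for word in wordlist:
        for name, digest in constructions(word, salt).items():
            if hmac.compare_digest(digest, target):
                return word, name
    return None


# Constructed sample data: the salt is the one from this post, the password
# and wordlist are made up for the example (not the challenge answer).
SALT = "tryhackme"
WORDLIST = ["letmein", "example-pass-1", "hunter2"]
TARGET = hmac.new(SALT.encode(), b"example-pass-1", hashlib.sha1).hexdigest()

if __name__ == "__main__":
    print(find_construction(TARGET, SALT, WORDLIST))
    # The same password under the other three constructions gives unrelated
    # digests, so a run with the wrong layout exhausts the list with no hit.
    for name, digest in constructions("example-pass-1", SALT).items():
        print(f"{digest}  {name}")
```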

Conclusion

I think this was a fun challenge. Easy but fun. It would have been great if it ended with you having to crack some really obscure hash with weird parameters but you can't get everything.

It's good to be able to immediately recognize some of the more common hashes and likewise one should be comfortable with using at least the basic functionality of hashcat or john.

Hashing challenges are interesting since you have to use common sense but also be willing to take some chances. If your cracking attempt has been running for an hour you might have stumbled into a dead end, but it might also return the result the next minute. You can't be sure. Different hashing algorithms output similarly formatted strings, which can get you into trouble if you try to crack the hash using the wrong algorithm. It's an interesting topic; I just wish I had more computing power on my hands.

One obvious takeaway: don't try to crack hashes in a virtual machine (running on an old computer). It might work in a challenge like this where the hashes are designed to be easily cracked but doing this in the real world is not a good idea.


  1. “Crypto” means cryptography. Not that other thing.