Crack the hash


Last updated 2 years ago

LEVEL 1

Crack:

48bb6e862e54f2a795ffc4e541caed4d
  • Since this is 32 characters long and only uses hexadecimal characters, it's a good sign that this is an older hash. I'm guessing MD5.

  • I run the following to crack the hash:

hashcat -m 0 48bb6e862e54f2a795ffc4e541caed4d rockyou.txt
  • This resulted in a successful crack of the hash.

  • I used the following to display the answer:

hashcat -m 0 48bb6e862e54f2a795ffc4e541caed4d rockyou.txt --show
  • This will display:

48bb6e862e54f2a795ffc4e541caed4d:easy

Crack:

CBFDAC6008F9CAB4083784CBD1874F76618D2A97
  • This hash is 40 characters utilizing hexadecimal characters.

  • A quick Google search shows it is most likely a hex-encoded hash value.

  • These tend to be older SHA hashing methods.

  • Fun fact, if you type the following, hashcat will attempt to determine the possible hashing algorithm used.

hashcat [hash]
  • Let's assume for now it is SHA1 meaning the flag -m will be set to 100:

hashcat -m 100 CBFDAC6008F9CAB4083784CBD1874F76618D2A97 [Path to Wordlist]
  • If successful, hashcat should be able to crack it. Next, run the following to see the solution:

hashcat -m 100 CBFDAC6008F9CAB4083784CBD1874F76618D2A97 [Path to Wordlist] --show

Crack:

1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
  • This hash appears to be a 64 character hexadecimal. Let's run it through hashcat to see what type it thinks it is.

hashcat 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
  • Looks like it's most likely SHA2-256, which has -m flag = 1400. We'll start with this one and work our way down if we have to.

hashcat -m 1400 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 [Path to Wordlist]
  • Looks like it worked. Run the following to see the unhashed text.

hashcat -m 1400 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 [Path to Wordlist] --show

Crack:

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
  • This one is interesting in that it is 60 characters and also looks to include Base64-encoded characters. Let's plug it into hashcat and see what it kicks back.

hashcat '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom'
  • Looks like it's not going to be that easy.

  • Let's do some googling to see what pops up.

  • Some quick google searching leads me to the possibility that this hash is most likely a product of the bcrypt algorithm.

    • After being hashed it was base64 encoded. So let's go ahead and start by decrypting the hash first from base64.

    • Let's start by updating the host machine:

sudo apt update
sudo apt upgrade
  • Next is to install base64 encoder/decoder if it is not already installed on your host machine.

sudo apt install base64
  • Once installed run the following:

echo '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' | base64 -d
  • Unfortunately, that kicked back nothing.

  • Let's head back to hashcat and see if we can dig up bcrypt in its list.

  • Let's give the first one a try with a -m flag of 3200. I had to first create a txt file that I put the hash into called hash.txt.

hashcat -m 3200 hash.txt [Path to Wordlist]
  • I waited for about 15 min and wasn't getting anywhere. When reviewing the material, it appears that this hash is extremely resource intensive and running it through the rockyou list would take a long time. I will instead try to set up a rule to only use 4 characters, since I can see on TryHackMe that that is how long the cracked hash is.

  • Two ways to do this. The first is by setting a rule with hashcat and running a bruteforce attack.

hashcat -a 3 -m 3200 hash.txt ?l?l?l?l
  • However, this will still take a really long time to crack. Therefore, the second option is to filter the rockyou wordlist for only passwords that are 4 characters long.

grep -E '^.{4}$' rockyou.txt > rockyou_4.txt
  • This keeps only the passwords that are exactly 4 characters long and writes them to a new password list. Then try cracking the hash with your new password list.

  • Save the hash to its own txt file and use that when cracking. This still took a few minutes but kicked back the following:

Crack:

279412f945939ba78ce0758d3fd83daa
  • This next one appears to be 32 characters and hexadecimal.

hashcat 279412f945939ba78ce0758d3fd83daa
  • To speed things up I know from the question prompt that the answer is 10 characters long. Therefore, let's filter the rockyou.txt file to only the 10 character passwords.

grep -E '^.{10}$' rockyou.txt > rockyou_10.txt
  • Let's start at the top of the list and see what we get:

hashcat -m 900 hash.txt rockyou_10.txt
  • Doesn't look like it is MD4 so I'll try the other ones out.

  • I tried the others but it doesn't look like anything is popping up. I decided to check out an online Hash Identifier which stated that it is an MD4 hash which should line up.

  • I'm going to try a brute force attack since I'm assuming it is MD4. I'm adding a rule to only use passwords with 10 characters.

hashcat -a 3 -m 900 hash.txt ?l?l?l?l?l?l?l?l?l?l
  • Okay that was dumb. If we assume the password is base64 and the password is 10 characters that would mean 64^10 which will take forever for my computer to crack.

  • Time to take a look at a hint, which was not helpful in the slightest because all it tells me is MD4 which I'm already using.

  • I'm going to back up and just run hashcat with the entire rockyou list and see what happens.

hashcat -m 900 hash.txt rockyou.txt
  • I feel dumb. When I went to go search online to see what the hash was, it also gave me the cracked hash.

LEVEL 2

Crack

F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
  • Start by running the hash through hashcat to see what algorithm was used.

  • Looks like it is most likely using SHA2-256, which has a -m flag of 1400.

hashcat -m 1400 F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 rockyou.txt

Crack

1DFECA0C002AE40B8619ECF94819CC1B
  • This hash is 32 characters and uses hexadecimal. I'm going to assume it is MD4 but will run it through hashcat to see.

  • Looks like it isn't MD4 or MD5. I ran it through an online engine to see what the algorithm is and it is kicking back that it is NTLM, which has a -m flag value of 1000.

Crack

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

Salt:

aReallyHardSalt
  • I first started by seeing if hashcat recognized the hashing but no luck.
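
The identification steps used throughout this page (length and character set for hex digests, the `$2y$` and `$6$` prefixes for the longer strings), as an added example that is not part of the original write-up. The `-m` values are the ones named on the page, except 1800 (hashcat's sha512crypt mode), which the page does not mention; the function and table names are made up for this sketch.

```python
import re

# Hex digests carry no type marker, so length only narrows the candidates.
# Values are (algorithm, hashcat -m mode), using the modes named on this page.
HEX_CANDIDATES = {
    32: [("MD5", 0), ("MD4", 900), ("NTLM", 1000)],
    40: [("SHA1", 100), ("HMAC-SHA1 (key = $salt), given as hash:salt", 160)],
    64: [("SHA2-256", 1400)],
}
# bcrypt: $2a/$2b/$2x/$2y, 2-digit cost, 22-char salt, 31-char digest. The
# alphabet is bcrypt's own ./A-Za-z0-9 variant and the "$" fields are plain
# text, so the string as a whole is not input for `base64 -d`.
BCRYPT = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# sha512crypt: $6$[rounds=N$]salt$digest, with an 86-char digest.
SHA512CRYPT = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./A-Za-z0-9]{86})$")


def identify(value):
    """Return [(algorithm, hashcat_mode, details), ...] for one hash string."""
    value = value.strip()
    m = BCRYPT.match(value)
    if m:
        cost = int(m.group(2))
        # Each guess costs 2**cost key-expansion rounds, hence the slow crack.
        return [("bcrypt", 3200, {"cost": cost, "rounds": 2 ** cost, "salt": m.group(3)})]
    m = SHA512CRYPT.match(value)
    if m:
        rounds = int(m.group(1)) if m.group(1) else 5000  # 5000 is the default
        return [("sha512crypt", 1800, {"rounds": rounds, "salt": m.group(2)})]
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return [(name, mode, {}) for name, mode in HEX_CANDIDATES.get(len(value), [])]
    return []


if __name__ == "__main__":
    # Hashes copied from this page.
    for h in (
        "48bb6e862e54f2a795ffc4e541caed4d",
        "CBFDAC6008F9CAB4083784CBD1874F76618D2A97",
        "$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom",
        "$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.",
    ):
        for name, mode, details in identify(h):
            print(f"{h[:16]:<16}  -m {mode:<5} {name} {details}")
```

For password storage this is the useful contrast: the unsalted hex digests fall to a wordlist in seconds, while the cost field in the `$2y$12$` string is what made the bcrypt run above take minutes even against a 4-character list.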

Crack

e5d8870e5bdd26602cab8dbe07a942c8669e56d6

Salt:

tryhackme
  • I started by running it through hashcat to identify it.

  • Since they have given me a salt I'm going to assume it is one of the hashes that includes a salt.

  • This one took me a little while. I was bouncing around trying to find the correct algorithm.

  • Eventually I looked at the hint for the question that pointed me towards HMAC-SHA1.

  • I did a quick search of the help menu for this:

hashcat --help | grep SHA1
  • Looks like the -m flag value will be 160 since we have a salt.

  • Therefore, I ran the following:

hashcat -m 160 -a 0 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme [Path to wordlist]
  • This resulted in the password of 481616481616
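
A 40-character hex digest plus a salt fits several constructions, which is why finding the right mode took trial and error above. The following added example (not part of the original write-up) checks a known digest, salt and recovered password against the salted SHA1 layouts hashcat lists; the function names are made up for this sketch.

```python
import hashlib
import hmac


def sha1_constructions(salt, password):
    """Map hashcat mode -> hex digest for each salted SHA1 layout."""
    s, p = salt.encode(), password.encode()
    return {
        100: hashlib.sha1(p).hexdigest(),               # SHA1, salt unused
        110: hashlib.sha1(p + s).hexdigest(),           # sha1($pass.$salt)
        120: hashlib.sha1(s + p).hexdigest(),           # sha1($salt.$pass)
        150: hmac.new(p, s, hashlib.sha1).hexdigest(),  # HMAC-SHA1 (key = $pass)
        160: hmac.new(s, p, hashlib.sha1).hexdigest(),  # HMAC-SHA1 (key = $salt)
    }


def matching_modes(digest_hex, salt, password):
    """Return the modes whose construction reproduces digest_hex."""
    target = digest_hex.strip().lower()
    return [mode for mode, digest in sha1_constructions(salt, password).items()
            if hmac.compare_digest(digest, target)]


if __name__ == "__main__":
    # Digest, salt and recovered password as given on this page.
    print(matching_modes("e5d8870e5bdd26602cab8dbe07a942c8669e56d6",
                         "tryhackme", "481616481616"))
```

Every layout yields the same 40 hex characters, so the digest alone cannot distinguish them; only the hint or a verified plaintext settles which mode applies.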

I then put it into a website to identify that hashing and got this back.