Created November 23, 2017 04:20
Reversing the password
First, a quick CyberChef recipe to fix the event log:
https://gchq.github.io/CyberChef/#recipe=%5B%7B%22op%22%3A%22From%20Hex%22%2C%22args%22%3A%5B%22Space%22%5D%7D%2C%7B%22op%22%3A%22To%20Binary%22%2C%22args%22%3A%5B%22Space%22%5D%7D%2C%7B%22op%22%3A%22Find%20%2F%20Replace%22%2C%22args%22%3A%5B%7B%22option%22%3A%22Regex%22%2C%22string%22%3A%22%201%22%7D%2C%22%200%22%2Ctrue%2Cfalse%2Ctrue%5D%7D%2C%7B%22op%22%3A%22From%20Binary%22%2C%22args%22%3A%5B%22Space%22%5D%7D%5D&input=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
I basically convert the hex to binary, see that all the characters whose values I *know* have their first bit set to 1, so I just flip those to 0 and convert to ASCII.
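The bit-clearing step above, as an added Python example (this is not the gist's code and not the CyberChef recipe itself): clearing the leading bit of each 8-bit group in the binary view is the same as AND-ing every byte with 0x7F, so the binary round trip can be skipped. The damaged input is manufactured by a constructed helper; the challenge's real input is not reproduced here.

```python
# Constructed sample text standing in for the damaged event log (not the
# challenge's real input).
SAMPLE_TEXT = '{"event": "password_change", "username": "bcollin"}'


def corrupt_high_bits(text: str) -> str:
    """Constructed helper: simulate the damaged log by setting bit 7 of every
    ASCII byte and returning the result as space-separated uppercase hex."""
    damaged = bytes(b | 0x80 for b in text.encode("ascii"))
    return " ".join(f"{b:02X}" for b in damaged)


def high_bit_positions(hex_with_spaces: str) -> list:
    """Diagnostic: indexes of bytes whose top bit is set. When printable
    context makes the text obvious and this covers every byte, a single
    stuck bit is the likely corruption."""
    raw = bytes.fromhex(hex_with_spaces)  # fromhex skips whitespace between bytes
    return [i for i, b in enumerate(raw) if b & 0x80]


def fix_event_log(hex_with_spaces: str) -> str:
    """Mirror the recipe From Hex -> To Binary -> leading 1 to 0 -> From Binary.
    Clearing bit 7 of a byte is b & 0x7F, so work on bytes directly."""
    raw = bytes.fromhex(hex_with_spaces)
    cleared = bytes(b & 0x7F for b in raw)
    return cleared.decode("ascii")


if __name__ == "__main__":
    damaged = corrupt_high_bits(SAMPLE_TEXT)
    print("damaged hex :", damaged)
    print("set bits at :", high_bit_positions(damaged))
    print("recovered   :", fix_event_log(damaged))
```

The diagnostic is worth running before the fix: if only some bytes have the top bit set, a blanket AND with 0x7F would also alter bytes that were never corrupted.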
Now that we have the event log:

```json
{
  "event": "password_change",
  "username": "bcollin",
  "old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
  "new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
  "timestamp": 1501858860000
}
```
The old_password and new_password values are raw 16-byte hashes; hex-encoding them gives:

old_password becomes: 3AC7F40AAF2929374315D0F3DE69553B

new_password becomes: 39FA99CAEDF2585347DD2DC28E7A486B
Because this is a CTF and I love banging my head on the wall until it bleeds, eventually when I read "reverse both passwords" I take it literally and convert:

old_password: B35596ED3F0D5134739292FAA04F7CA3

new_password: B684A7E82CD2DD7435852FDEAC99AF93
Using the #1 CTF tool (Google), the reversed old_password hash turns out to be an md5x2 (double MD5) of: p4ssw0rd

http://md5decoder.org/2a9d119df47ff993b662a8ef36f9ea20
Seeing that Google doesn't know the new_password hash, we have to resort to other methods.

I find a great little Perl script, dict2hash.pl:

http://hashcat.net/misc/dict2hash.pl

Put the reversed hash in a file named pass and run:

```
perl dict2hash.pl < /root/rockyou.txt | john --format=raw-md5 --stdin pass
```
```
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
5990027d60d655641fb35b1e3dca9e75 (?)
1g 0:00:00:00 1.234g/s 952562p/s 952562c/s 952562C/s ca69e33cf44cb58fe4f0db962f3a0fa1..00f1e6b149a1d3d5e6071f2e5b71a8cc
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
The "password" john reports is the inner MD5 that dict2hash.pl fed it, so now Google can crack the hash 5990027d60d655641fb35b1e3dca9e75 to come up with the final answer: thisiscrazy
Thanks for the challenge!

-Tom
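The whole chain from the recovered log fields to the double-MD5 check, as an added Python example (not part of the gist, and not dict2hash.pl or john): it decodes the escaped password fields into hex, reverses the hex string as the writeup does, and tests candidate words with md5(md5(word)) exactly as the dict2hash.pl | john pipeline computes it. The wordlist in the block is a constructed stand-in for rockyou.txt; the two field values are the ones shown in the event log above.

```python
import hashlib

# The escaped password fields exactly as they appear in the recovered log.
OLD_PASSWORD_FIELD = r":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;"
NEW_PASSWORD_FIELD = r"9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk"

# Constructed stand-in for a wordlist such as rockyou.txt (not the real file).
SAMPLE_WORDLIST = ["123456", "password", "p4ssw0rd", "letmein", "thisiscrazy"]


def field_to_hex(field: str) -> str:
    """Decode the \\xNN and \\n escapes of a log value into its 16 raw bytes
    and return them as uppercase hex, the form shown in the writeup."""
    raw = field.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return raw.hex().upper()


def reverse_hex(hex_digest: str) -> str:
    """'Reverse both passwords' taken literally: reverse the hex string."""
    return hex_digest[::-1]


def log_field_to_target(field: str) -> str:
    """Reversed, lowercase digest ready for comparison with computed hashes."""
    return reverse_hex(field_to_hex(field)).lower()


def double_md5(word: str) -> tuple:
    """md5x2: returns (inner, outer) where inner = md5(word) as lowercase hex
    and outer = md5(inner). dict2hash.pl emits inner for each wordlist entry
    and john --format=raw-md5 hashes that text again, which is why john
    reports inner as the 'cracked password'."""
    inner = hashlib.md5(word.encode("utf-8")).hexdigest()
    outer = hashlib.md5(inner.encode("ascii")).hexdigest()
    return inner, outer


def crack_double_md5(target_hex: str, wordlist):
    """Return (word, inner_md5) for the first wordlist entry whose double MD5
    equals target_hex, or None when nothing matches."""
    target = target_hex.lower()
    for word in wordlist:
        inner, outer = double_md5(word)
        if outer == target:
            return word, inner
    return None


if __name__ == "__main__":
    for name, field in (("old_password", OLD_PASSWORD_FIELD),
                        ("new_password", NEW_PASSWORD_FIELD)):
        target = log_field_to_target(field)
        print(name, field_to_hex(field), "->", target,
              crack_double_md5(target, SAMPLE_WORDLIST))
```

The two-level result is the point: a tool that only shows the outer match will hand back a 32-character hex string as the "password", and the real plaintext only appears once the inner digest is looked up or cracked in turn.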