@tompohl
Created November 23, 2017 04:20
Reversing the password
First, a quick CyberChef recipe to fix the event log:
https://gchq.github.io/CyberChef/#recipe=%5B%7B%22op%22%3A%22From%20Hex%22%2C%22args%22%3A%5B%22Space%22%5D%7D%2C%7B%22op%22%3A%22To%20Binary%22%2C%22args%22%3A%5B%22Space%22%5D%7D%2C%7B%22op%22%3A%22Find%20%2F%20Replace%22%2C%22args%22%3A%5B%7B%22option%22%3A%22Regex%22%2C%22string%22%3A%22%201%22%7D%2C%22%200%22%2Ctrue%2Cfalse%2Ctrue%5D%7D%2C%7B%22op%22%3A%22From%20Binary%22%2C%22args%22%3A%5B%22Space%22%5D%7D%5D&input=
I basically convert the hex to binary and see that every character whose value I *know* has its first (high) bit set to 1, so I just flip that bit to 0 on each byte and convert back to ASCII.
Now that we have the event log:
{
"event": "password_change",
"username": "bcollin",
"old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;",
"new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk",
"timestamp": 1501858860000
}
We need to convert the old_password and new_password values (16 raw bytes each) into hex-encoded hashes:
old_password becomes: 3AC7F40AAF2929374315D0F3DE69553B
new_password becomes: 39FA99CAEDF2585347DD2DC28E7A486B
Because this is a CTF and I love banging my head on the wall until it bleeds, eventually when I read "reverse both passwords" I take it literally and reverse each hex string character by character:
old_password: B35596ED3F0D5134739292FAA04F7CA3
new_password: B684A7E82CD2DD7435852FDEAC99AF93
Using the #1 CTF tool (Google) we find the old password is a double MD5 (md5x2, the MD5 of the hex MD5): p4ssw0rd
http://md5decoder.org/2a9d119df47ff993b662a8ef36f9ea20
Seeing that Google doesn't know the new_password hash, we have to resort to other methods.
I find a great little Perl script, dict2hash.pl:
http://hashcat.net/misc/dict2hash.pl
Put the reversed hash in a file named pass and run:
perl dict2hash.pl < /root/rockyou.txt | john --format=raw-md5 --stdin pass
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
5990027d60d655641fb35b1e3dca9e75 (?)
1g 0:00:00:00 1.234g/s 952562p/s 952562c/s 952562C/s ca69e33cf44cb58fe4f0db962f3a0fa1..00f1e6b149a1d3d5e6071f2e5b71a8cc
Use the "--show" option to display all of the cracked passwords reliably
Session completed
John cracked the outer layer and gave the inner hash 5990027d60d655641fb35b1e3dca9e75; now Google can crack that to come up with the final answer: thisiscrazy
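The decode-and-crack steps above as an added Python example (my code, not part of the original gist): clearing the high bit, decoding the escaped password fields to hex, the character-wise reversal, and a pure-Python stand-in for the `dict2hash.pl | john --format=raw-md5` double-MD5 check. The corrupted log fragment and the mini wordlist are constructed; the escaped password strings are the ones from the recovered event log.

```python
import hashlib
from typing import Iterable, Optional

# Constructed sample of the corrupted log: the real input is ASCII text with
# bit 7 set on every byte, which is what the CyberChef recipe in the writeup undoes.
CORRUPTED_FRAGMENT = bytes(b | 0x80 for b in b'"username": "bcollin"')

# The two password fields exactly as they appear in the recovered event log
# (repr-style text with \xHH and \n escapes, not raw bytes).
OLD_PASSWORD_ESCAPED = r":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;"
NEW_PASSWORD_ESCAPED = r"9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk"

def clear_high_bit(data: bytes) -> bytes:
    # Step 1: clear bit 7 of every byte to recover the printable ASCII log.
    return bytes(b & 0x7F for b in data)

def escaped_to_hex(field: str) -> str:
    # Step 2: decode the \xHH / \n escapes into the 16 raw digest bytes,
    # then hex-encode them (uppercase, as in the writeup).
    raw = field.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return raw.hex().upper()

def reverse_hex(hex_digest: str) -> str:
    # Step 3: "reverse the password" taken literally: reverse the hex string
    # character by character (nibble order, not byte order).
    return hex_digest[::-1]

def double_md5(word: bytes) -> str:
    # md5(hex(md5(word))): the construction that dict2hash.pl | john tests.
    inner_hex = hashlib.md5(word).hexdigest()
    return hashlib.md5(inner_hex.encode("ascii")).hexdigest()

def crack_double_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    # Step 4: first wordlist entry whose double MD5 equals target_hex, else None.
    target = target_hex.lower()
    for word in wordlist:
        if double_md5(word.encode("utf-8")) == target:
            return word
    return None

if __name__ == "__main__":
    print(clear_high_bit(CORRUPTED_FRAGMENT).decode("ascii"))
    for field in (OLD_PASSWORD_ESCAPED, NEW_PASSWORD_ESCAPED):
        print(escaped_to_hex(field), "reversed:", reverse_hex(escaped_to_hex(field)))
    # Constructed mini wordlist standing in for rockyou.txt.
    print(crack_double_md5(reverse_hex(escaped_to_hex(OLD_PASSWORD_ESCAPED)), ["123456", "p4ssw0rd"]))
```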
Thanks for the challenge!
-Tom