TryHackMe - Crack the hash - Write Up
I guess we have two goals to solve the first task. Identify the hash algo and crask it.
There great cli tools like hash-id or online tools like Cyberchef to help us identify - or at least - limit the possible hash aglos.
Task 1
Task 1.1
>> 48bb6e862e54f2a795ffc4e541caed4d
Save hash to file root@ip-10-10-192-12:~# echo 48bb6e862e54f2a795ffc4e541caed4d > hash1.txt
Using hashid to check for possible algos:
root@ip-10-10-192-12:~# hashid hash1.txt --File 'hash1.txt'-- Analyzing '48bb6e862e54f2a795ffc4e541caed4d' [+] MD2 [+] MD5 [+] MD4 [+] Double MD5 [+] LM [+] RIPEMD-128 [+] Haval-128 [...]
hashid suggests it could be MD5, so we are going with it for our first example.
To crack the hash, we are going to use hashcat.
hashcat [options] hashfile [mask|wordfiles|directories]
hashcat --hash-type=0 --attack-mode=0 ./hash1.txt /usr/share/wordlists/rockyou.txt
We choose --hash-type=0 for MD5 and --attack-mode=0 as we use a simple wordlist. Information can be found in the hashcat manual.
hashcat --help
[...]
Hash types
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
[...]
# | Mode
===+======
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
9 | Association
[...]
Result
* Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344391 * Bytes.....: 139921497 * Keyspace..: 14344384 * Runtime...: 2 secs 48bb6e862e54f2a795ffc4e541caed4d:**** <<<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Name........: MD5 Hash.Target......: 48bb6e862e54f2a795ffc4e541caed4d
Task 1.2
>> CBFDAC6008F9CAB4083784CBD1874F76618D2A97
I'd assume SHA-1 and we are going with it.
root@ip-10-10-192-12:~# echo CBFDAC6008F9CAB4083784CBD1874F76618D2A97 > hash2.txt
hashcat --hash-type=100 --attack-mode=0 ./hash2.txt /usr/share/wordlists/rockyou.txt
--hash-type=100 for SHA-1.
And we got a hit!
Result
[...] Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 cbfdac6008f9cab4083784cbd1874f76618d2a97:*********** <<<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Name........: SHA1 Hash.Target......: cbfdac6008f9cab4083784cbd1874f76618d2a97 [...]
Task 1.3
>> 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
I'd assume SHA-256. Let us repeat the process. Hint SHA-256 is using SHA2, which is important to find the algo in the list.
hashcat --help | grep -i sha2- 1300 | SHA2-224 | Raw Hash 1400 | SHA2-256 | Raw Hash 10800 | SHA2-384 | Raw Hash [...]
Create hash file:
root@ip-10-10-192-12:~# echo 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 > hash3.txt
Start hashcat
hashcat --hash-type=1400 --attack-mode=0 ./hash3.txt /usr/share/wordlists/rockyou.txt
Result
[...] Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032:******* <<<<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Name........: SHA2-256 Hash.Target......: 1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc94668...b63032 Time.Started.....: Wed Feb 14 20:42:32 2024 (0 secs) [...]
Task 1.4
>> $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
The tools to identify hashes had some problems with it but using the hashcat reference list helped us:
3200 bcrypt $2*$, Blowfish (Unix) $2a$05$LhayLxezLhK1LhWvKxCyLOj0j1u.Kj0jZ0pEmm134uzrQlFvQJLF6
hashcat --help | grep -i bcrypt 3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
Create hash file:
echo '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' > hash4.txt
Note Added single quotes to work with $ and echo.
hashcat --hash-type=3200 --attack-mode=0 ./hash4.txt /usr/share/wordlists/rockyou.txt
So, bcrypt blowfish is a hash function that takes time on purpose. It makes it difficult to crack as you need time or a lot of resources. I've switch to my main machine as the AttackBox of THM would take a while to hash it. hashcat -I to check the device ID of my GPU and add it to our command with -d IDoftheFGPU to speed things up:
Result
[...] $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom:**** <<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix)) [...]
Task 1.5
>> 279412f945939ba78ce0758d3fd83daa
So, it could be MD5 again, but that would be too easy, no?
Save hash to file:
echo 279412f945939ba78ce0758d3fd83daa > hash5.txt
I got through MD5 and MD4 and no success. I've changed my approach and looked into the wordlist. After some reading decided to use a toggle-attack to modify the casing of the words used. hashcat can do it with rules. Example rules can be found on Github and Explanation on their official Wiki.
Download rule and save as file:
curl https://raw.githubusercontent.com/hashcat/hashcat/master/rules/toggles2.rule > toggle2.rule
toggle2 modifies the first 2 letters.
We can use the -r flag to choose the rule. Let us start with MD5:
hashcat --hash-type=0 --attack-mode=0 ./hash5.txt /usr/share/wordlists/rockyou.txt -r toggle2.rule
No success! - Let us continue with MD4 - hash-type 900:
hashcat --hash-type=900 --attack-mode=0 ./hash5.txt /usr/share/wordlists/rockyou.txt -r toggle2.rule
Success! - Result:
[...] Dictionary cache hit: * Filename..: ./rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 1721326080 279412f945939ba78ce0758d3fd83daa:****** <<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Mode........: 900 (MD4) Hash.Target......: 279412f945939ba78ce0758d3fd83daa [...]
Not gonna lie, took me while to figure it out.
Task 2
Task 2.1
>> F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
Similar to the previous one, SHA256 according to the tools
Save hash to file:
echo F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 > hash6.txt
Run hashcat:
hashcat --hash-type=1400 --attack-mode=0 ./hash6.txt /usr/share/wordlists/rockyou.txt
Result
Dictionary cache hit: * Filename..: ./rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f640fccc2d0c85:***** <<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Mode........: 1400 (SHA2-256) Hash.Target......: f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f...2d0c85
Task 2.2
>> 1DFECA0C002AE40B8619ECF94819CC1B
MD4 or MD5 - rinse and repeat.
Save hash to file:
echo 1DFECA0C002AE40B8619ECF94819CC1B > hash7.txt
Run hashcast for MD5:
hashcat --hash-type=0 --attack-mode=0 ./hash7.txt /usr/share/wordlists/rockyou.txt
No success with MD5, MD4 and any toggle-attack. I've learned that you can run hashcat without a hash-type and it will make suggestions.
`hashcat --attack-mode=0 ./hash7.txt /usr/share/wordlists/rockyou.txt`
[...]
The following 11 hash-modes match the structure of your input hash:
# | Name | Category
======+=====================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
Let us try NTLM, shall we?
hashcat --hash-type=1000 --attack-mode=0 ./hash7.txt /usr/share/wordlists/rockyou.txt
Result
[...] Dictionary cache hit: * Filename..: ./rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 1dfeca0c002ae40b8619ecf94819cc1b:********* <<<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Mode........: 1000 (NTLM) Hash.Target......: 1dfeca0c002ae40b8619ecf94819cc1b [...]
Task 2.3
>> $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
- Salt given:
aReallyHardSalt
Note: the salt is already in the hash, so we don't need another syntax.
echo '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. > hash8.txt'
Identifying the algo was a little bit more difficult again. Tools let me down so I used the example list on their Wiki again:
1800 sha512crypt $6$, SHA512 (Unix) 2 $6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/
2000 STDOUT n/a
Run hashcat - this will take a while...
hashcat --hash-type=1800 --attack-mode=0 ./hash8.txt /usr/share/wordlists/rockyou.txt
Success!
Task 2.4
>> e5d8870e5bdd26602cab8dbe07a942c8669e56d6
- Salt given:
tryhackme
Could be SHA-1 with salt. Not sure about the syntax, but hashcat will let us know.
Let's begin with the first hit:
kuser@pleasejustwork:/etc/X11$ hashcat --help | grep -i sha1 [...] 110 | sha1($pass.$salt) | Raw Hash salted and/or iterated [...]
The required syntax of the hashfile is hash:salt:
echo 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' > hash9.txt
I can tell you, it was not 110 and I worked my way through up to 160 which worked out!
hashcat --hash-type=160 --attack-mode=0 ./hash9.txt /usr/share/wordlists/rockyou.txt
Result
Dictionary cache hit: * Filename..: ./rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 14344384 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme:******* <<<< RESULT Session..........: hashcat Status...........: Cracked Hash.Mode........: 160 (HMAC-SHA1 (key = $salt)) Hash.Target......: e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme
Conclusion
I was a little bit lost at some point. Various onlinetools had been unreliable and a simple list of examples saved the day multiple times.
Btw, I've just noticed the HINTS that THM provides. Well, would have saved some time, but learned a lot through the hard way.
E-Mail
hello@ittavern.com
- 04.02.2024 Adding a trash can to Linux with trash-cli
- 20.01.2024 Bandwidth Measurement using netcat on Linux
- 14.01.2024 Getting started with rsync - Comprehensive Guide
- 10.01.2024 Cron Jobs on Linux - Comprehensive Guide with Examples
- 22.11.2023 SSH Server Hardening Guide v2