URL: https://tryhackme.com/room/crackthehash [Easy]
Tags:
This is not a Capture The Flag. It’s a room that has several hashes to be cracked. Description of the room:
Cracking hashes challenges
One of the first things needed is to identify what potential hash algorithms are used, based on the format of the hash. Some ways to do that is check:
Also from the terminal, you can use hash-identifier. For example:
hash-identifier CBFDAC6008F9CAB4083784CBD1874F76618D2A97
Next, if these are hashes of known values with no salt applied, they might be easily crackable with rainbow tables. For some, you can use an online resource, or you can crack them locally.
For example, you might try the various hashes on a site like:
Below is a summary of the hashes and their algorithm.
| Hash | Algorithm |
|---|---|
48bb6e862e54f2a795ffc4e541caed4d |
md5 |
CBFDAC6008F9CAB4083784CBD1874F76618D2A97 |
SHA1 |
1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 |
SHA256 |
$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom |
Bcrypt-Blowfish |
279412f945939ba78ce0758d3fd83daa |
md4 |
Another way to attempt to crack these hashes is with hashcat. You could put your hashes into a file called hashes_l1.txt for example, and then run something like this:
hashcat -m 0 hashes_l1.txt /usr/share/wordlists/rockyou.txt
Note that the -m 0 is the hash “code” from the HashCat website: https://hashcat.net/wiki/doku.php?id=example_hashes - So 0 is the code for MD5 for example.
Of the hashes above the one that starts with $2y$12$... is an unusual one. From the THM hint, we see:
Search the hashcat examples page (https://hashcat.net/wiki/doku.php?id=example_hashes) for $2y$. This type of hash can take a very long time to crack, so either filter rockyou for four character words, or use a mask for four lower case alphabetical characters.
When I tried to run hashcat against on my laptop (Intel i7 7th Gen, no GPU), it says it will take 11+ days to complete!
Time.Estimated...: Mon Feb 21 14:23:25 2022 (11 days, 18 hours)
So, per the hint, let’s pull just the first 4 letters from RockYou and create a new wordlist:
cut -c-4 /usr/share/wordlists/rockyou.txt > ./rock4.txt
But then, this is going to have some duplicates and trash. We can at least get rid of the duplicates by calling sort and having it just include the unique (-u) lines, and the hint told us it’s all lower case. So, we can convert everything to lowercase, then just pull out the unique values:
tr A-Z a-z < ./rock4.txt | sort -u > rock4.sorted.txt
The tr replaces uppercase for lowercase from the shortened rock4.txt, then pipes that to sort which will pull out the unique values, and output itself to rock4.sorted.txt.
This dramatically reduces the size of our wordlist:
| File | Size |
|---|---|
rockyou.txt |
139,921,507 bytes |
rock4.txt |
71,718,690 bytes |
rock4.sorted.txt |
3,770,791 bytes |
So we went from 139MB, to 71MB, to 3MB. However, when we re-run hashcat:
hashcat -m 3200 hashes.txt rock4.sorted.txt
On my non-GPU laptop, that improved the time, but not to a reasonable level:
Time.Estimated...: Thu Feb 10 12:39:59 2022 (14 hours, 55 mins)
My guess is this would run dramatically faster on a desktop machine with a GPU.
Below are the algorithms used for each hash. Note that these can’t be broken online, you’ll need to use hashcat for these.
| Hash | Algorithm |
|---|---|
F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 |
SHA2-256 |
1DFECA0C002AE40B8619ECF94819CC1B |
NTLM |
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. |
sha512crypt $6$, SHA512 (Unix) |
e5d8870e5bdd26602cab8dbe07a942c8669e56d6 |
HMAC-SHA1 |
NOTE:
For the last one on Level 2,
hashcatexpects the hash to behash:salttype format.
Completed: [2022-02-09 22:27:21]