TryHackMe: Crack The Hash Level 2 writeup/walkthrough

Writeup/Tutorial for the room ‘Crack The Hash Level 2’ on TryHackMe

Phantom_95
11 min readJan 26, 2021

Room Link | Medium difficulty

As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer.

Table of content

Task 2: Hash identification

My system did not have gem package installed so I had to install that first. For that I did:

sudo apt-get install rubygems

After this, I was able to install haiti using gem:

gem install haiti-hash

#1. 741ebf5166b9ece4cca88a3868c44871e8370707cf19af3ceaa4a6fba006f224ae03f39153492853

What kind of hash is this?

haiti 741ebf5166b9ece4cca88a3868c44871e8370707cf19af3ceaa4a6fba006f224ae03f39153492853

#2. Launch Haiti on this hash:

1aec7a56aa08b25b596057e1ccbcb6d768b770eaa0f355ccbd56aee5040e02ee

haiti 1aec7a56aa08b25b596057e1ccbcb6d768b770eaa0f355ccbd56aee5040e02ee

#3. What is Keccak-256 Hashcat code?

#4. What is Keccak-256 John the Ripper code?

The answer will be there in the output after JtR:

Task 3: Wordlists

To use wordlistctl on Kali Linux, I had to clone the Github repo instead of installing it like you would on Arch Linux.

git clone https://github.com/BlackArch/wordlistctl.gitpython3 wordlistctl/wordlistctl.py -h

#1. Which option do you need to add to the previous command to search into local archives instead of remote ones?

I outputted the content of the python script and search for local using grep. That should show us what option is required.

cat wordlistctl.py | grep local

#2. Now search again for rockyou on your local archive with wordlistctl search -l rockyou

You should see that the wordlist is deployed at /usr/share/wordlists/passwords/rockyou.txt.tar.gz

But the wordlist is compressed in a tar.gz archive, to decompress it run wordlistctl fetch -l rockyou -d.
If you run wordlistctl search -l rockyou one more time, what is the path where is stored the wordlist?

python3 wordlistctl.py search -l rockyoupython3 wordlistctl.py fetch -l rockyou -dpython3 wordlistctl.py search -l rockyou

#3. You can search for a wordlist about a specific subject (eg. facebook) wordlistctl search facebook or list all wordlists from a category (eg. fuzzing) wordlistctl list -g fuzzing.

What is the name of the first wordlist in the usernames category?

python3 wordlistctl.py list -g usernames

Task 4: Cracking tools, modes & rules

#1. Now let’s crack the SHA1 hash 2d5c517a4f7a14dcb38329d228a7d18a3b78ce83, we just have to write the hash in a text file and to specify the hash type, the wordlist and our rule name. john hash.txt --format=raw-sha1 --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt --rules=THM01

What was the password?

sudo python3 ~/Desktop/wordlistctl/wordlistctl.py fetch -l 10k_most_common -dsudo python3 ~/Desktop/wordlistctl/wordlistctl.py search -l 10k_most_commonecho '2d5c517a4f7a14dcb38329d228a7d18a3b78ce83' > hash.txtjohn hash.txt --format=raw-sha1 --wordlist=/usr/share/wordlists/misc/10k_most_common.txt --rules=THM01john hash.txt --show

Task 5: Custom wordlist generation

#1. Crack the following md5 hash with the wordlist generated in the previous steps.

ed91365105bba79fdab20c376d83d752

Click the plus next to base words to add a custom wordlist and select dogs.txt. If it already has a default wordlist, then click on the — icon near it. Click on the + near Process to add different rules so first add Case and then add Substitution. Then click on the + near Case and click on Toggle Nth and change the value to 2. Then click the + on Substitution and click on Replace All Instances and select s -> $. Click on process and select the place you want to save the file. I saved my file as dogs2.txt

I wasn’t able to get John to crack the hash but I was able to use hashcat. MD5 hashes in hashcat use -m 0 option so that’s what I used below.

hashcat -m 0 hash.txt dogs2.txt

#2. For example to download all words from example.org with a depth of 2, run:
cewl -d 2 -w $(pwd)/example.txt https://example.org
The depth is the number of link level the spider will follow.

What is the last word of the list?

cewl -d 2 -w $(pwd)/example.txt https://example.orgtail example.txt

#3. Crack this md5 hash with combination.txt.

e5b47b7e8df2597077e703c76ee86aee

First let’s install pip if you don’t have it because we need it to install ttpassgen.

sudo apt install python3-pippip install ttpassgenttpassgen --rule '[?d]{4:4:*}' pin.txtttpassgen --rule '[?l]{1:3:*}' abc.txtttpassgen --dictlist 'pin.txt,abc.txt' --rule '$0[-]{1}$1' combination.txt

Once the combination.txt file is ready, we can use hashcat with -m 0 as it’s an md5 hash.

echo 'e5b47b7e8df2597077e703c76ee86aee' > hash.txthashcat -m 0 hash.txt combination.txt

Task 6: it’s time to crack hashes

#1. Advice n°1 b16f211a8ad7f97778e5006c7cecdf31

Hint: English male name, MD5, Border mutation, custom rule

echo 'b16f211a8ad7f97778e5006c7cecdf31' > hash.txtpython3 ~/Desktop/wordlistctl/wordlistctl.py fetch -l top_1000_usa_malenames_english -dpython3 ~/Desktop/wordlistctl/wordlistctl.py search -l top_1000_usa_malenames_english# I copied the wordlist into my current directory where I was working from
cp
<path output from command above> .

The question mentions it uses border mutation where we add combination of digits and/or special characters to both or one of the ends of the word. If we do it by creating wordlists, it will take too much time and storage. To go around this, we can use mangling rules as the room teaches in one of the previous tasks. For this task we only need the 5 Digits+Special Character Combination eg: xxxxxname, xxxxnamex, xxxnamexx, xxnamexxx, xnamexxxx, namexxxxx where x is either a special character or digit.

# Adding rule in john.conf
locate john.conf
sudo nano /etc/john/john.conf
# Add the following line after one of the prewritten rules.
# To find a pre-written rule, just use CTRL+W to find in nano and type List.Rules and press enter. Add a new line after the : and then add the following rule:
# I have replaced the rule with this file upload as someone else had an issue directly copying the rule from here so I sent them the same file I have uploaded on the link below and it worked.
http://s000.tinyupload.com/index.php?file_id=07601583944998921775

The CTH01 is the name of the rule you will call it with, the letter ‘c’ only keeps the first letter capitalised, ‘Az’ means to append and ‘A0’ means to prepend to following. So for this answer the combination was namexxxxx and hence the rule above. [0–9!@\#\$%^&()_+\-={}|\[\]\\;’:,/\<\>?`~*] contains all the special characters and digits from 0–9 and it is repeated 5 times. Credit to Tsoumpaklas for providing me with this rule.

john hash.txt --format=raw-md5 --wordlist=./top_1000_usa_malenames_english.txt --rules=CTH01

It took me around 2 minutes 22 seconds to crack it using an i7 8750H 6 core CPU.

#2. Advice n°2 7463fcb720de92803d179e7f83070f97

Hint: English female name, MD5, Border mutation, custom rule

echo ‘7463fcb720de92803d179e7f83070f97’ > hash.txtsudo python3 wordlistctl.py search female
sudo python3 wordlistctl.py fetch -l femalenames-usa-top1000.txt -d
sudo python3 wordlistctl.py search -l femalenames-usa-top1000.txt
# It should now show a path to the directory so copy that path and paste it into your current directory as shown below:cp /usr/share/wordlists/usernames/femalenames-usa-top1000.txt .
# Following from the previous question, open the john.conf file and replace the line starting with cAz… with the following:http://s000.tinyupload.com/index.php?file_id=45684960321058540739(Don't replace [List.Rules:CTH01], replace the rule below it)

This time I sorted the names from longest to shortest so I can avoid the really short length names as I didn’t think they would be used here so I could save some time.

# Sorting the female names dictionary from longest to shortest (Credit)cat femalenames-usa-top1000.txt | awk ‘{ print length($0) “ “ $0; }’ $file | sort -r -n | cut -d ‘ ‘ -f 2- > top_1000_female_sorted.txtjohn hash.txt --format=raw-md5 --wordlist=./top_1000_female_sorted.txt --rules=CTH01

#3. Advice n°3 f4476669333651be5b37ec6d81ef526f

Hint: Town name of Mexico, MD5, Freak mutation, mentalist tool

sudo python3 wordlistctl.py search cities
sudo python3 wordlistctl.py fetch -l cities -d
sudo python3 wordlistctl.py search -l cities
# It should now show a path to the directory so copy that path and paste it into your current directory as shown below:cp /usr/share/wordlists/misc/cities.txt .echo ‘f4476669333651be5b37ec6d81ef526f’ > hash.txt
# Using this tool I got from 0xsanz (Go follow him here, 0xsanz was very helpful), we can remove spaces from the list.python3 removespaces.py
<The took should create a file in the current directory named cities_spaces_removed.txt>
# You can also use tr to remove the empty spaces(Credit: 3N16M4).

tr -d "[:blank:]"

After removing the white space, we need to make sure all letters are lowercase and to do that, we can use mentalist.

tr [:upper:] [:lower:]# You can change all letters to lowercase using the command above (Credit: 3N16M4) but for those that want to use mentalist to get a hang of it, I've added the steps:# Open mentalist using:
sudo mentalist
# Remove the English Dictionary from base words and add the cities_spaces_removed.txt list and add Case with Lowercase All.
# We will use the default l33t rule which will try different combination of letter replacements eg: Mexico -> M3x1c0 or M3x1co and so on.
# Save that list and use it with john to crack the hash
john hash.txt --format=raw-md5 --wordlist=cities_spaces_removed_lowercase.txt --rules=l33t

Cracked in around a second for me!

#4.Advice n°4 a3a321e1c246c773177363200a6c0466a5030afc

Hint: User’s own name, SHA1, case mutation with existing rule

echo ‘a3a321e1c246c773177363200a6c0466a5030afc’ > hash.txt# The name of the format for SHA1 can be found using this command:
john --list=formats | grep SHA

The user’s full name is spelled with 14 characters (excluding the space) and I counted the asterisk on THM and they totaled to 14 chars.

The password is Case mutated where we toggle the lowercase and uppercase for different chars and we can use a default rule for this. The default rule to use here is NT (Credit).

echo ‘davidguettapan’ > name.txtjohn hash.txt --format=Raw-SHA1 --wordlist=name.txt --rules=NT

It took me less than a second to crack it!

#5. Advice n°5 d5e085772469d544a447bc8250890949

Hint: Lyrics, MD5, Order mutation, lyricpass

echo ‘d5e085772469d544a447bc8250890949’ > hash.txtgit clone https://github.com/initstring/lyricpass.gitsudo python3 lyricpass/lyricpass.py -a “Adele”
# The above command can take some time so take a break maybe
# I changed file names using mv
mv <original_filename> wordlist
mv <original_filename> raw-lyrics

As listed here, we can make use of the hashcat rule for reversing characters ‘r’.

# Create a rule using mask processor which is usually bundled with hashcat:
mp64 -o reverse.rule ‘r’
If you don't have mp64 (mask processor), you can make the rule without it:
echo ‘r’ > reverse.rule
hashcat -m 0 hash.txt raw-lyrics -r reverse.rule

#6. Advice n°6 377081d69d23759c5946a95d1b757adc

Hint: Phone number, MD5, No mutation, pnwgen

echo ‘377081d69d23759c5946a95d1b757adc’ > hash.txt

Searching for Sint Maarten phone number online reveals +1 721 and counting the asterisks in TryHackMe answer box gives us 12 characters.

+1 721–555–1212 -> +17215551212 (12 chars)
We know that it will always start with +1721 (first 5 chars) so we only need to brute-force the last 7 chars.
Eg: +1721xxxxxxx

echo ‘+1721’ > start.txt
ttpassgen --rule ‘[?d]{7:7:*}’ end.txt
ttpassgen --dictlist ‘start.txt,end.txt’ --rule ‘$0$1’ combination.txt
# I know that the question hints towards using pnwgen, but I felt comfortable using ttpassgen even though I got it wrong a few times in the start.
hashcat -m 0 hash.txt combination.txt
OR
john hash.txt --format=raw-md5 --wordlist=combination.txt

#7. Advice n°7 ba6e8f9cd4140ac8b8d2bf96c9acd2fb58c0827d556b78e331d1113fcbfe425ca9299fe917f6015978f7e1644382d1ea45fd581aed6298acde2fa01e7d83cdbd

Hint: Rockyou, SHA3–512, No mutation

echo ‘ba6e8f9cd4140ac8b8d2bf96c9acd2fb58c0827d556b78e331d1113fcbfe425ca9299fe917f6015978f7e1644382d1ea45fd581aed6298acde2fa01e7d83cdbd’ > hash.txthashcat --help | grep SHA3–512
# This reveals hashcat mode for SHA3–512 so we can use that to crack this hash.
locate rockyou.txtcp <location output from above command> ./
hashcat -m 17600 hash.txt rockyou.txt

#8. Advice n°8 9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617

Hint: Web scrapping, blake2, Repetition, CeWL

I was getting an error when I tried cracking the hashing but it turns out I wrote it in the wrong format. Following on from previous link, we find that the correct format for the BLAKE2 hash is to add $BLAKE2$ at the start of the hash.

echo ‘$BLAKE2$9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617’ > hash.txt# We can find the mode to use for hashcat to crack BLAKE2 hash using: 
hashcat --help | grep BLAKE2
# We need to make a wordlist using cewl:
cewl http://<CTH2RoomMachineIP>/rtfm.re/en/sponsors/index.html -w wordlist
# Now we need to make rules in hashcat to repeat the words as the advice mentioned that they would repeat words (Credit 1, Credit 2):mp64 -o 2duplicate.rule ‘d’
mp64 -o 3duplicate.rule ‘dd’
mp64 -o 4duplicate.rule ‘ddd’
mp64 -o 5duplicate.rule ‘dddd’

Note: I might have done the duplicate rules incorrectly because when looking at the candidate values using 5duplicate.rule, it was showing 16 repetitions of the word , 8 repetitions for 4duplicate.rule, 4 repetitions for 3duplicate.rule. Maybe instead of appending, it multiplies it by 2 and that’s why ‘d’ means repeating twice, ‘dd’ means repeating 2x2=4 times, ‘ddd’ means repeating 2x2x2=8 times, ‘dddd’ means repeating 2x2x2x2=16 times. I’m not sure how we would go about repeating words 3,5,7,9 times and so on.

I started from 5duplicate.rule and kept on going down but after trying the 3duplicate.rule which had the word being repeated 4 times, it worked for me.

hashcat -m 600 hash.txt wordlist.txt -r 3duplicate.rule

#9. Advice n°9 $6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/

Hint: Rockyou, SHA512-crypt, No mutation

echo ‘$6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/’ > hash.txt#I pasted the hash on this website to identify and found that it is a sha512crypt and used that to find the hashcat mode.hashcat --help | grep sha512cryptlocate rockyou.txt
cp
<path from above command> ./
hashcat -m 1800 hash.txt rockyou.txt

This took me a long time to work through as I was having issues with my VM initially so I had to reinstall Kali and some of the hashes themselves took some time so I would really appreciate if you could follow and click the clap button. Leave any responses if you have any questions.

That’s all for this room. Follow me for more write-ups!

--

--

Phantom_95
Phantom_95

Written by Phantom_95

I like all things IT but currently focused on being an IT Security Specialist.

No responses yet