====== NCL CTF 2019 ======

===== Password Cracking =====

MD5 Cracker: https://hashkiller.co.uk/Cracker/MD5

==== Cracking 1 (Easy) ====

<code>
370ae13d83b66540d11d65c3dc68a41a
f5bbd9eba486180d2a9a1fcbf4a45273
c3c278798ed3222ccbe11351cfb40abd
</code>

Use any MD5 cracker (https://passwordrecovery.io/md5/).

Results:

<code>
370ae13d83b66540d11d65c3dc68a41a MD5 spring33
f5bbd9eba486180d2a9a1fcbf4a45273 MD5 flower214
c3c278798ed3222ccbe11351cfb40abd MD5 rain0219
</code>

==== Cracking 2 (Easy) ====

<code>
BA8BAA809D150892C4561E03C3DED99F:6738F7CCD29AD357FA82412F2F1D05EC
02B477E1E52134FA187C52153D174D85:93B5A32BBBC8303CBD9BDF607623AD5E
318864680C885669BE186A0108334D79:DB3DF0D89C0DE22372A190AF5D666F53
</code>

Steps:

1. Download xp_free_fast, xp_free_small, xp_special from http://ophcrack.sourceforge.net/tables.php

2. Ophcrack
  - install tables
  - load hashes

3. Crack

Results:

  - hz8cegtq5u
  - 9jp2n3c7xg
  - typ9w8462d

==== Cracking 3 (Medium) ====

Our officers have obtained password dumps of default passwords. We know the password scheme is a color plus a city plus two digits. See if you can crack them.

Steps:

1. Build the lists
  - colors.txt
  - cities.txt
  - numbers.txt - contains 00 - 99

<code>
# source for cities.txt
$ wget http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2
</code>

2. Combine using combinator

<code>
$ /usr/share/hashcat-utils/combinator.bin colors.txt cities.txt > combined.txt
# written as combined2.dict, the file name the hashcat runs below use
$ /usr/share/hashcat-utils/combinator.bin combined.txt numbers.txt > combined2.dict
</code>

3. Crack

<code>
hash1.txt: cffdc0e71ed6afe0bfeb6e7da85d7fe6
hash2.txt: a58f5353a55c86efc3d2219bdd3663a4
hash3.txt: e1cd789c41d42b063121af3eeca169bc
</code>

<code>
# use --force if you're using a VM on an Intel computer (aka no emulated GPU)
$ hashcat -a 0 -m 0 hash1.txt combined2.dict --force
# Dictionary cache built:
# * Filename..: combined2.dict
# * Passwords.: 24692500
# * Bytes.....: 415016000
# * Keyspace..: 24692500
# * Runtime...: 5 secs
# cffdc0e71ed6afe0bfeb6e7da85d7fe6:orangeDenver00
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: cffdc0e71ed6afe0bfeb6e7da85d7fe6
# Time.Started.....: Fri Apr 26 16:32:33 2019 (8 secs)
# Time.Estimated...: Fri Apr 26 16:32:41 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1274.2 kH/s (0.86ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 8693760/24692500 (35.21%)
# Rejected.........: 0/8693760 (0.00%)
# Restore.Point....: 8691712/24692500 (35.20%)
# Candidates.#1....: orangeDennard12 -> orangeDerby Center59
# HWMon.Dev.#1.....: N/A
# Started: Fri Apr 26 16:32:13 2019
# Stopped: Fri Apr 26 16:32:42 2019
</code>

<code>
$ hashcat -a 0 -m 0 hash2.txt combined2.dict --force
# * Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
# Dictionary cache hit:
# * Filename..: combined2.dict
# * Passwords.: 24692500
# * Bytes.....: 415016000
# * Keyspace..: 24692500
# a58f5353a55c86efc3d2219bdd3663a4:greenTucson08
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: a58f5353a55c86efc3d2219bdd3663a4
# Time.Started.....: Fri Apr 26 16:34:35 2019 (5 secs)
# Time.Estimated...: Fri Apr 26 16:34:40 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1166.2 kH/s (0.82ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 5980160/24692500 (24.22%)
# Rejected.........: 0/5980160 (0.00%)
# Restore.Point....: 5978112/24692500 (24.21%)
# Candidates.#1....: greenTrumbull12 -> greenTulalip59
# HWMon.Dev.#1.....: N/A
# Started: Fri Apr 26 16:34:34 2019
# Stopped: Fri Apr 26 16:34:42 2019
</code>

<code>
$ hashcat -a 0 -m 0 hash3.txt combined2.dict --force
# Session..........: hashcat
# Status...........: Running
# Hash.Type........: MD5
# Hash.Target......: e1cd789c41d42b063121af3eeca169bc
# Time.Started.....: Fri Apr 26 16:36:09 2019 (5 secs)
# Time.Estimated...: Fri Apr 26 16:36:30 2019 (16 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1111.5 kH/s (1.47ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
# Progress.........: 5855232/24692500 (23.71%)
# Rejected.........: 0/5855232 (0.00%)
# Restore.Point....: 5855232/24692500 (23.71%)
# Candidates.#1....: greenSpearfish32 -> greenSpillville79
# HWMon.Dev.#1.....: N/A
# e1cd789c41d42b063121af3eeca169bc:orangeBaltimore44
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: e1cd789c41d42b063121af3eeca169bc
# Time.Started.....: Fri Apr 26 16:36:09 2019 (8 secs)
# Time.Estimated...: Fri Apr 26 16:36:17 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1072.2 kH/s (0.82ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 8321024/24692500 (33.70%)
# Rejected.........: 0/8321024 (0.00%)
# Restore.Point....: 8318976/24692500 (33.69%)
# Candidates.#1....: orangeBallenger Creek76 -> orangeBandera Falls23
# HWMon.Dev.#1.....: N/A
# Started: Fri Apr 26 16:36:08 2019
# Stopped: Fri Apr 26 16:36:17 2019
</code>

==== Cracking 4 (Hard) ====

<code>
$1$mrl$nycc.yKRXbu1pxqh//Ys/.
$1$skc$iZAkk/D5eNGtx..sXwdKW1
$1$xur$rMK48WxT97zXZq5pdANr10
</code>

Steps:

1. Identify the hash on https://hashcat.net/wiki/doku.php?id=example_hashes

2. hashcat

<code>
$ hashcat -a 0 -m 500 --session s1 hash1.txt /usr/share/wordlists/rockyou.txt --force
$1$mrl$nycc.yKRXbu1pxqh//Ys/.:gumdrop94
Session..........: s1
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$mrl$nycc.yKRXbu1pxqh//Ys/.
Time.Started.....: Fri Apr 26 19:37:01 2019 (49 mins, 59 secs)
Time.Estimated...: Fri Apr 26 20:27:00 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 2612 H/s (3.88ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 7753216/14344385 (54.05%)
Rejected.........: 0/7753216 (0.00%)
Restore.Point....: 7752960/14344385 (54.05%)
Candidates.#1....: gumisgood -> gumby821
HWMon.Dev.#1.....: N/A
Started: Fri Apr 26 19:37:00 2019
Stopped: Fri Apr 26 20:27:01 2019
</code>

<code>
$ hashcat -a 0 -m 500 --session s1 hash3.txt /usr/share/wordlists/rockyou.txt --force
$1$xur$rMK48WxT97zXZq5pdANr10:colin74
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$xur$rMK48WxT97zXZq5pdANr10
Time.Started.....: Fri Apr 26 17:54:13 2019 (1 hour, 39 mins)
Time.Estimated...: Fri Apr 26 19:33:38 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 2761 H/s (4.94ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9000192/14344385 (62.74%)
Rejected.........: 0/9000192 (0.00%)
Restore.Point....: 8999936/14344385 (62.74%)
Candidates.#1....: colincraig -> colin1969
HWMon.Dev.#1.....: N/A
Started: Fri Apr 26 17:54:13 2019
Stopped: Fri Apr 26 19:33:39 2019

# restore session
# $ hashcat --session s1 --restore
</code>

===== Scanning & Recon =====

==== Git Gud ====

flag1:

<code>
$ cat flag1.txt
# SKY-OLEI-2339
</code>

flag2:

<code>
$ git checkout flags
$ cat flag2.txt
# SKY-NSUN-4035
</code>

flag3:

<code>
$ git log
# Flag3: SKY-JGJQ-6095
</code>

flag4:

<code>
$ git checkout 6a03109e051aba3650111c3ca357401c84f59a44
$ cat flag4.txt
# SKY-FIQJ-1750
</code>

flag5:

<code>
$ git fsck --lost-found
dangling blob 48ee97991808f4738bdee89129a2060e014d97ce
dangling commit b40a03fe4735530d1c7e7e444e3ec6fc057e008b
dangling commit fb48bfb0932356f4f6655387634539bed5fd2e61
dangling commit bf42e1edcb2e9ddec0b78f77fb35c5641b47b61d
$ git show 48ee97991808f4738bdee89129a2060e014d97ce
# SKY-VWZT-7343
</code>

==== Tom's Blog ====

https://whatcms.org/?s=tomsblog.cityinthe.cloud

<code>
cms: WordPress
version: 5.1.1
http: Apache/2.4.29
theme: blogfeedly
</code>

<code>
# --url must be the blog itself; the whatcms.org address above is only the CMS lookup page
$ wpscan --url https://tomsblog.cityinthe.cloud
# enumerate users
$ wpscan --url https://tomsblog.cityinthe.cloud -e u
[+] tom
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - https://tomsblog.cityinthe.cloud/wp-json/wp/v2/users/
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] julie
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] tess
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] henry
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] nat
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] mike
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] backup
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] dawson
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
# enumerate all plugins
$ wpscan --url https://tomsblog.cityinthe.cloud -e ap
$ wpscan --url https://tomsblog.cityinthe.cloud --plugins-detection aggressive
$ wpscan --url https://tomsblog.cityinthe.cloud --users-detection aggressive
</code>

cybersec/ctf.txt Last modified: 2023/07/02 16:46 by hli
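
The Cracking 3 procedure (combine the color, city and two-digit lists, then test every candidate against the MD5 hashes) written out in Python as an added example; it is not part of the original write-up. The word lists and target hashes are constructed sample data and ''audit_scheme'' is a hypothetical name. It checks all targets in one pass instead of one run per hash and reports the scheme's total keyspace.

```python
import hashlib
from itertools import product


def audit_scheme(target_hashes, colors, cities, digits=2):
    """Enumerate color+city+NN candidates once and match all MD5 targets.

    Returns (found, keyspace): found maps each recovered lower-case hash to
    its password, keyspace is the number of candidates the scheme allows.
    """
    # Dumps often mix upper- and lower-case hex; normalise, drop malformed lines.
    targets = set()
    for h in target_hashes:
        h = h.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            targets.add(h)

    suffixes = [f"{n:0{digits}d}" for n in range(10 ** digits)]  # 00..99
    keyspace = len(colors) * len(cities) * len(suffixes)

    found = {}
    # Same candidates as the two combinator passes: color + city, then + digits.
    for color, city, nn in product(colors, cities, suffixes):
        candidate = f"{color}{city}{nn}"
        digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
        if digest in targets:
            found[digest] = candidate
            if len(found) == len(targets):
                break  # every target recovered, stop early
    return found, keyspace


# Constructed sample data (assumption: not the challenge's lists or hashes).
COLORS = ["red", "orange", "green", "blue"]
CITIES = ["Denver", "Tucson", "Baltimore", "Salt Lake City"]  # spaces are kept
SAMPLE_PASSWORDS = ["blueTucson07", "redSalt Lake City42"]
SAMPLE_HASHES = [hashlib.md5(p.encode()).hexdigest().upper() for p in SAMPLE_PASSWORDS]
SAMPLE_HASHES.append("0" * 32)  # a hash outside the scheme stays unrecovered

if __name__ == "__main__":
    found, keyspace = audit_scheme(SAMPLE_HASHES, COLORS, CITIES)
    print(f"keyspace: {keyspace} candidates")
    for digest, password in found.items():
        print(f"{digest}:{password}")
```

With the real lists the keyspace is the 24692500 candidates hashcat reports above, which unsalted MD5 exhausts in well under a minute at the speeds shown.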