NCL CTF 2019
Password Cracking
MD5 Cracker: https://hashkiller.co.uk/Cracker/MD5
Cracking 1 (Easy)
370ae13d83b66540d11d65c3dc68a41a
f5bbd9eba486180d2a9a1fcbf4a45273
c3c278798ed3222ccbe11351cfb40abd
Use any MD5 cracker: ( https://passwordrecovery.io/md5/ )
Results:
370ae13d83b66540d11d65c3dc68a41a MD5 spring33
f5bbd9eba486180d2a9a1fcbf4a45273 MD5 flower214
c3c278798ed3222ccbe11351cfb40abd MD5 rain0219
Cracking 2 (Easy)
BA8BAA809D150892C4561E03C3DED99F:6738F7CCD29AD357FA82412F2F1D05EC
02B477E1E52134FA187C52153D174D85:93B5A32BBBC8303CBD9BDF607623AD5E
318864680C885669BE186A0108334D79:DB3DF0D89C0DE22372A190AF5D666F53
Steps:
1. Download xp_free_fast, xp_free_small, xp_special from < http://ophcrack.sourceforge.net/tables.php >
2. Ophcrack - install tables - load hashes
3. Crack
Results
- hz8cegtq5u
- 9jp2n3c7xg
- typ9w8462d
Cracking 3 (Medium)
Our officers have obtained password dumps of default passwords. We know the password scheme is a color plus a city plus two digits. See if you can crack them.
Steps:
1. Build the lists
- colors.txt
- cities.txt
$ wget http://downloads.skullsecurity.org/passwords/us_cities.txt.bz2
- numbers.txt
- contains 00 - 99
2. combine using combinator
$ /usr/share/hashcat-utils/combinator.bin colors.txt cities.txt > combined.txt
$ /usr/share/hashcat-utils/combinator.bin combined.txt numbers.txt > combined2.dict
3. crack
hash1.txt: cffdc0e71ed6afe0bfeb6e7da85d7fe6
hash2.txt: a58f5353a55c86efc3d2219bdd3663a4
hash3.txt: e1cd789c41d42b063121af3eeca169bc
# use --force if you're running hashcat in a VM on an Intel computer (aka no emulated GPU)
$ hashcat -a 0 -m 0 hash1.txt combined2.dict --force
# Dictionary cache built:
# * Filename..: combined2.dict
# * Passwords.: 24692500
# * Bytes.....: 415016000
# * Keyspace..: 24692500
# * Runtime...: 5 secs
# cffdc0e71ed6afe0bfeb6e7da85d7fe6:orangeDenver00
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: cffdc0e71ed6afe0bfeb6e7da85d7fe6
# Time.Started.....: Fri Apr 26 16:32:33 2019 (8 secs)
# Time.Estimated...: Fri Apr 26 16:32:41 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1274.2 kH/s (0.86ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 8693760/24692500 (35.21%)
# Rejected.........: 0/8693760 (0.00%)
# Restore.Point....: 8691712/24692500 (35.20%)
# Candidates.#1....: orangeDennard12 -> orangeDerby Center59
# HWMon.Dev.#1.....: N/A
# Started: Fri Apr 26 16:32:13 2019
# Stopped: Fri Apr 26 16:32:42 2019
$ hashcat -a 0 -m 0 hash2.txt combined2.dict --force
# * Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=0 -D _unroll'
# Dictionary cache hit:
# * Filename..: combined2.dict
# * Passwords.: 24692500
# * Bytes.....: 415016000
# * Keyspace..: 24692500
# a58f5353a55c86efc3d2219bdd3663a4:greenTucson08
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: a58f5353a55c86efc3d2219bdd3663a4
# Time.Started.....: Fri Apr 26 16:34:35 2019 (5 secs)
# Time.Estimated...: Fri Apr 26 16:34:40 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1166.2 kH/s (0.82ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 5980160/24692500 (24.22%)
# Rejected.........: 0/5980160 (0.00%)
# Restore.Point....: 5978112/24692500 (24.21%)
# Candidates.#1....: greenTrumbull12 -> greenTulalip59
# HWMon.Dev.#1.....: N/A
# Started: Fri Apr 26 16:34:34 2019
# Stopped: Fri Apr 26 16:34:42 2019
$ hashcat -a 0 -m 0 hash3.txt combined2.dict --force
# Session..........: hashcat
# Status...........: Running
# Hash.Type........: MD5
# Hash.Target......: e1cd789c41d42b063121af3eeca169bc
# Time.Started.....: Fri Apr 26 16:36:09 2019 (5 secs)
# Time.Estimated...: Fri Apr 26 16:36:30 2019 (16 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1111.5 kH/s (1.47ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
# Progress.........: 5855232/24692500 (23.71%)
# Rejected.........: 0/5855232 (0.00%)
# Restore.Point....: 5855232/24692500 (23.71%)
# Candidates.#1....: greenSpearfish32 -> greenSpillville79
# HWMon.Dev.#1.....: N/A
//
# e1cd789c41d42b063121af3eeca169bc:orangeBaltimore44
//
# Session..........: hashcat
# Status...........: Cracked
# Hash.Type........: MD5
# Hash.Target......: e1cd789c41d42b063121af3eeca169bc
# Time.Started.....: Fri Apr 26 16:36:09 2019 (8 secs)
# Time.Estimated...: Fri Apr 26 16:36:17 2019 (0 secs)
# Guess.Base.......: File (combined2.dict)
# Guess.Queue......: 1/1 (100.00%)
# Speed.Dev.#1.....: 1072.2 kH/s (0.82ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
# Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
# Progress.........: 8321024/24692500 (33.70%)
# Rejected.........: 0/8321024 (0.00%)
# Restore.Point....: 8318976/24692500 (33.69%)
# Candidates.#1....: orangeBallenger Creek76 -> orangeBandera Falls23
# HWMon.Dev.#1.....: N/A
//
# Started: Fri Apr 26 16:36:08 2019
# Stopped: Fri Apr 26 16:36:17 2019
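The build, combine and crack steps above as one added example (not part of the original write-up). It shows how small a "color + city + two digits" scheme is and how the guess rate, not the scheme, decides the time to exhaust it. `COLORS` and `CITIES` are short constructed lists and all function names are hypothetical. The rates are the ones in the hashcat output on this page.

```python
import hashlib
from itertools import product

# Constructed sample lists; the write-up's real colors.txt / cities.txt are not on the page.
COLORS = ["red", "orange", "green", "blue"]
CITIES = ["Denver", "Tucson", "Baltimore", "Derby Center"]
NUMBERS = [f"{n:02d}" for n in range(100)]  # numbers.txt: 00 - 99


def candidates(*wordlists):
    """Yield every concatenation, like chained combinator.bin runs, but lazily."""
    for parts in product(*wordlists):
        yield "".join(parts)


def keyspace(*wordlists):
    """Number of candidates the scheme allows: the product of the list sizes."""
    total = 1
    for words in wordlists:
        total *= len(words)
    return total


def audit(md5_digests, *wordlists):
    """Return {digest: password} for every MD5 digest that falls inside the scheme."""
    wanted = {d.lower() for d in md5_digests}
    found = {}
    for word in candidates(*wordlists):
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in wanted:
            found[digest] = word
            if len(found) == len(wanted):
                break  # every target accounted for, stop early
    return found


def seconds_to_exhaust(space, hashes_per_second):
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return space / hashes_per_second


if __name__ == "__main__":
    # The three MD5 targets from hash1.txt .. hash3.txt above.
    targets = ["cffdc0e71ed6afe0bfeb6e7da85d7fe6",
               "a58f5353a55c86efc3d2219bdd3663a4",
               "e1cd789c41d42b063121af3eeca169bc"]
    print(audit(targets, COLORS, CITIES, NUMBERS))
    print(seconds_to_exhaust(24692500, 1274.2e3))  # raw MD5 rate, Cracking 3
    print(seconds_to_exhaust(24692500, 2612))      # md5crypt rate, Cracking 4
```

At the raw MD5 rate the full 24692500-candidate list is exhausted in under 20 seconds. At the md5crypt rate the same list takes about 2.6 hours, still well within reach for a scheme this predictable.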
Cracking 4 (Hard)
$1$mrl$nycc.yKRXbu1pxqh//Ys/.
$1$skc$iZAkk/D5eNGtx..sXwdKW1
$1$xur$rMK48WxT97zXZq5pdANr10
Steps:
1. Identify the hash on < https://hashcat.net/wiki/doku.php?id=example_hashes >
2. hashcat
$ hashcat -a 0 -m 500 --session s1 hash1.txt /usr/share/wordlists/rockyou.txt --force
$1$mrl$nycc.yKRXbu1pxqh//Ys/.:gumdrop94
Session..........: s1
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$mrl$nycc.yKRXbu1pxqh//Ys/.
Time.Started.....: Fri Apr 26 19:37:01 2019 (49 mins, 59 secs)
Time.Estimated...: Fri Apr 26 20:27:00 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 2612 H/s (3.88ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 7753216/14344385 (54.05%)
Rejected.........: 0/7753216 (0.00%)
Restore.Point....: 7752960/14344385 (54.05%)
Candidates.#1....: gumisgood -> gumby821
HWMon.Dev.#1.....: N/A
Started: Fri Apr 26 19:37:00 2019
Stopped: Fri Apr 26 20:27:01 2019
$ hashcat -a 0 -m 500 --session s1 hash3.txt /usr/share/wordlists/rockyou.txt --force
$1$xur$rMK48WxT97zXZq5pdANr10:colin74
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$xur$rMK48WxT97zXZq5pdANr10
Time.Started.....: Fri Apr 26 17:54:13 2019 (1 hour, 39 mins)
Time.Estimated...: Fri Apr 26 19:33:38 2019 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 2761 H/s (4.94ms) @ Accel:128 Loops:62 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 9000192/14344385 (62.74%)
Rejected.........: 0/9000192 (0.00%)
Restore.Point....: 8999936/14344385 (62.74%)
Candidates.#1....: colincraig -> colin1969
HWMon.Dev.#1.....: N/A
Started: Fri Apr 26 17:54:13 2019
Stopped: Fri Apr 26 19:33:39 2019
# restore session
# $ hashcat --session s1 --restore
Scanning & Recon
Git Gud
flag1:
$ cat flag1.txt
# SKY-OLEI-2339
flag2:
$ git checkout flags
$ cat flag2.txt
# SKY-NSUN-4035
flag3:
$ git log
# Flag3: SKY-JGJQ-6095
flag4:
$ git checkout 6a03109e051aba3650111c3ca357401c84f59a44
$ cat flag4.txt
# SKY-FIQJ-1750
flag5:
$ git fsck --lost-found
dangling blob 48ee97991808f4738bdee89129a2060e014d97ce
dangling commit b40a03fe4735530d1c7e7e444e3ec6fc057e008b
dangling commit fb48bfb0932356f4f6655387634539bed5fd2e61
dangling commit bf42e1edcb2e9ddec0b78f77fb35c5641b47b61d
$ git show 48ee97991808f4738bdee89129a2060e014d97ce
# SKY-VWZT-7343
Tom's Blog
< https://whatcms.org/?s=tomsblog.cityinthe.cloud >
cms: WordPress
version: 5.1.1
http: Apache/2.4.29
theme: blogfeedly
$ wpscan --url https://tomsblog.cityinthe.cloud
$ wpscan --url https://tomsblog.cityinthe.cloud -e u
[+] tom
| Detected By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - https://tomsblog.cityinthe.cloud/wp-json/wp/v2/users/
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] julie
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] tess
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] henry
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] nat
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] mike
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] backup
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] dawson
| Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
$ wpscan --url https://tomsblog.cityinthe.cloud -e ap
$ wpscan --url https://tomsblog.cityinthe.cloud --plugins-detection aggressive
$ wpscan --url https://tomsblog.cityinthe.cloud --users-detection aggressive