TryHackMe – Crack the hash walkthrough


In this post I show how I solved the Crack the hash room on TryHackMe. The task is to crack the 9 given hashes. The hashes are of different types, e.g. MD5, SHA-1 and bcrypt, and there are 2 salted hashes as well.

Level 1

To identify the hash types, I used the hashid and hash-identifier tools on Kali Linux. The -m flag for hashid also shows the corresponding Hashcat mode in the output. Then, I used hashcat to crack the hashes using the rockyou.txt wordlist.


This is an MD5 hash. The hash mode for MD5 in hashcat is 0.

    hashcat -a 0 -m 0 '48bb6e862e54f2a795ffc4e541caed4d' /usr/share/wordlists/rockyou.txt


This is a SHA-1 hash. The hash mode for raw SHA-1 is 100.

    hashcat -a 0 -m 100 'CBFDAC6008F9CAB4083784CBD1874F76618D2A97' /usr/share/wordlists/rockyou.txt


This was identified as a SHA-256 hash. The corresponding hash mode for hashcat is 1400.

    hashcat -a 0 -m 1400 '1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032' /usr/share/wordlists/rockyou.txt


The hash-identifier tool was not able to identify the hash type. The hashid tool returned 3 results:

  • Blowfish(OpenBSD) [Hashcat Mode: 3200]
  • Woltlab Burning Board 4.x
  • bcrypt [Hashcat Mode: 3200]

Mode 3200 worked fine. However, this type of hash takes longer to crack. Since we can see that the answer is 4 characters long, we can grep for lines in rockyou.txt that are 4 characters long and use the result as the wordlist.

    grep '^....$' /usr/share/wordlists/rockyou.txt > rockyou-4.txt
    hashcat -a 0 -m 3200 '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' rockyou-4.txt


The tools showed that this hash is most likely an MD5 or MD4 hash. However, I was not able to crack it. The task hint also shows us that it is an MD4 hash. So hashcat failed to crack the password because it was not in the rockyou wordlist. Then, I tried using other wordlists as well with no luck.

Brute-forcing the password would have taken too long, as it is 10 characters long. Finally, I tried and it was able to find the password.

Level 2

Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

This is also a SHA2-256 hash like the 3rd hash from Level 1.

    hashcat -a 0 -m 1400 'F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85' /usr/share/wordlists/rockyou.txt

Hash: 1DFECA0C002AE40B8619ECF94819CC1B

This is an NTLM hash. The corresponding hashcat mode is 1000.

    hashcat -a 0 -m 1000 '1DFECA0C002AE40B8619ECF94819CC1B' /usr/share/wordlists/rockyou.txt

Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

This was identified as a SHA-512 Crypt hash. The hashcat mode is 1800.

The cracking was progressing slowly, so I decided to filter out the 6-character-long passwords from rockyou.txt.

    grep '^......$' /usr/share/wordlists/rockyou.txt > rockyou-6.txt
    hashcat -a 0 -m 1800 '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' rockyou-6.txt

Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6

The tools identified this hash as SHA-1. However, it is a salted hash, so hash mode 100, which is for raw SHA-1 hashes, does not work in this case.

I searched the hashcat help for hash modes that can be used for salted SHA-1 hashes.

[Image: Hashcat modes for salted SHA-1 hash]

I also did some research, and found that the salt has to be specified after the hash, separated by a colon.

Then, I went through the above list of modes. What ended up working was mode 160.

The final command I used to crack this hash:

    hashcat -a 0 -m 160 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' /usr/share/wordlists/rockyou.txt
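Added example (not part of the original walkthrough): a 40-hex-digit digest looks the same whether it came from raw SHA-1 or from one of the salted constructions, which is why the identifier tools reported plain SHA-1 and why the mode has to match the construction. The Python sketch below recomputes the constructions behind hashcat modes 100, 110, 120, 150 and 160 and reports which one reproduces a `hash:salt` line. The function names, password and salt are constructed for illustration.

```python
import hashlib
import hmac

# SHA-1 constructions, keyed by the hashcat mode number that covers each one.
CONSTRUCTIONS = {
    100: lambda pw, salt: hashlib.sha1(pw).hexdigest(),                  # raw SHA-1, salt unused
    110: lambda pw, salt: hashlib.sha1(pw + salt).hexdigest(),           # sha1($pass.$salt)
    120: lambda pw, salt: hashlib.sha1(salt + pw).hexdigest(),           # sha1($salt.$pass)
    150: lambda pw, salt: hmac.new(pw, salt, hashlib.sha1).hexdigest(),  # HMAC-SHA1, key = $pass
    160: lambda pw, salt: hmac.new(salt, pw, hashlib.sha1).hexdigest(),  # HMAC-SHA1, key = $salt
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_line(line):
    """Split a 'hash:salt' line; the salt follows the first colon."""
    digest, _, salt = line.partition(":")
    if len(digest) != 40 or not set(digest) <= HEX_DIGITS:
        raise ValueError("expected a 40-hex-digit SHA-1 sized digest")
    return digest.lower(), salt.encode()


def matching_modes(line, candidate):
    """Return every mode whose construction maps `candidate` to the digest."""
    digest, salt = parse_line(line)
    pw = candidate.encode()
    return [mode for mode, build in CONSTRUCTIONS.items()
            if hmac.compare_digest(build(pw, salt), digest)]


# Constructed sample values, not taken from the room.
SAMPLE_PASSWORD = "example-password"
SAMPLE_SALT = "example-salt"
SAMPLE_LINE = (CONSTRUCTIONS[160](SAMPLE_PASSWORD.encode(), SAMPLE_SALT.encode())
               + ":" + SAMPLE_SALT)

if __name__ == "__main__":
    print("hash:salt line :", SAMPLE_LINE)
    print("matching modes :", matching_modes(SAMPLE_LINE, SAMPLE_PASSWORD))
```

Even with the correct password, the raw and concatenated constructions never reproduce the digest; only the keyed HMAC with the salt as key does, which corresponds to mode 160.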


I decided to use hashcat to crack the hashes. I was able to crack 8 out of 9 passwords using the rockyou wordlist.
There was an MD4 hash that I could not crack with hashcat, because the password to be found was not in the wordlists that I tried. So I used the CrackStation website to solve that question.

For the last hash the salt had to be given as well. But after finding the right syntax, the cracking was just as easy as the previous ones.

