narancs's blog

TryHackMe – Crack the hash walkthrough

Introduction

TryHackme Crack the hash room logo

In this post I am showing how I solved the Crack the hash room on TryHackMe. Our task is to crack the 9 given hashes. The hashes are of different types, e.g. MD5, SHA1, bcrypt and there are 2 salted hashes as well.

Level 1

To identify the type of hashes, I used hashid and hash-identifier tools on Kali Linux. The -m flag for hashid shows the corresponding Hashcat mode as well in the output. Then, I used hashcat to crack the hashes using rockyou.txt wordlist.

48bb6e862e54f2a795ffc4e541caed4d

This is an MD5 hash. The hash mode for MD5 in hashcat is 0.

				
					hashcat -a 0 -m 0 '48bb6e862e54f2a795ffc4e541caed4d' /usr/share/wordlists/rockyou.txt
				
			

CBFDAC6008F9CAB4083784CBD1874F76618D2A97

This is a SHA-1 hash. The hash mode for raw SHA-1 hash is 100.

				
					hashcat -a 0 -m 100 'CBFDAC6008F9CAB4083784CBD1874F76618D2A97' /usr/share/wordlists/rockyou.txt
				
			

1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

This was identified as a SHA-256 hash. The corresponding hash mode for hashcat is 1400.

				
					hashcat -a 0 -m 1400 '1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032' /usr/share/wordlists/rockyou.txt
				
			

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

The hash-identifier tool was not able to identify the hash type. The hashid tool returned 3 results:

  • Blowfish(OpenBSD) [Hashcat Mode: 3200]
  • Woltlab Burning Board 4.x
  • bcrypt [Hashcat Mode: 3200]

The mode 3200 worked fine. However, this type of hash takes longer to crack. Since we can see that the answer is 4 characters long, we can grep for lines in rockyou.txt that are 4 characters long and use the result as wordlist.

				
					grep '^....$' /usr/share/wordlists/rockyou.txt > rockyou-4.txt
hashcat -a 0 -m 3200 '$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom' rockyou-4.txt
				
			

279412f945939ba78ce0758d3fd83daa

The tools showed that this hash is most likely an MD5 or MD4 hash. However, I was not able to crack it. The task hint also shows us that it is MD4 hash. So hashcat failed to crack the password because it was not in the rockyou wordlist. Then, I tried using other wordlists as well with no luck.

Brute-forcing the password would have taken too long, as it is 10 characters long. Finally, I tried https://crackstation.net/ and it was able to find the password.

Level 2

Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

This is also a SHA2-256 hash like the 3rd hash from Level 1.

				
					hashcat -a 0 -m 1400 'F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85' /usr/share/wordlists/rockyou.txt
				
			

Hash: 1DFECA0C002AE40B8619ECF94819CC1B

This is an NTLM hash. The corresponding hashcat mode is 1000.

				
					hashcat -a 0 -m 1000 '1DFECA0C002AE40B8619ECF94819CC1B' /usr/share/wordlists/rockyou.txt
				
			

Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

This was identified as a SHA-512 Crypt hash. Hashcat mode is 1800.

The cracking was progressing slowly, so I decided to filter out the 6 character long passwords from rockyou.txt.

				
					grep '^......$' /usr/share/wordlists/rockyou.txt > rockyou-6.txt
hashcat -a 0 -m 1800 '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' rockyou-6.txt
				
			

Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6

The tools identified this hash as SHA-1. However, it is a salted hash. So the hash mode 100 that is for raw SHA-1 hashes is not working in this case.

I searched in hashcat help for hash modes that can be used for salted SHA-1 hash.

Hashcat modes for salted SHA-1 hash

I also did some research, and found that the salt has to be specified after the hash, separated by a colon.

Then, I went through the above list of modes. What ended up working was mode 160.

The final command I used to crack this hash:

				
					hashcat -a 0 -m 160 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' /usr/share/wordlists/rockyou.txt
				
			

Summary

I decided to use hashcat to crack the hashes. I was able to crack 8 out of 9 passwords using the rockyou wordlist.
There was an MD4 hash that I could not crack with hashcat, because the password to be found was not in the wordlists that I tried. So I used the CrackStation website to solve that question.

For the last hash the salt had to be given as well. But after finding the right syntax, the cracking was just as easy as the previous ones.

Table of Contents

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

Related posts

0
Would love your thoughts, please comment.x
()
x