# Crack the Hash

{% embed url="<https://tryhackme.com/room/crackthehash>" %}

##

## Task 1: Level 1

### 48bb6e862e54f2a795ffc4e541caed4d

* Before we crack the hash we have to find its type.
* Using `hash-identifier` we can identify the possible hash type.

```
$ hash-identifier 48bb6e862e54f2a795ffc4e541caed4d        
--------------------------------------------------

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
```

* Let's save the hash to a file.

```
$ echo "48bb6e862e54f2a795ffc4e541caed4d" > hash1.txt
```

* Now we have to find the hash-mode for a MD5 hash.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FB4MMwu4Dpgo3yQjUX4XK%2F1.png?alt=media&#x26;token=a8dfc645-a464-4848-839d-53f8160e1585" alt=""><figcaption></figcaption></figure>

* We are now ready to crack the hash using `hashcat`.

```
$ hashcat -a 0 -m 0 hash1.txt /usr/share/wordlists/rockyou.txt 

48bb6e862e54f2a795ffc4e541caed4d:easy  
```

* We can also crack the hash using `john`.

```
$ john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
easy             (?)     
1g 0:00:00:00 DONE (2023-12-08 21:44) 5.000g/s 862080p/s 862080c/s 862080C/s erinbear..eagames
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 
```

### Answer

```
easy
```

###

### CBFDAC6008F9CAB4083784CBD1874F76618D2A97

* Let's identify the hash type using `hash-identifier`.

```
$ hash-identifier CBFDAC6008F9CAB4083784CBD1874F76618D2A97
--------------------------------------------------

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
```

* The mode for SHA-1 in `hashcat` is `100`.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FzxobYfI3Vo8iq2NvZVT7%2F2.png?alt=media&#x26;token=76f71b3a-f1ad-49de-a755-bab738e33293" alt=""><figcaption></figcaption></figure>

```
$ hashcat-a 0 -m 100 hash2.txt /usr/share/wordlists/rockyou.txt              

cbfdac6008f9cab4083784cbd1874f76618d2a97:password123 
```

* We can crack the hash now using the `Raw-SHA1` format for `john`.

```
$ john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 SSE2 4x])
Warning: no OpenMP support for this hash type, consider --fork=3
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (?)     
1g 0:00:00:00 DONE (2023-12-08 21:49) 7.142g/s 9885p/s 9885c/s 9885C/s liberty..password123
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed. 
```

### Answer

```
password123
```

###

### 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

* We can crack the hash using `hash-identifier`.

```
$ hash-identifier 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
--------------------------------------------------

Possible Hashs:
[+] SHA-256
[+] Haval-256
```

* Let's save it to a file.

```
$ echo "1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032" > hash3.txt
```

* The mode for SHA-256 in `hashcat` is `1400`.&#x20;

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FbN9BWSHoKpq2yCaM7hRQ%2F3.png?alt=media&#x26;token=39d18262-566b-40f5-8186-113dbd5e40fe" alt=""><figcaption></figcaption></figure>

```
$ hashcat -a 0 -m 1400 hash3.txt /usr/share/wordlists/rockyou.txt

1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032:letmein
```

* The format for `john` will be `Raw-SHA256`.

```
$ john --format=Raw-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt hash3.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 128/128 SSE2 4x])
Warning: poor OpenMP scalability for this hash type, consider --fork=3
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (?)     
1g 0:00:00:00 DONE (2023-12-08 21:53) 16.66g/s 409600p/s 409600c/s 409600C/s 123456..280789
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed. 
```

### Answer

```
letmein
```

###

### $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

* `hash-identifier` is not able to identify the type of this hash.
* We will have to use another tool called Hash Analyzer.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FVighTNJQlc7iRs8gzb3H%2F4.png?alt=media&#x26;token=884cd9c3-2873-46b2-afc6-870e702e288c" alt=""><figcaption></figcaption></figure>

* The hash-mode for Bcrypt is `3200`.
* We know that the password is four characters long, so let's filter the `rockyou.txt` file.

```
$ egrep -x '.{4}' /usr/share/wordlists/rockyou.txt > filtered.txt
```

* Our filtered list only has passwords that are 4 characters long.
* We can now use this filtered list to crack the hash.

```
$ hashcat -a 0 -m 3200 hash4.txt filtered.txt -w 4 -S

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom:bleh
```

### Answer

```
bleh
```

###

### 279412f945939ba78ce0758d3fd83daa

* Let's identify the type using Hash Analyzer.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F7NcUkLRZ3qPWIv1zySXs%2F6.png?alt=media&#x26;token=7fa4cfe6-60ae-4416-ba56-bbc99f6ad006" alt=""><figcaption></figcaption></figure>

* This time let's use CrackStation to crack the hash.&#x20;

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F8IC9n7a1nZRkGVvLqQdD%2F8.png?alt=media&#x26;token=c11fc17f-8541-4b2a-87bb-9a3d5f2111ee" alt=""><figcaption></figcaption></figure>

### Answer

```
Eternity22
```

##

## Task 2: Level 2

### Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

* Let's use `hash-identifier` to get the hash type.

```
$ hash-identifier F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
--------------------------------------------------

Possible Hashs:
[+] SHA-256
[+] Haval-256
```

* Since we know that the mode for SHA-256 is `1400`, let's just try that first.

```
$ hashcat -a 0 -m 1400 hash6.txt /usr/share/wordlists/rockyou.txt

f09edcb1fcefc6dfb23dc3505a882655ff77375ed8aa2d1c13f640fccc2d0c85:paule
```

### Answer

```
paule
```

###

### Hash: 1DFECA0C002AE40B8619ECF94819CC1B

* CrackStation gives us the password.&#x20;

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FYf8rzhxYEzd0eMi2YHdF%2F9.png?alt=media&#x26;token=084255aa-c163-4a04-bb64-09035add5f26" alt=""><figcaption></figcaption></figure>

### Answer

```
n63umy8lkf4i
```

###

### Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. Salt: aReallyHardSalt

* The `$6$` tells us that this is a SHAcrypt512 hash the mode for which is `1800`.&#x20;

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FbP9hI4GudF2RC5AKGvCU%2F10.png?alt=media&#x26;token=ba50d69a-b24d-44da-a2e0-d342659f4bac" alt=""><figcaption></figcaption></figure>

* This time we have to filter for passwords that six characters long.

```
$ egrep -x '.{6}' /usr/share/wordlists/rockyou.txt > filtered.txt
```

* Let's run `hashcat` with the correct mode.

```
$ hashcat -m 1800 hash7.txt filtered.txt -w 4 -S

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.:waka99
```

### Answer

```
waka99
```

###

### Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6 Salt: tryhackme

* Let's identify the hash using `hash-identifier`.

```
$ hash-identifier e5d8870e5bdd26602cab8dbe07a942c8669e56d6                                                                
--------------------------------------------------

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
```

* For SHA-1, the mode we will be using is `160`.

```
$ hashcat -a 0 -m 160 'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme' /usr/share/wordlists/rockyou.txt

e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme:481616481616
```

### Answer

```
481616481616
```