WargamesMY CTF 2018: Missing Word
This challenge in WargamesMY CTF 2018 requires us to crack a portion of the flag: six missing characters, consisting of upper-case and lower-case letters, denoted as XXXXXX below:
wgmy{h3r3_1s_y0ur_XXXXXX_br0!}
The SHA256 hashsum of the complete flag was given:
86775fe0718f57c5bcc3c32c198ece3e6a732406e3f32e3aa285059247da6652
Obviously it is a password-cracking challenge, so we will be using Hashcat for this task.
First, we need to generate custom wordlists. We simply used this Python Wordlist Generator script found on GitHub. (I promise I will learn later how to generate wordlists using Hashcat itself :P)
We modified the code a bit to suit the requirement.
But it seemed like it would take forever, and the output wordlist was huge. The idea then was to split the wordlist into 2 parts, generating only the last 3 characters of the first part and only the first 3 characters of the second part. We will use Hashcat combinator mode (-a 1) later.
    # first part wgmy{h3r3_1s_y0ur_XXX
    $ python3 wgen.py -chr=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -min=3 -max=3 -out=output/left.txt

    # second part XXX_br0!}
    $ python3 wgen.py -chr=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -min=3 -max=3 -out=output/right.txt
Both parts of the wordlist finished generating within a few seconds, and the total file size was less than 5 MB this time.
    $ du -h Python-Wordlist-Generator/output/*.txt
    3.0M Python-Wordlist-Generator/output/left.txt
    1.3M Python-Wordlist-Generator/output/right.txt

    $ less 100 Python-Wordlist-Generator/output/left.txt
    wgmy{h3r3_1s_y0ur_aaa
    wgmy{h3r3_1s_y0ur_aab
    wgmy{h3r3_1s_y0ur_aac
    wgmy{h3r3_1s_y0ur_aad
    wgmy{h3r3_1s_y0ur_aae
    wgmy{h3r3_1s_y0ur_aaf
    --- snip ---

    $ less 100 Python-Wordlist-Generator/output/right.txt
    aaa_br0!}
    aab_br0!}
    aac_br0!}
    aad_br0!}
    aae_br0!}
    aaf_br0!}
    --- snip ---
Let’s crack it!
Hashcat arguments:
-a 1 : combinator mode (combine both wordlists)
-m 1400 : SHA256 hash mode
missing_word.hash : the file containing the SHA256 hash
left.txt : first part of the wordlist
right.txt : second part of the wordlist
    $ hashcat -a 1 -m 1400 missing_word.hash Python-Wordlist-Generator/output/left.txt Python-Wordlist-Generator/output/right.txt
    hashcat (v4.2.1) starting...

    OpenCL Platform #1: Apple
    =========================
    * Device #1: Intel(R) Core(TM) i7-3615QM CPU @ 2.30GHz, skipped.
    * Device #2: HD Graphics 4000, 384/1536 MB allocatable, 16MCU
    * Device #3: GeForce GT 650M, 256/1024 MB allocatable, 2MCU

    Dictionary cache hit:
    * Filename..: Python-Wordlist-Generator/output/left.txt
    * Passwords.: 140608
    * Bytes.....: 3093376
    * Keyspace..: 140608

    Dictionary cache built:
    * Filename..: Python-Wordlist-Generator/output/right.txt
    * Passwords.: 140608
    * Bytes.....: 1406080
    * Keyspace..: 140608
    * Runtime...: 0 secs

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

    Applicable optimizers:
    * Zero-Byte
    * Early-Skip
    * Not-Salted
    * Not-Iterated
    * Single-Hash
    * Single-Salt
    * Raw-Hash

    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 256

    ATTENTION! Pure (unoptimized) OpenCL kernels selected.
    This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
    If you want to switch to optimized OpenCL kernels, append -O to your commandline.

    Watchdog: Temperature abort trigger disabled.

    Dictionary cache hit:
    * Filename..: Python-Wordlist-Generator/output/left.txt
    * Passwords.: 140608
    * Bytes.....: 3093376
    * Keyspace..: 19770609664

    [s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
In less than an hour (22 minutes to be exact) we managed to crack it, and we got first blood for the challenge.
Flag : wgmy{h3r3_1s_y0ur_pRiZEe_br0!}
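The split-and-combine approach above, as an added Python example that is not part of the original write-up or of the wordlist generator it used. It rebuilds the two half lists, reproduces the entry counts, file sizes and combined keyspace that Hashcat reports, and runs the same left+right search on a constructed reduced alphabet and a constructed target so that pure Python finishes quickly. All function names are assumptions of this example.

```python
import hashlib
from itertools import product
from string import ascii_lowercase, ascii_uppercase

PREFIX = "wgmy{h3r3_1s_y0ur_"  # fixed text before the missing characters
SUFFIX = "_br0!}"              # fixed text after the missing characters
FULL = ascii_lowercase + ascii_uppercase  # the 52 symbols passed to wgen.py


def half_lists(charset, n=3):
    """Left list = PREFIX + n chars; right list = n chars + SUFFIX."""
    chunks = ["".join(c) for c in product(charset, repeat=n)]
    return [PREFIX + c for c in chunks], [c + SUFFIX for c in chunks]


def stats(charset, n=3):
    """Return (entries per list, left bytes, right bytes, combined keyspace)."""
    count = len(charset) ** n
    left_bytes = count * (len(PREFIX) + n + 1)   # +1 for each newline
    right_bytes = count * (n + len(SUFFIX) + 1)
    return count, left_bytes, right_bytes, count * count


def combinator_crack(target_hex, left, right):
    """Hash every left+right concatenation, which is what -a 1 enumerates."""
    target = bytes.fromhex(target_hex)
    rights = [r.encode() for r in right]
    for l in left:
        lb = l.encode()
        for rb in rights:
            if hashlib.sha256(lb + rb).digest() == target:
                return (lb + rb).decode()
    return None


if __name__ == "__main__":
    # Matches the Passwords, Bytes and Keyspace lines in the Hashcat output.
    print(stats(FULL))
    # Constructed demo: 4-symbol alphabet and a made-up candidate, not the
    # challenge flag, so the 4096 combinations are checked instantly.
    demo_charset = "abAB"
    secret = PREFIX + "BaAbab" + SUFFIX
    digest = hashlib.sha256(secret.encode()).hexdigest()
    left, right = half_lists(demo_charset)
    print(combinator_crack(digest, left, right))
```

Two lists of 52^3 entries cover the same 52^6 candidates as one six-character list, which is why a few megabytes on disk expand to the 19770609664 keyspace shown in the last cache line.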
Update: As mentioned above, here is how we can solve this challenge using Hashcat itself.
Hashcat with GPU:
    hashcat -m1400 -a3 -1 ?l?u 86775fe0718f57c5bcc3c32c198ece3e6a732406e3f32e3aa285059247da6652 wgmy{h3r3_1s_y0ur_?1?1?1?1?1?1_br0\!} -O -w3 --gpu-temp-disable