Tuesday, July 29, 2025

HashCrack Challenge Writeup

 


Challenge Overview

Challenge Name: hashcrack
Difficulty: Beginner/Intermediate
Category: Cryptography

Description:
A company stored a secret message on a server which got breached due to the admin using weakly hashed passwords. Can you gain access to the secret stored within the server?

Initial Analysis

When I first accessed the challenge, I was greeted with:

Welcome!! Looking For the Secret?
We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38

The first step in any hash cracking challenge is to identify what type of hash we're dealing with. Looking at this hash:

  • Length: 32 hexadecimal characters
  • Format: All lowercase hex digits (0-9, a-f)
  • Algorithm: MD5 (based on the 32-character length)

Stage 1: Cracking the MD5 Hash

Since the challenge description mentioned "weakly hashed passwords," I knew this was likely a common password that could be found in hash databases.

I used CrackStation.net to look up the hash 482c811da5d5b4bc6d497ffa98491e38.

The result showed that the password was: password123

Enter the password for identified hash: password123
Correct! You've cracked the MD5 hash with no secret found!

Great! One down, but no flag yet.

Stage 2: The SHA-1 Challenge

The challenge then presented me with a second hash:

Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3

Hash analysis:

  • Length: 40 hexadecimal characters
  • Algorithm: SHA-1

Again, I used CrackStation.net to crack this hash.

The password was: letmein

Enter the password for the identified hash: letmein
Correct! You've cracked the SHA-1 hash with no secret found!

Still no flag, but we're making progress!

Stage 3: The Final SHA-256 Hash

The final challenge presented:

Almost there!! Crack this hash: 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745

Hash analysis:

  • Length: 64 hexadecimal characters
  • Algorithm: SHA-256

Once more, CrackStation.net came to the rescue.

The password was: qwerty098

Enter the password for the identified hash: qwerty098
Correct! You've cracked the SHA-256 hash with a secret found. 
The flag is: picoCTF{UseStr0nG_h@shEs_&PaSswDs!_36a1cf73}

Success! We found the flag!

Alternative Methods

While I used CrackStation.net for this challenge, there are several other approaches you could take:

Command Line Tools

Hashcat:

# For MD5
hashcat -m 0 -a 0 hash.txt rockyou.txt

# For SHA-1  
hashcat -m 100 -a 0 hash.txt rockyou.txt

# For SHA-256
hashcat -m 1400 -a 0 hash.txt rockyou.txt

John the Ripper:

# For MD5
john --format=raw-md5 hash.txt

# For SHA-1
john --format=raw-sha1 hash.txt

# For SHA-256  
john --format=raw-sha256 hash.txt

Other Online Tools

  • HashKiller.io
  • MD5Decrypt.net
  • OnlineHashCrack.com

Key Learnings

  1. Hash Identification: Understanding hash lengths and formats is crucial:

    • MD5: 32 hex characters
    • SHA-1: 40 hex characters
    • SHA-256: 64 hex characters

  2. Weak Passwords: All three passwords (password123, letmein, qwerty098) were common, weak passwords that appear in most password dictionaries.

  3. Progressive Difficulty: The challenge used progressively stronger hash algorithms (MD5 → SHA-1 → SHA-256), but all were crackable due to weak password choices.

  4. Multiple Stages: Sometimes CTF challenges require multiple steps before revealing the final flag.

Flag

picoCTF{UseStr0nG_h@shEs_&PaSswDs!_36a1cf73}

Conclusion

This challenge was an excellent introduction to hash identification and cracking. The key takeaway from the flag itself - "UseStr0nG_h@shEs_&PaSswDs!" - emphasizes the importance of using strong hashing algorithms combined with strong passwords. Even SHA-256, while cryptographically secure, offers little protection when the password it hashes is weak and dictionary-based, because an attacker can simply hash the dictionary and compare.

The challenge effectively demonstrated why organizations should:

  • Use strong, complex passwords
  • Implement proper password policies
  • Use appropriate hashing algorithms with salt
  • Never rely on hash algorithm strength alone if passwords are weak
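
To make the points above concrete, here is an added example (not code from the challenge or the original writeup) that audits stored digests the way the lookups above worked, then stores the same password with a salted, slow function for contrast. The function names, the constructed wordlist, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hex digest length -> candidate algorithms. Length is only a hint: other
# algorithms (for example MD4/NTLM at 32 hex chars) share these lengths,
# so this mapping is an assumption that matches the three stages above.
CANDIDATES_BY_LENGTH = {32: ["md5"], 40: ["sha1"], 64: ["sha256"]}


def audit_digest(hex_digest, wordlist):
    """Return (algorithm, password) if the digest is an unsalted hash of a
    wordlist entry, else None."""
    digest = hex_digest.strip().lower()
    for algo in CANDIDATES_BY_LENGTH.get(len(digest), []):
        for word in wordlist:
            if hashlib.new(algo, word.encode()).hexdigest() == digest:
                return algo, word
    return None


def store_password(password, iterations=600_000):
    """Build a salted PBKDF2-HMAC-SHA256 record: (salt, iterations, key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_password(password, record):
    """Recompute the key with the stored salt; compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # Constructed wordlist: the three passwords from the writeup plus fillers.
    words = ["123456", "password123", "letmein", "qwerty098", "dragon"]
    for h in ("482c811da5d5b4bc6d497ffa98491e38",
              "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3",
              "916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745"):
        print(h[:8], audit_digest(h, words))
    # Same weak password stored twice: unique salts give unrelated records, so
    # a precomputed table no longer applies and each guess costs 600,000 HMACs.
    # A dictionary password is still guessable, only far more slowly.
    a, b = store_password("letmein"), store_password("letmein")
    print(a[2] != b[2], verify_password("letmein", a))
```

Run against your own credential store, any hit from `audit_digest` means that entry is both unsalted and a dictionary password.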
