The challenge simply provides a text file:


This is clearly the shadow file (this is where password hashes are stored on Linux machines), so all there is to do is to crack the hash.
By the hash's signature ($1$), I could determine that this is an MD5-crypt hash.
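
The same prefix check extends to the other crypt(3) identifiers. The following is an added example, not part of the original writeup: it classifies shadow entries by their `$id$` prefix and flags accounts still stored with legacy schemes such as MD5-crypt. The sample lines are constructed; only the `$1$` hash string comes from the challenge, and the function names are hypothetical.

```python
# Added example: classify shadow entries by their crypt(3) "$id$" prefix.
# id -> (scheme name, still acceptable for new password hashes?)
SCHEMES = {
    "1": ("MD5-crypt", False),       # fixed 1000 MD5 iterations, fast to guess
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),
    "y": ("yescrypt", True),
}

def classify_shadow_entry(line):
    """Return user, scheme, salt and a weak flag for one shadow line."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: " + line)
    user, field = fields[0], fields[1]
    locked = field.startswith(("!", "*"))
    hashed = field.lstrip("!*")
    entry = {"user": user, "locked": locked, "salt": None}
    if not hashed:
        # "*" or "!" alone: no password login; empty field: no password at all
        entry.update(scheme="none", weak=not locked)
    elif not hashed.startswith("$"):
        # No "$id$" prefix: traditional DES-based crypt
        entry.update(scheme="DES-crypt", weak=True)
    else:
        parts = hashed.split("$")  # ['', id, salt or params, ...]
        name, ok = SCHEMES.get(parts[1], ("unknown", False))
        if parts[1] in ("1", "5", "6") and len(parts) > 3:
            # SHA-crypt may carry "rounds=N" before the salt
            salt_idx = 3 if parts[2].startswith("rounds=") else 2
            entry["salt"] = parts[salt_idx]
        entry.update(scheme=name, weak=not ok)
    return entry

def weak_accounts(shadow_text):
    """Names of accounts whose stored hash should be moved to a modern scheme."""
    entries = [classify_shadow_entry(ln) for ln in shadow_text.splitlines() if ln.strip()]
    return [e["user"] for e in entries if e["weak"]]

# Constructed sample: only the $1$ hash string comes from the writeup;
# usernames, the second hash and the ageing fields are made up.
SAMPLE_SHADOW = """\
ctfuser:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:18590:0:99999:7:::
alice:$6$rounds=5000$examplesalt$CONSTRUCTEDPLACEHOLDERHASH:18590:0:99999:7:::
daemon:*:18590:0:99999:7:::
"""

if __name__ == "__main__":
    print("weak:", weak_accounts(SAMPLE_SHADOW))
```
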

I wrote the following Python script in order to brute force the password:

```python
from passlib.hash import md5_crypt
import time

def check_md5_crypt(passwd, h):
    # verify() reads the salt from the hash string and re-hashes the candidate
    return md5_crypt.verify(passwd, h)

HASH = "$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0"

# Get a list of the possible passwords
passwords = []
with open("../../rockyou.txt", 'r', encoding='latin-1') as passwords_file:
    for password in passwords_file:
        p = password.strip()
        passwords.append(p)

print("Starting...")
start = time.time()
for pwd in passwords:
    if check_md5_crypt(pwd, HASH):
        print("==================\n"
              f"{HASH} ===> {pwd}\n"
              "==================")
        print(f"It took {time.time() - start} seconds to crack this hash")
        break
else:
    # Runs only if the loop finished without finding a match
    print("Couldn't crack this hash. Try a better dictionary")
```

After running the script, I immediately got a hit!



$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0 ===> batman


It took 0.2066807746887207 seconds to crack this hash

flag: Trollcat{batman}