# Password Insecurities
![Category](http://img.shields.io/badge/Category-Exploitation-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-50-brightgreen?style=for-the-badge)

## Details

>It looks like DEADFACE is going after the password of one of De Monne's customers: Haily Poutress. She has since changed her password, but De Monne is looking for ways to improve password requirements. De Monne would like you to crack the password from the database leak to determine if Haily's password was secure enough. Submit the flag as
>`flag{password}`
>
>Use the MySQL database dump from Body Count.
>
>[Download MySQL database dump](https://tinyurl.com/r2cxnfua)
>SHA1: 5867eeb1466b31eb8d361061fddd99700fc5d739
>
>Password: `d34df4c3`
---

We can use the SQL database we imported in the Body Count challenge and query it to find the information we need.

```
MariaDB [demonne]> show tables;
+-------------------+
| Tables_in_demonne |
+-------------------+
| credit_cards |
| cust_passwd |
| customers |
| employee_passwd |
| employees |
| loan_types |
| loans |
| test |
+-------------------+
8 rows in set (0.000 sec)
```

We can see here that there is a `cust_passwd` table, so let's take a closer look at that:

```
MariaDB [demonne]> describe cust_passwd;
+--------------+-------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------------+-------------+------+-----+---------+----------------+
| cust_pass_id | smallint(6) | NO | PRI | NULL | auto_increment |
| cust_id | smallint(6) | NO | MUL | NULL | |
| passwd | tinytext | NO | | NULL | |
+--------------+-------------+------+-----+---------+----------------+
```

To find the password, we first need the right customer ID.

We can get this by searching the `customers` table using the info we have been given.

```
MariaDB [demonne]> select * from customers where last_name = 'Poutress';
+---------+-----------+------------+----------------------------+---------------------+------------+-------+---------+--------+--------+------------+
| cust_id | last_name | first_name | email | street | city | state | country | postal | gender | dob |
+---------+-----------+------------+----------------------------+---------------------+------------+-------+---------+--------+--------+------------+
| 7117 | Poutress | Haily | [email protected] | 15212 Westport Hill | Ocala | FL | US | 34479 | M | 03/12/1995 |
| 9175 | Poutress | Bobby | [email protected] | 4219 Express Circle | Saint Paul | MN | US | 55166 | M | 03/15/1978 |
+---------+-----------+------------+----------------------------+---------------------+------------+-------+---------+--------+--------+------------+
2 rows in set (0.008 sec)
```

Then we use the correct `cust_id` to find the associated password:

```
MariaDB [demonne]> select * from cust_passwd where cust_id = '7117';
+--------------+---------+------------------------------------+
| cust_pass_id | cust_id | passwd |
+--------------+---------+------------------------------------+
| 7117 | 7117 | $1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq. |
+--------------+---------+------------------------------------+
1 row in set (0.015 sec)
```

Now we have the hash, we need to see what type of hash it is. To do this we can use the `hashid` tool.

```
❯ hashid '$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.'
Analyzing '$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.'
[+] MD5 Crypt
[+] Cisco-IOS(MD5)
[+] FreeBSD MD5
```

Now that we know it's likely to be an md5crypt hash, we can try to crack it using hashcat (with mode 500).

> _To identify which mode you should use you can go to [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes) to see example hashes and which mode is used for which type of hash_

So we can run `hashcat -m 500 '$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.' ./rockyou.txt`, which cracks the password as:

```
$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.:trustno1
```
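
To confirm the result independently and to see why this hash gives so little protection, here is an added example (not part of the original writeup) that re-implements md5crypt and checks the recovered password against the stored `$1$salt$digest` string. The function names `md5crypt` and `verify` are chosen for this example; the point to note is the fixed 1000 rounds of MD5, with no tunable cost factor.

```python
import hashlib
import hmac

# Alphabet used by crypt(3)-style hashes (not the standard Base64 ordering).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 1000  # fixed by the md5crypt design; there is no cost parameter


def md5crypt(password: str, salt: str) -> str:
    """Return the $1$ (md5crypt) hash string for password and salt."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    # Mix in the alternate digest, up to 16 bytes per 16 bytes of password.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # One byte per bit of the password length: NUL for 1, first char for 0.
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    # Stretching loop: only 1000 cheap MD5 calls per guess.
    for i in range(ROUNDS):
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    # Encode the 16 digest bytes in md5crypt's permuted order, 6 bits at a time.
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[(v >> shift) & 0x3F] for shift in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return "$1$" + s.decode() + "$" + "".join(out)


def verify(candidate: str, stored: str) -> bool:
    """Check a candidate password against a stored $1$salt$digest string."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("not an md5crypt hash")
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


STORED = "$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq."  # hash from the cust_passwd row above

if __name__ == "__main__":
    print(verify("trustno1", STORED))
```
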

So the flag is:

## flag{trustno1}

Original writeup (https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Exploitation/Password%20Insecurities%20(50%20Points).md).