Tags: exploit 

# Password Insecurities | Exploitation

## Description
It looks like DEADFACE is going after the password of one of De Monne's customers: Haily Poutress. She has since changed her password, but De Monne is looking for ways to improve password requirements. De Monne would like you to crack the password from the database leak to determine if Haily's password was secure enough. Submit the flag as flag{password}.

Use the MySQL database dump from Body Count.

Download MySQL database dump

SHA1: 5867eeb1466b31eb8d361061fddd99700fc5d739

Password: d34df4c3

## File
- - -
You can find the SQL dump in:

ctf-writeups/DEADFACE/files/database/demonne.zip

## Solution
- - -
We can load the database and get the hash for Haily by running this statement:
```sql
SELECT cpw.passwd FROM customers AS cu
INNER JOIN cust_passwd AS cpw ON cpw.cust_pass_id = cu.cust_id
WHERE cu.first_name = "Haily" AND cu.last_name = "Poutress"
```

A team member was working on SQL challenges and they gave me the hash. Thanks to [Quantix](https://github.com/cftad/cftad).

Now that we have the hash we can dump it to a file to crack it with hashcat:
```
$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.
```

We can then crack this password. Let's refer to the [hashcat wiki](https://hashcat.net/wiki/doku.php?id=example_hashes) to get the correct hash mode. The hash seems to resemble the example hashes for modes 400 and 500. After trying both, we find that 500 (md5crypt) is the correct mode. We will use the rockyou wordlist as input.

Running this command will give us the flag:
`hashcat -m 500 hailie-hash /usr/share/wordlists/rockyou.txt`

```
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.:trustno1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)
Hash.Target......: $1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.
Time.Started.....: Tue Oct 19 15:17:14 2021 (1 sec)
Time.Estimated...: Tue Oct 19 15:17:15 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19225 H/s (11.91ms) @ Accel:512 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: 123456 -> lovers1
Started: Tue Oct 19 15:17:13 2021
Stopped: Tue Oct 19 15:17:16 2021
```

## Flag
- - -
flag{trustno1}

- - -
Original writeup: https://github.com/TheArchPirate/ctf-writeups/blob/main/DEADFACE/exploitation/password-insecurities.md