
## Open-Source Intelligence/A Harsh Reality of Passwords (28 solves)
Created by: `Lychi`
> Recently, Iris's company had a breach. Her password's hash has been exposed. This challenge is focused on understanding Iris as a person. The flag format is irisctf{plaintextPassword}. Hash: `$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC`

Hint Given:
> Focus on Iris and what she finds important!
> There are three words (not letters, but words), and a certain amount of numbers following them.
> There are no leet words, proper capitalization, nothing like (ExAmPLE), and no special characters as well like -, ! etc.

We start with a hash (`$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC`) that is a `bcrypt $2*$, Blowfish (Unix)` hash. The `$04$` field is the bcrypt cost factor, so this hash was generated with only 2^4 key-expansion rounds, which is what makes trying a few million candidates against it practical.

We know we need to use 3 words, and some numbers following it. A few posts are of interest for our password.

Firstly, the one about her Mum.

![Mimosas](https://seall.dev/images/ctfs/irisctf2024/pb_3.png)

We can see that she calls her mother's birthday a 'very important date'; I think those are our numbers.

![Tiramisu](https://seall.dev/images/ctfs/irisctf2024/ahrop_1.png)

Here, she expresses her 'obsession' with Tiramisu; that's going on the wordlist.

![Portofino](https://seall.dev/images/ctfs/irisctf2024/ahrop_2.png)

In this post she talks about a specific place in Italy, Portofino.

She mentions in a few other posts some places she's been, things she likes, etc. In the end I construct the following list of words from her posts and the accounts she follows.

```
netherland
italy
berlin
tiramisu
czechia
mimosa
portofino
swan
swarovski
crystal
starbuck
milan
conte
ugolino
sunrise
sunset
karadenizli
maceraci
iris
stein
station
elaina
lenox
hill
hospital
food
traveling
sunny
sanfrancisco
```

I then write a Python script to generate all our combinations and the appropriate 'variants' of each word (e.g. portofino = Portofino, portofinos, Portofinos, portofino). The date at the end follows a mmddyyyy format (the organisers are mainly from the US).

We also have to consider that when people use dates in passwords they do not always write them in a perfect zero-padded format, so there are several possibilities for the number suffix.

```python
# Candidate date suffixes: Iris's mother's birthday (April 8, 1965) in
# mmddyyyy, with and without zero padding of the month and day.
numbers = ['481965', '0481965', '04081965', '4081965']

c = 0
with open('wordlistfinal.txt', 'w') as ff:
    with open('words.txt', 'r') as f:
        # Strip the trailing newline from each base word as we read it.
        data = [line.rstrip('\n') for line in f]
    # Build the capitalisation/plural variants of every base word.
    newdata = []
    for x in data:
        newdata.append(x.title())
        newdata.append(x.title() + 's')
        newdata.append(x + 's')
        newdata.append(x)
    data = newdata
    # Every ordered triple of variants, followed by each date candidate.
    for x in data:
        for y in data:
            for z in data:
                for n in numbers:
                    pw = x + y + z + n
                    ff.write(pw + '\n')
                    c += 1
print(f'Found {c} new passwords.')
```

```
$ python3 wordgen.py
Found 6243584 new passwords.
```
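The generator above hard-codes the four date spellings and relies on nested loops. As an added example (not part of the original writeup), the following script generalises the same idea: it derives the padded/unpadded date spellings from a `date` object for any field order, builds the word variants as a deduplicated set (so a word like `iris`, whose `.title()` form is a distinct variant, is not counted twice if it also appears capitalised), and reports the size of the resulting keyspace before anything is written. The base word list here is a constructed subset of the one in the writeup, and the function names are my own.

```python
import itertools
from datetime import date

# Constructed sample: a subset of the base words collected in the writeup.
BASE_WORDS = ["portofino", "italy", "tiramisu", "mimosa", "berlin"]


def word_variants(word):
    """The four spellings the writeup enumerates: lower/Title, with/without 's'."""
    w = word.strip().lower()
    return sorted({w, w + "s", w.title(), w.title() + "s"})


def date_variants(d, order="mdy"):
    """Zero-padded and unpadded spellings of a date in the given field order.

    order is a string over 'm', 'd', 'y'; the year is always written in full.
    For 8 April 1965 in 'mdy' order this yields exactly the four suffixes the
    writeup tried by hand: 04081965, 0481965, 4081965, 481965.
    """
    fields = {"m": (d.month, 2), "d": (d.day, 2), "y": (d.year, 4)}
    out = set()
    for pad_m, pad_d in itertools.product((True, False), repeat=2):
        padding = {"m": pad_m, "d": pad_d, "y": True}
        parts = []
        for f in order:
            val, width = fields[f]
            parts.append(str(val).zfill(width) if padding[f] else str(val))
        out.add("".join(parts))
    return sorted(out)


def all_variants(words):
    """Deduplicated set of every spelling of every base word."""
    return sorted({v for w in words for v in word_variants(w)})


def keyspace_size(words, dates, n_words=3):
    """Number of candidates the generator below will emit."""
    return len(all_variants(words)) ** n_words * len(dates)


def candidates(words, dates, n_words=3):
    """Yield every ordered n_words-tuple of variants followed by each date spelling."""
    variants = all_variants(words)
    for combo in itertools.product(variants, repeat=n_words):
        for suffix in dates:
            yield "".join(combo) + suffix


def write_wordlist(path, words, dates, n_words=3):
    """Write the candidate list in the one-per-line form hashcat expects; return the count."""
    count = 0
    with open(path, "w") as fh:
        for pw in candidates(words, dates, n_words):
            fh.write(pw + "\n")
            count += 1
    return count


if __name__ == "__main__":
    birthday = date(1965, 4, 8)  # the 'very important date' from the posts
    dates = date_variants(birthday)
    print("date spellings:", dates)
    print("keyspace:", keyspace_size(BASE_WORDS, dates))
    print("written:", write_wordlist("candidates.txt", BASE_WORDS, dates))
```

With the full 30-word list the keyspace is 120^3 * 4 = 6,912,000 lines, which is the scale a low bcrypt cost factor leaves within reach; the output file feeds `hashcat -m 3200` exactly as in the writeup.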

Now we wait and crack with hashcat until we get a hit!

```
$ hashcat -m 3200 hash wordlist.txt
...
$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC:PortofinoItalyTiramisu0481965
```

There's our password, and therefore our flag! `irisctf{PortofinoItalyTiramisu0481965}`

**Files:** None provided :(

Original writeup (https://seall.dev/posts/irisctf2024/#open-source-intelligencea-harsh-reality-of-passwords-28-solves).