
Hashcat

Difficulty:
Direct link: https://hhc23-wetty.holidayhackchallenge.com?&challenge=hashcat

Objective

Request

Eve Snowshoes is trying to recover a password. Head to the Island of Misfit Toys and take a crack at it!

Eve Snowshoes

I'm Eve Snowshoes, resident tech hobbyist, and I hear Alabaster is in quite the predicament.
Our dear Alabaster forgot his password. He's been racking his jingle bells of memory with no luck.
I've been trying to handle this password recovery thing parallel to this hashcat business myself but it seems like I am missing some tricks.
So, what do you say, chief, ready to get your hands on some hashcat action and help a distraught elf out?

Hints

Solution

This terminal challenge presents us with a poem and a quest:

Poem
In a realm of bytes and digital cheer,  
The festive season brings a challenge near.  
Santa's code has twists that may enthrall,  
It's up to you to decode them all.

Hidden deep in the snow is a kerberos token,  
Its type and form, in whispers, spoken.  
From reindeers' leaps to the elfish toast,  
Might the secret be in an ASREP roast?

`hashcat`, your reindeer, so spry and true,  
Will leap through hashes, bringing answers to you.  
But heed this advice to temper your pace,  
`-w 1 -u 1 --kernel-accel 1 --kernel-loops 1`, just in case.

For within this quest, speed isn't the key,  
Patience and thought will set the answers free.  
So include these flags, let your command be slow,  
And watch as the right solutions begin to show.

For hints on the hash, when you feel quite adrift,  
This festive link, your spirits, will lift:  
https://hashcat.net/wiki/doku.php?id=example_hashes

And when in doubt of `hashcat`'s might,  
The CLI docs will guide you right:  
https://hashcat.net/wiki/doku.php?id=hashcat

Once you've cracked it, with joy and glee so raw,  
Run /bin/runtoanswer, without a flaw.  
Submit the password for Alabaster Snowball,  
Only then can you claim the prize, the best of all.

So light up your terminal, with commands so grand,  
Crack the code, with `hashcat` in hand!  
Merry Cracking to each, by the pixelated moon's light,  
May your hashes be merry, and your codes so right!

Quest

Determine the hash type in hash.txt and perform a wordlist cracking attempt to find which password is correct and submit it to /bin/runtoanswer

"cat hash.txt" shows the content:

$krb5asrep$23$alabaster_snowball@XMAS.LOCAL:22865a2bceeaa73227ea4021879eda02$8f07417379e610e2dcb0621462fec3675bb5a850aba31837d541e50c622dc5faee60e48e019256e466d29b4d8c43cbf5bf7264b12c21737499cfcb73d95a903005a6ab6d9689ddd2772b908fc0d0aef43bb34db66af1dddb55b64937d3c7d7e93a91a7f303fef96e17d7f5479bae25c0183e74822ac652e92a56d0251bb5d975c2f2b63f4458526824f2c3dc1f1fcbacb2f6e52022ba6e6b401660b43b5070409cac0cc6223a2bf1b4b415574d7132f2607e12075f7cd2f8674c33e40d8ed55628f1c3eb08dbb8845b0f3bae708784c805b9a3f4b78ddf6830ad0e9eafb07980d7f2e270d8dd1966elf@a67a1099c7e7:~$

The hashcat wiki identifies the beginning of the hash, "$krb5asrep$23", as type 18200, "Kerberos 5, etype 23, AS-REP".

Furthermore, a file "password_list.txt" gives us 143 possible password patterns.

We start hashcat:

   hashcat -m 18200 -w 1 -u 1 --kernel-accel 1 --force hash.txt password_list.txt

and within seconds receive an answer:

   $krb5asrep$23$alabaster_snowball@XMAS.LOCAL:22865a2bceeaa73227ea4021879eda02$8f07417379e610e2dcb0621462fec3675bb5a850aba31837d541e50c622dc5faee60e48e019256e466d29b4d8c43cbf5bf7264b12c21737499cfcb73d95a903005a6ab6d9689ddd2772b908fc0d0aef43bb34db66af1dddb55b64937d3c7d7e93a91a7f303fef96e17d7f5479bae25c0183e74822ac652e92a56d0251bb5d975c2f2b63f4458526824f2c3dc1f1fcbacb2f6e52022ba6e6b401660b43b5070409cac0cc6223a2bf1b4b415574d7132f2607e12075f7cd2f8674c33e40d8ed55628f1c3eb08dbb8845b0f3bae708784c805b9a3f4b78ddf6830ad0e9eafb07980d7f2e270d8dd1966:IluvC4ndyC4nes!

   Session..........: hashcat
   Status...........: Cracked
   Hash.Type........: Kerberos 5 AS-REP etype 23
   Hash.Target......: $krb5asrep$23$alabaster_snowball@XMAS.LOCAL:22865a2...dd1966
   Time.Started.....: Sun Dec 10 18:10:31 2023 (0 secs)
   Time.Estimated...: Sun Dec 10 18:10:31 2023 (0 secs)
   Guess.Base.......: File (password_list.txt)
   Guess.Queue......: 1/1 (100.00%)
   Speed.#1.........:     1049 H/s (1.53ms) @ Accel:1 Loops:1 Thr:64 Vec:16
   Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
   Progress.........: 144/144 (100.00%)
   Rejected.........: 0/144 (0.00%)
   Restore.Point....: 0/144 (0.00%)
   Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-0
   Candidates.#1....: 1LuvCandyC4n3s!2022 -> iLuvC4ndyC4n3s!23!

   Started: Sun Dec 10 18:10:27 2023
   Stopped: Sun Dec 10 18:10:32 2023

The hash has been cracked; the password is in the line "Candidates.#1": iLuvC4ndyC4n3s!23! This has been derived from "1LuvCandyC4n3s!2022", a pattern in "password_list.txt".

Checking the answer:

   elf@3d3dd3c6db4b:~$ runtoanswer IluvC4ndyC4nes!
   Your answer: IluvC4ndyC4nes!

   Checking....
   Your answer is correct!
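
As an added example, not part of the original write-up or of hashcat: Python that splits a `$krb5asrep$` line into its fields, maps etype 23 to mode 18200 as identified above, and reads the recovered password from hashcat's `<hash>:<plaintext>` result line. The sample hash is constructed, and `parse_asrep` and `recovered_plaintext` are hypothetical helper names.

```python
import re

# Layout of the line in hash.txt on this page:
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum, 32 hex>$<encrypted part, hex>
ASREP_RE = re.compile(
    r"\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:$]+)@(?P<realm>[^:$]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>(?:[0-9a-fA-F]{2})+)"
)
# Only the mode identified on this page is mapped.
HASHCAT_MODES = {23: 18200}  # "Kerberos 5, etype 23, AS-REP"
HEX_PLAIN_RE = re.compile(r"\$HEX\[((?:[0-9a-fA-F]{2})*)\]")

# Constructed sample: same layout as hash.txt, made-up hex values.
SAMPLE_HASH = ("$krb5asrep$23$alabaster_snowball@XMAS.LOCAL:"
               + "0f" * 16 + "$" + "ab" * 40)


def parse_asrep(line):
    """Split an AS-REP hash line into fields; ValueError if malformed."""
    m = ASREP_RE.fullmatch(line.strip())
    if m is None:
        # Also catches text fused onto the hash, such as a shell prompt
        # printed right after a file that has no trailing newline.
        raise ValueError("not a clean $krb5asrep$ hash line")
    etype = int(m["etype"])
    return {"etype": etype, "user": m["user"], "realm": m["realm"],
            "checksum": m["checksum"], "edata_bytes": len(m["edata"]) // 2,
            "hashcat_mode": HASHCAT_MODES.get(etype)}


def recovered_plaintext(hash_line, result_line):
    """Return the password from a '<hash>:<plaintext>' result line, else None.

    The hash contains ':' itself and the password may too, so the known hash
    is stripped as a prefix instead of splitting on ':'.
    """
    prefix = hash_line.strip() + ":"
    if not result_line.startswith(prefix):
        return None  # status lines (Session, Candidates.#1, ...) land here
    plain = result_line[len(prefix):].rstrip("\r\n")
    m = HEX_PLAIN_RE.fullmatch(plain)  # hashcat's $HEX[...] output encoding
    return bytes.fromhex(m[1]).decode("utf-8", "replace") if m else plain


if __name__ == "__main__":
    print(parse_asrep(SAMPLE_HASH))
    print(recovered_plaintext(SAMPLE_HASH, SAMPLE_HASH + ":IluvC4ndyC4nes!"))
```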

Answer

IluvC4ndyC4nes

Response

Eve Snowshoes

Aha! Success! Alabaster will undoubtedly be grateful for our assistance.
Onward to our next adventure, comrade! Feel free to explore this whimsical world of gears and steam!