Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Post by cyberdrain on Sun Feb 01, 2015 8:15 pm

IJustNeedANick wrote: And the hash in this mission has the format as follows: myName:$1$TuALdnrn$4UejZU8GfgJZArid43J7X/

Look up the different types of hashes that can be created by the UNIX function you named. While you were correct that only those hashes are allowed, it can generate a few more.
Free your mind / Think clearly

Post by IJustNeedANick on Mon Feb 02, 2015 2:38 pm

Could you please explain to me how that .htpasswd file can exist in real life?

Here's my guess:

1. Password record is generated by htpasswd utility as follows:
Code:
htpasswd -nbd username password

1a. "-d" key is specified, so htpasswd is using crypt() function available in OS.

1b. crypt() function takes two arguments: password and salt. Default encryption mode is DES, not MD5. Modern versions of crypt() support additional algorithms including MD5. To use any algorithm different from DES, corresponding number must be passed as a part of the salt parameter, e.g.
Code:
crypt("password", "$1$salt")

1c. Salt used in MD5 algorithm can be of any length, but only its first 8 bytes (symbols) are used. If specified salt is shorter than 8 symbols, dot symbols ('.') are used to fill salt up to 8 symbols.

1d. crypt() function is called by htpasswd utility. Function returns hash in the following format:
Code:
$1$TuALdnrn$4UejZU8GfgJZArid43J7X/

1e. htpasswd utility takes this hash and appends it to the username, resulting in combination of username, algorithm signature, salt and hash:
Code:
username:$1$TuALdnrn$4UejZU8GfgJZArid43J7X/

1f. This string goes to the Apache .htpasswd file.


2. When verifying a user's credentials, Apache:

2a. Reads the string from .htpasswd file.

2b. Parses this string, identifying hash type by "$1$" signature;

2c. Calls system crypt() function with password provided by user and salt provided by .htpasswd file.

2d. Compares the result and permits/denies access depending on result.

-------------------------
Am I right, or are there errors in my explanation?
I just can't understand step 1d. As I suppose after reading Apache documentation, htpasswd should call crypt() with default parameters, without "$1" substring in salt, so that type of hash cannot be generated by htpasswd.
And if it is generated by some other tool, then I can't understand how Apache knows what type of hash it is dealing with. Or it just has a couple of signatures to match .htpasswd file contents with?
Last edited by IJustNeedANick on Mon Feb 02, 2015 2:42 pm, edited 3 times in total.

Post by Ayr3s on Mon Feb 02, 2015 2:40 pm

I cracked the hash with JTR but I also left hashcat bruteforcing it to see how that would go:
It did crack the hash, but it took about 3,5 hours with 2 threads. And that was using the correct charset (not all ASCII) and knowing the correct length of the password. Bottom line, bruteforcing is not the way to go for this mission, dictionary attack with JTR takes about 4 seconds :mrgreen:

Post by cyberdrain on Mon Feb 02, 2015 5:36 pm

IJustNeedANick wrote: Could you please explain to me how that .htpasswd file can exist in real life?

...

And if it is generated by some other tool, then I can't understand how Apache knows what type of hash it is dealing with. Or it just has a couple of signatures to match .htpasswd file contents with?

IJustNeedANick wrote: Can someone tell me if Apache can use and "understand" that type of hashes?

I guess I was a bit short on answering here. I meant that the hashes in the .htpasswd file can be created by crypt() outside of those provided by htpasswd (the program). Apache falls back on the crypt() function if it is available (as is the case in Linux) and thereby uses the salt and password parameters given in the file with that function. So while htpasswd (the program) cannot generate the file you found, the .htpasswd file generated using other means can exist and works with Apache. Here's a reference as an example. I hope I cleared that up for you. :)
Free your mind / Think clearly
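
Added example, not part of the post above or of Apache's code: a small Python classifier showing how the scheme of an .htpasswd record can be told from its prefix, which is the "signatures" question raised in this exchange. The function names, the `legacy` flag and every sample record except the one quoted in the thread are assumptions of this example; the prefix tables follow Apache's documented password formats and the `$id$` values of glibc crypt().

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    user: str
    scheme: str
    checked_by: str  # code path that interprets the field
    salt: str
    legacy: bool     # this example's own labelling, not Apache's

# Prefixes Apache/APR recognises itself before falling back to crypt().
APR = {"$2y$": ("bcrypt", False), "$apr1$": ("apr1-md5", True),
       "{SHA}": ("sha1-unsalted", True)}
# "$id$" values understood by glibc crypt(); other libcs may differ.
CRYPT_IDS = {"1": ("md5-crypt", True), "5": ("sha256-crypt", False),
             "6": ("sha512-crypt", False)}

def modular_salt(field: str) -> str:
    """Return the salt from a $id$[rounds=N$]salt$digest string."""
    parts = field.split("$")
    idx = 3 if len(parts) > 3 and parts[2].startswith("rounds=") else 2
    return parts[idx] if len(parts) > idx else ""

def classify(line: str) -> Entry:
    user, _, field = line.strip().partition(":")
    for prefix, (name, legacy) in APR.items():
        if field.startswith(prefix):
            salt = modular_salt(field) if prefix == "$apr1$" else ""
            return Entry(user, name, "apr", salt, legacy)
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m and m.group(1) in CRYPT_IDS:
        name, legacy = CRYPT_IDS[m.group(1)]
        return Entry(user, name, "crypt()", modular_salt(field), legacy)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # 2-char salt + 11-char DES digest
        return Entry(user, "des-crypt", "crypt()", field[:2], True)
    return Entry(user, "unrecognised", "crypt()", "", True)

SAMPLE = [  # first record is the one quoted in this thread; the rest are constructed
    "myName:$1$TuALdnrn$4UejZU8GfgJZArid43J7X/",
    "alice:$apr1$abcdefgh$" + "A" * 22,
    "bob:{SHA}" + "A" * 27 + "=",
    "carol:$6$rounds=5000$saltsalt$" + "A" * 86,
    "dave:ab" + "A" * 11,
]

def audit(lines):
    """Records whose scheme this example labels as legacy."""
    return [e for e in map(classify, lines) if e.legacy]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
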

Post by IJustNeedANick on Tue Feb 03, 2015 11:15 am

cyberdrain wrote: I hope I cleared that up for you. :)


Absolutely.
Thank you very much for explaining this to me!

Post by bobdabiulder on Sat Apr 18, 2015 12:46 pm

I found the admin directory, now I need to bypass the popup... Or use the showimage.php to view the .h******s file, though I can't get it to show. Do I use blahblahblah.com/stuff/stuff/showimages.php?file=.h******s?

Post by molanDankil on Sat May 16, 2015 2:08 am

I must have beaten my head against the keyboard for hours on this one... the past few days I've been stumped but I FINALLY have the hash!!!!

Got it saved so I can crack it later :)

Like watching a Frisbee, perplexed as it glided through the air... then it hit me... :shock:

For those at the showimage.php?=file spot... you are close... reach your tongue out and taste the hash...
"Intelligence is the ability to adapt to change..." --Professor Stephen Hawking

Post by CTPAHHuK on Sat Jul 25, 2015 10:03 am

Nice challenge!

Post by hendo001 on Sat Jul 25, 2015 10:12 am

Hey guys,

Thank you for a great and informative website.


Managed to do this yay!

Post by Greydon on Sun Aug 09, 2015 9:42 am

Why do you all have problems with decrypting? I used John the Ripper and it was cracked in literally 0:00 time with just one single guess....