____ ___ _____ __ ____ ___ \ \/ // ____\____ ___ _______ _/ |______ \ \/ / \ /\ __\\__ \\ \/ /\__ \\ __\__ \ \ / / \ | | / __ \\ / / __ \| | / __ \_/ \ /___/\ \|__| (____ /\_/ (____ /__| (____ /___/\ \ \_/ \/ \/ \/ \_/
I stole this sensitive document that contains some really important board notes. I have a feeling I can get some serious insight on stonks here.
There are a few things I know about the person I stole it from. He likes animals, he likes to speak like he's a hacker to make himself seem cool, and he was born in 1972. I hope that helps.
Can you help me crack it? I will make sure to share some of the profits.
We are given a .docx file to download that contains the flag, but is password protected. The first thing we will
need to do is use a program called
office2john to get the hash.
This program will create a hash file that you can then use to crack the password. Once we have our hash
file, we can look at it and see that our has is for Office 2013. We will use the -m 9600
option for hashcat to signify this.
Board_Meeting_Notes.docx:$office$*2013*100000*256*16*e6e06de5805713d...
Next we will need a list of animals to use to begin to create our wordlist. A quick google search landed me on an animals.txt file available on github. Once we have this list we need to convert the animal names to "hacker speak." John the ripper has a l33t rule list that will convert for you, but I decided to take a different approach.
Another quick google search led me to github and the permuteWordlist.py
program. It
did not convert the words quite the way I wanted to, but it took me only a few minutes to add in the
rules that I wanted and to remove the ones I didn't need. I also modified the program to make sure all
the passwords that it output were in lowercase.
# coding=utf-8
import argparse
leetDict = {
'i': ['i', '1'],
'l': ['l', '1',],
'o': ['o', '0'],
'a': ['a', '4'],
'e': ['e', '3'],
's': ['s', '5'],
't': ['t', '7']
}
def permute(dictWord):
if len(dictWord) > 0:
currentLetter = dictWord[0].lower()
restOfWord = dictWord[1:]
if currentLetter in leetDict:
substitutions = leetDict[currentLetter] + [currentLetter]
else:
substitutions = [currentLetter]
if len(restOfWord) > 0:
perms = [s + p for s in substitutions for p in permute(restOfWord)]
else:
perms = substitutions
return perms
parser = argparse.ArgumentParser(description='Permutate words of a wordlist.')
parser.add_argument('input_file', help='an input wordlist')
parser.add_argument('output_file', help='an output file for permuted wordlist')
args = parser.parse_args()
bplf = open(args.input_file, 'r')
profaneWords = bplf.read().splitlines()
bplf.close()
pplf = open(args.output_file, "w")
print 'Working...'
for profaneWord in profaneWords:
pplf.writelines([p + '\n' for p in permute(profaneWord)])
pplf.close()
print 'Done.'
This gave me a very large list of passwords to try, and said it would take several hours to go
through all of them. I decided to try sort
and uniq
to see if there were any
duplicates and to remove them. This took the list down signifigantly, to where it would only
take around 6 minutes to go through.
The last thing we have to do is append 1972 onto the end of all of our animal names. I wasn't sure
if it would be 1972 or just 72, but now that I have a smaller list, I could at least try both if the
first one didn't work. I made a rule.lst
file with $1$9$7$2
inside to add the
dates for me. We need to specify --username
at the command line to tell hashcat to ignore
the username field in the hash.
kali@kali:~/Downloads$ hashcat -a 0 -m 9600 --username hash.txt smalllist.txt -r rule.lst
After about two minutes we come up with d0lph1n1972
as the password and are able to open the document to get our flag.
MetaCTF was a lot of fun, and probably the best CTF I have participated in to date. The challenges were just hard enough to keep me engaged, while not so hard that I became overwhelmed or gave up. I look forward to participating in more of their challenges in the future.