____  ___ _____                     __         ____  ___
\   \/  // ____\____ ___  _______ _/  |______  \   \/  /
 \     /\   __\\__  \\  \/ /\__  \\   __\__  \  \     / 
 /     \ |  |   / __ \\   /  / __ \|  |  / __ \_/     \ 
/___/\  \|__|  (____  /\_/  (____  /__| (____  /___/\  \
      \_/           \/           \/          \/      \_/

home :: mail :: twitter

---===/// MetaCTF - Board Meeting Gone Wrong ///===---

I stole this sensitive document that contains some really important board notes. I have a feeling I can get some serious insight on stonks here.

There are a few things I know about the person I stole it from. He likes animals, he likes to speak like he's a hacker to make himself seem cool, and he was born in 1972. I hope that helps.

Can you help me crack it? I will make sure to share some of the profits.


We are given a .docx file to download that contains the flag, but is password protected. The first thing we will need to do is use a program called office2john to get the hash. This program will create a hash file that you can then use to crack the password. Once we have our hash file, we can look at it and see that our has is for Office 2013. We will use the -m 9600 option for hashcat to signify this.

Board_Meeting_Notes.docx:$office$*2013*100000*256*16*e6e06de5805713d...

Next we will need a list of animals to use to begin to create our wordlist. A quick google search landed me on an animals.txt file available on github. Once we have this list we need to convert the animal names to "hacker speak." John the ripper has a l33t rule list that will convert for you, but I decided to take a different approach.

Another quick google search led me to github and the permuteWordlist.py program. It did not convert the words quite the way I wanted to, but it took me only a few minutes to add in the rules that I wanted and to remove the ones I didn't need. I also modified the program to make sure all the passwords that it output were in lowercase.

# coding=utf-8

import argparse

leetDict = {
  'i': ['i', '1'],
  'l': ['l', '1',],
  'o': ['o', '0'],
  'a': ['a', '4'],
  'e': ['e', '3'],
  's': ['s', '5'],
  't': ['t', '7']
}

def permute(dictWord):
  if len(dictWord) > 0:
    currentLetter = dictWord[0].lower()
    restOfWord = dictWord[1:]

    if currentLetter in leetDict:
        substitutions = leetDict[currentLetter] + [currentLetter]
    else:
        substitutions = [currentLetter]

    if len(restOfWord) > 0:
      perms = [s + p for s in substitutions for p in permute(restOfWord)]
    else:
      perms = substitutions
    return perms

parser = argparse.ArgumentParser(description='Permutate words of a wordlist.')                                                                                                                     
parser.add_argument('input_file', help='an input wordlist')                                                                                                                                        
parser.add_argument('output_file', help='an output file for permuted wordlist')                                                                                                                    

args = parser.parse_args()

bplf = open(args.input_file, 'r')
profaneWords = bplf.read().splitlines()
bplf.close()

pplf = open(args.output_file, "w")

print 'Working...'

for profaneWord in profaneWords:
  pplf.writelines([p + '\n' for p in permute(profaneWord)])

pplf.close()

print 'Done.'

This gave me a very large list of passwords to try, and said it would take several hours to go through all of them. I decided to try sort and uniq to see if there were any duplicates and to remove them. This took the list down signifigantly, to where it would only take around 6 minutes to go through.

The last thing we have to do is append 1972 onto the end of all of our animal names. I wasn't sure if it would be 1972 or just 72, but now that I have a smaller list, I could at least try both if the first one didn't work. I made a rule.lst file with $1$9$7$2 inside to add the dates for me. We need to specify --username at the command line to tell hashcat to ignore the username field in the hash.

kali@kali:~/Downloads$ hashcat -a 0 -m 9600 --username hash.txt smalllist.txt -r rule.lst

After about two minutes we come up with d0lph1n1972 as the password and are able to open the document to get our flag.

MetaCTF was a lot of fun, and probably the best CTF I have participated in to date. The challenges were just hard enough to keep me engaged, while not so hard that I became overwhelmed or gave up. I look forward to participating in more of their challenges in the future.