Tutorial for CMIYC2024: Registering a Team and Cracking Test Hashes

Whenever a thing is done for the first time, it releases a little demon.

- Emily Dickinson

Getting Ready For Crack Me If You Can 2024

August is like New Years for me. With BSides Vegas, Defcon, and all the other hacker conferences, I find myself taking stock of the previous year, realizing all the plans I did not accomplish, and find myself setting goals for next year. One of the things I am happy about though is that I now have a password cracking framework to help me compete in this year's Crack Me If You Can competition. Like the last couple of years I plan on competing by myself on team "Reusablesec" since I think it's important to try (and probably fail) vs. just talk about password security.

I'd also like it if more other players also competed and learned from this contest. The problem is, it can be intimidating to compete in these contests, and the barrier of entry can be high. I mean, you need to figure out how to use PGP, which isn't easy! Therefore this blog entry is focused on getting you started in the competition, your team registered, and will walk you through how to crack the test hashes and how to submit them.

Note: While the test hashes will be "spoiled" in this blog entry, I WILL NOT be posting any actual contest solutions until after the competition is over.

Resources:

Official Contest Resources:

Korelogic Contest Website: [Link]
Korelogic Registration Info: [Link]
Korelogic Hash Downloads: [Link]
Korelogic Scoreboard: [Link]

Password Cracking Framework Resources:

Github Site for Code: [Link]
Previous CMIYC Tutorial (Part 1): [Link]
Previous CMIYC Tutorial (Part 2): [Link]
Previous CMIYC Tutorial (Part 3): [Link]
Previous CMIYC Tutorial (Part 4): [Link]

Using The Framework:

The rest of this tutorial is really going to focus on using the Password Cracking Framework to help automate some of the tasks in the CMIYC contest. All the Pro teams have their own frameworks, so I developed this framework to be something anyone could use. The framework is written as a Python backend for a JupyterLab Notebook. Why JupyerLabs? Well I never want to write a GUI so JupyterLabs takes care of much of the frontend for me. Also, I've found the interactive shell into my Python backend to be very helpful when playing around with data.

You can download and install the framework from the link above. The real source of truth will be the CMIYC_2024_Examples.ipynb Notebook vs. this blog entry, as I will probably be making changes and updates to throughout the contest. While I won't be posting any contest hashes, I will likely update it to handle file formats that Korelogic throws at the street teams. When you are using this Notebook, I'd recommend using the example one as a tutorial, but then creating your own Notebook to manage your cracking sessions. That way you can arrange it the way that works best for you, and if I make changes to to the tutorial/example during the contest you don't have to worry about git merge conflicts.

For the rest of this blog entry I'm largely going to be referencing the Notebook, so I'd recommend taking the time to download and install it before continuting.

Registering a Team:

Korelogic requires teams to perform all communications using PGP. For me, GNU stands for "Going to Never Use it" since the tutorials and MAN pages are often horrible. So first order of business was to automate PGP key generation, encryption, and decryption using the Python library PGPy [Link].

If you want to use a different PGP program to create a team, absolutely go ahead and do that! But in the Password Cracking Framework I created a Python class called PGPMgr that you can call through the Jupyter Notebook instead.

The first function is generate_read_pgp_private_key. This will create a new PGP key (if one does not already exit) and write it to the key_file name that you send to it. If a PGP key already exists it'll validate the key and then return it. This way you aren't creating a new key every time this is run. Feel free to skip using this function if you already have a PGP key you want to use, but even the conference organizers recommend using a contest specific PGP key to make it easier to partner with other players. Here is the output of running it in the Notebook:

My apologies that it's a screenshot vs. text, but that's why it's probably easier to use this in the framework.

To encrypt/decrypt messages I then created the PGP_Mgr class in the Framework. I figured a class would be better than having individual functions since I didn't want to have to keep passing in my private key as well as KoreLogic's public key.

While I could try to integrate this with individual e-mail services, that seems like a lot of work so PGP_Mgr will output encrypted messages to this workbook as well as save the messages to a file. It's up to you then to actually copy/paste (or attach) that message into an e-mail and send it to KoreLogic at [email protected]

Hopefully you are getting an idea about what this framework is now! I could keep copying and pasting screenshots from it, but I really recommend you just check it out instead! Even if all you use this for is just to register a team and not to crack any actual passwords, I hope this helps you out.

Cracking the Test Hashes:

For the test hashes, there are two different challenge files:

test_1_passwd.hash

Contains 5 different hashes

1 raw-md4
1 nsldaps
2 md5crypt
1 bcrypt which is worth ALL THE POINTS

test_1.zip

An encrypted zip file containing a note

Lesson 1: It looks like we will need to crack encrypted files again this year to unlock additional hashes and get tips on how to crack the tougher hashes. If you want to crack encrypted files used in past CMIYC contests, I strongly recommend this blog post: [Link]

As far as cracking those hashes, you'll want to specify the correct format when running John the Ripper and Hashcat. Rather than look that up in the help files, I made a function to display what format name/number to use is in the Framework:

The framework unfortunately doesn't crack any passwords for you. You'll need to do that yourself. Luckily if you run default attacks against the raw-md5 hash and the nsldaps hash using John the Ripper you should be able to crack them. The plaintext is:

Raw-MD5: 3-2-1

NSLDAPS: Contact

If you are a child of the late 70s and 80s you might remember that as a great PBS show teaching kids science (think of it as a nerdier Sesame Street). That seems like it might be useful information when creating a custom wordlist to target the other hashes which don't fall to "standard" password cracking attacks such as using the RockYou wordlist. For example, here is a link to the show's lyrics: [Link].

Using a wordlist created from that, I did manage to crack the zip password.

PKZip: When everything happens

Unzipping the file, we can see the following message:

-----------------------------------------------------------------------------------

Do not submit the zip passphrase, it is not worth anything.

user5's password is the sentence spoken by the synthesized voice

introducing itself in episode 101.

-----------------------------------------------------------------------------------

Lesson 2: There will probably be a "Google/Bing" section of the contest where you will need to create solve puzzles and create customized wordlists

So I wonder if we can use ChatGPT to solve this problem?

Uggg! Well I guess I don't have to worry about AI taking my job for another year. On the plus side, if this year KoreLogic makes me watch PBS science shows all weekend I really can't complaint too much. To watch the Episode 101 of 3-2-1 Contact yourself you can view it at the following [Link]. I forgot how much this show rocks!

As far as actually cracking the passphrase for the BCrypt hash, well you'll either need to solve this yourself or download and follow along in the Framework. I want to give credit to Ivan from team John_Users for actually solving this challenge I'll admit I got hung up on certain passphrase related issues while Ivan was able to power though it really quickly. While I won't be competing with team John_Users this year, I really want to wish them the best of luck and they are the Pro team I'll be rooting for!