HITCON 2014 CTF WriteUp: G8LA; Forensics 150 (Cloud Hash Cracking with JohnTheRipper)

This post kills two birds with one stone: it shows how to add GPU-based JohnTheRipper support to the EC2 cracker we built in the last post, and it gives a practical example of password cracking using a recent CTF challenge. Let's dive right into the challenge!

The challenge requires recovering the password of user FLAG and submitting it in the format "HITCON{md5($password).lower}". We are given a pcap containing some interesting traffic, most notably what looks like an nmap oracle-brute-stealth scan, which teases out session keys and salts for users. The Oracle O5Logon protocol also contains the weakness that allows the password to be cracked offline by brute-forcing candidate passwords against the captured session key. Our job is to extract FLAG's session key and salt, and then crack the password.

We open the pcap in Wireshark, filter for "frame contains FLAG" and hit enter. There is only a single packet containing this information, so we right-click it and choose 'Follow TCP Stream', and then in this stream we search for the text "FLAG" again. The information we want is below:

To crack the password, we look to the John 1.8.0 Jumbo-1 patch, which has both O5Logon support and CUDA GPU support! Pull the repo down with git, and then set it up with a quick:
./configure && make -s

We just need to make sure our session key and salt are in the right format:
FLAG:$o5logon$A10D52C1A432B61834F4B0D9592F55BD0DA2B440AEEE1858515A646683240D24A61F0C9366C63E93D629292B7891F44A*878C0B92D61A594F2680

Then we start cracking:
./john --format=o5logon ~/hashes/o5logon.txt

A little bit later, and voilà, we get our password:
m3o3rt (FLAG)

This password turns into the flag format:
HITCON{3b7882d40eb8640b58c1af70707b40a4}
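The three manual steps above (pulling the two hex fields out of the followed TCP stream, writing them in the o5logon line John expects, and turning the cracked password into the flag string) as one added script. This is example code for this write-up, not code from the challenge or from John the Ripper. It assumes what John's o5logon format takes: the server's AUTH_SESSKEY (48 bytes, 96 hex digits) and AUTH_VFR_DATA salt (10 bytes, 20 hex digits) from the O5Logon response, joined as `user:$o5logon$<sesskey>*<salt>`. SAMPLE_STREAM is a constructed stand-in for the "Follow TCP Stream" text, with dots in place of the non-printable TNS bytes; the two hex values in it are the ones shown above.

```python
"""Turn an O5Logon capture into a John the Ripper hash line and a CTF flag.

Added example for this write-up; not code from the challenge or from John.
"""
import hashlib
import re

# Constructed sample of what Wireshark's "Follow TCP Stream" shows for the
# server half of an O5Logon exchange. The hex values are the ones from the
# write-up; the dots stand in for non-printable TNS bytes around each field.
SAMPLE_STREAM = (
    "........AUTH_SESSKEY....."
    "A10D52C1A432B61834F4B0D9592F55BD0DA2B440AEEE1858515A646683240D24"
    "A61F0C9366C63E93D629292B7891F44A"
    "....AUTH_VFR_DATA....878C0B92D61A594F2680"
    "....AUTH_GLOBALLY_UNIQUE_DBID....\n"
)

# Field sizes John's o5logon format expects: a 48-byte AUTH_SESSKEY
# (96 hex digits) and a 10-byte AUTH_VFR_DATA salt (20 hex digits).
SESSKEY_HEX_LEN = 96
SALT_HEX_LEN = 20


def _hex_after(keyword, stream, length):
    """Return the first run of exactly `length` uppercase hex digits that
    follows `keyword` in the stream, or None if there is no such run.

    The lookbehind/lookahead insist on an exact-length run so that a hex-
    looking byte of surrounding binary cannot be glued onto the value."""
    pattern = re.compile(
        re.escape(keyword)
        + (r".*?(?<![0-9A-F])([0-9A-F]{%d})(?![0-9A-F])" % length),
        re.DOTALL,
    )
    match = pattern.search(stream)
    return match.group(1) if match else None


def john_o5logon_line(stream, user):
    """Build the `user:$o5logon$<sesskey>*<salt>` line for John's hash file.

    In an O5Logon exchange the server's AUTH_SESSKEY/AUTH_VFR_DATA response
    precedes the client's reply, so the first matches are the ones John needs."""
    sesskey = _hex_after("AUTH_SESSKEY", stream, SESSKEY_HEX_LEN)
    salt = _hex_after("AUTH_VFR_DATA", stream, SALT_HEX_LEN)
    if sesskey is None or salt is None:
        raise ValueError("stream has no complete O5Logon server response")
    return f"{user}:$o5logon${sesskey}*{salt}"


def parse_john_cracked(line):
    """Parse one `password (user)` line as John prints it -> (user, password)."""
    match = re.fullmatch(r"(.*) \(([^()]*)\)", line.strip())
    if not match:
        raise ValueError(f"not a John result line: {line!r}")
    return match.group(2), match.group(1)


def flag_from_password(password):
    """Apply the challenge's stated format, HITCON{md5($password).lower}."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()  # already lowercase
    return f"HITCON{{{digest}}}"


if __name__ == "__main__":
    hash_line = john_o5logon_line(SAMPLE_STREAM, "FLAG")
    print("hash file line:", hash_line)
    # Constructed John output line, in the shape the write-up shows.
    user, password = parse_john_cracked("m3o3rt (FLAG)")
    print("cracked:", user, password)
    print("flag:", flag_from_password(password))
```

Writing the hash line to a file and pointing `./john --format=o5logon` at it is the same step as above; the exact-length matching in `_hex_after` is what saves you from a hash line John rejects as malformed when a stray printable byte sits next to the value in the stream.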

Unfortunately this flag wasn't accepted by the scoreboard, so I just hopped on #hitcon-ctf on freenode.net via IRC and sent a message to the admin @_orange, who confirmed the password and gave me the winning flag format:
HITCON{50919e2b7f4cc82235ccf948d36c2dfd}

Happy cracking, friends, and enjoy that GPU John support.