Description: A company stored a secret message on a server which got breached due to the admin using weakly hashed passwords. Can you gain access to the secret stored within the server? Additional details will be available after launching your challenge instance.
Difficulty: Easy
Author: Nana Ama Atombo-Sackey
Summary
This challenge presents a remote service that gives you three hashes sequentially and asks you to provide their plaintexts. The server hints that weak passwords were used, so common password lookup or a dictionary attack is the right approach.
During the solve I interacted with the service and tested common passwords; all three hashes were weak and cracked quickly. The final step revealed the flag.
Tools
- nc (netcat), to talk to the remote service
- hashid / hash-identifier, to identify hash types
- hashcat or john, for offline cracking using wordlists
- rockyou.txt, common password list
- Online hash lookup services like CrackStation, useful for common passwords and precomputed hash databases.
Analysis
I connected to the remote service:
nc domain port
Then we get the following message:
Welcome!! Looking For the Secret?
We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash:
The hash provided is: 482c811da5d5b4bc6d497ffa98491e38
A hash is a fixed-length string of characters produced by a hash function; it acts as a fixed-size fingerprint of the input data. Common hashing algorithms include MD5, SHA-1, and SHA-256.
- MD5 produces a 32-character hexadecimal digest.
- SHA-1 produces a 40-character hexadecimal digest.
- SHA-256 produces a 64-character hexadecimal digest.
Since our hash is 32 characters long, it is very likely an MD5 hash. To identify the hash type you can use online tools like:
- https://hashes.com/en/tools/hash_identifier
- https://www.tunnelsup.com/hash-analyzer/
- https://www.dcode.fr/hash-identifier
Offline, the hash-identifier tool serves the same purpose.
Because the provided hash is 32 hexadecimal characters long (128 bits), this strongly indicates an MD5 digest. To confirm the hash type I used several online identifier tools (Hashes.com, TunnelsUp, and dCode) and the offline hash-identifier utility included with Kali Linux.
Hashing is a one-way process: once data is hashed, it cannot be reversed. While older algorithms like MD5 and SHA-1 are considered broken (practical collision attacks exist for both), newer ones remain strong for now. Still, with the rapid growth of quantum computing and AI, even current standards may eventually be at risk.
Because hashing is one-way, you can’t directly “reverse” a digest. In practice, recovery relies on searching for a matching input: either by computing hashes for candidate plaintexts (dictionary or brute-force attacks) or by using precomputed lookup tables/rainbow tables. When a candidate’s computed hash equals the target digest, that candidate is the likely original plaintext.
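To make the two steps above concrete (guess the algorithm from the digest length, then hash candidate plaintexts until one matches), here is a small Python script. It is an added example, not code from the challenge or from the author; the wordlist is a constructed stand-in for rockyou.txt, and only the MD5 and SHA-1 digests handed out by the service are embedded as samples. The length-only identification is the same heuristic the write-up uses, so it cannot tell apart algorithms with equal output sizes.

```python
import hashlib
from typing import Iterable, Optional

# Digest length in hex characters -> hashlib algorithm name.
# Length alone is a heuristic: e.g. NTLM is also 32 hex chars.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(digest_hex: str) -> Optional[str]:
    """Guess the hash algorithm from the digest length; None if it is not hex or unknown."""
    h = digest_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return LENGTH_TO_ALGO.get(len(h))


def digest(algo: str, candidate: str) -> str:
    """Hex digest of a candidate plaintext under the named algorithm."""
    return hashlib.new(algo, candidate.encode()).hexdigest()


def dictionary_attack(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose digest equals the target, or None."""
    algo = identify(digest_hex)
    if algo is None:
        return None
    target = digest_hex.strip().lower()
    for word in wordlist:
        word = word.rstrip("\n")          # tolerate lines read from a file
        if digest(algo, word) == target:
            return word
    return None


def audit(hashes: Iterable[str], wordlist: Iterable[str]) -> dict:
    """Map each digest to (guessed algorithm, recovered plaintext or None)."""
    words = list(wordlist)                # the wordlist is reused per hash
    return {h: (identify(h), dictionary_attack(h, words)) for h in hashes}


# Constructed mini-wordlist standing in for rockyou.txt.
DEMO_WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "admin"]

# The MD5 and SHA-1 digests the challenge service handed out.
CHALLENGE_HASHES = [
    "482c811da5d5b4bc6d497ffa98491e38",
    "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3",
]

if __name__ == "__main__":
    for h, (algo, plain) in audit(CHALLENGE_HASHES, DEMO_WORDLIST).items():
        status = f"cracked -> {plain!r}" if plain else "no match in wordlist"
        print(f"{h}  [{algo or 'unknown'}]  {status}")
```

With a real wordlist, pass `open("rockyou.txt", errors="ignore")` instead of `DEMO_WORDLIST`; the loop reads lazily and stops at the first match. Both challenge digests fall to the six-word list, which is the whole point of the write-up: the cost of the attack is set by the password, not by the hash function.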
Stage 1: MD5
The target digest is an MD5 hash. I used an online lookup service (CrackStation) to search their database of known plaintext–hash pairs.
CrackStation matched the hash and returned the original password: password123.
You can also crack this kind of hash offline with tools like hashcat or john using a large wordlist (e.g., rockyou.txt).

After submitting password123 to the service, the server responded:
Welcome!! Looking For the Secret?
We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash: password123
Correct! You've cracked the MD5 hash with no secret found!
Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash:
Stage 2: SHA-1
I fed the new hash (b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3) to the same identification tools. Hashes.com and other identifiers indicated this is likely SHA-1 (40 hex characters).

Using CrackStation, the hash resolved to letmein.

Stage 3: SHA-256
Submitting letmein to the service produced:
We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash: password123
Correct! You've cracked the MD5 hash with no secret found!
Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash: letmein
Correct! You've cracked the SHA-1 hash with no secret found!
Almost there!! Crack this hash: 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745
Enter the password for the identified hash:
The next hash (916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745) is 64 hex characters long, so I treated it as SHA-256.

Again using CrackStation (and wordlist-based cracking tools if needed), it resolved to qwerty098.

⚡ Raikiri🎉 Flag pwned! The final hash was cracked, and the flag is now obtained. All stages successfully cleared.

💡 TL;DR / Lesson Learned
Weak passwords = easy cracks. All hashes in this challenge were broken using public databases. Always use strong, unique passwords; don't give attackers a free pass!
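The server side of the lesson is that unsalted, fast hashes such as the MD5 used here are exactly what public lookup databases are built for. The following Python script, an added example that is not part of the write-up, puts the challenge's storage scheme next to a salted, slow one (PBKDF2-HMAC-SHA256 from the standard library). The "lookup table" is constructed from a handful of words to stand in for a service like CrackStation, and the iteration count follows OWASP's published recommendation for PBKDF2-HMAC-SHA256 (600,000), assumed here rather than taken from the challenge.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed precomputed lookup table (digest -> plaintext), the kind of data
# an online hash lookup service answers from. Built from a few common words.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "password123"]
MD5_LOOKUP = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP recommendation, assumed here).
ITERATIONS = 600_000


def store_md5(password: str) -> str:
    """The weak scheme from the challenge: unsalted, fast, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(stored: str) -> Optional[str]:
    """A precomputed table answers an unsalted digest instantly."""
    return MD5_LOOKUP.get(stored)


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow storage: a fresh random salt per user plus a costly KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def in_lookup_table(stored_pbkdf2: str) -> bool:
    """Whether the derived key of a salted record appears in the MD5 lookup table."""
    return stored_pbkdf2.split("$")[3] in MD5_LOOKUP


if __name__ == "__main__":
    pw = "password123"
    weak = store_md5(pw)
    print("unsalted MD5:", weak, "->", lookup_md5(weak))
    a, b = store_pbkdf2(pw), store_pbkdf2(pw)
    print("same password, two users, different records:", a != b)
    print("verify ok:", verify_pbkdf2(pw, a), "wrong pw:", verify_pbkdf2("letmein", a))
    print("salted record found in lookup table:", in_lookup_table(a))
```

Salting defeats the precomputed-table shortcut (every user's record must be attacked separately) and the iteration count makes each guess far more expensive than one MD5 call. Neither fixes a password that sits in the first six lines of a wordlist, which is why the write-up's lesson about strong, unique passwords still stands.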