Password Insecurities

Challenge:

It looks like DEADFACE is going after the password of one of De Monne's customers: Haily Poutress. She has since changed her password, but De Monne is looking for ways to improve password requirements. De Monne would like you to crack the password from the database leak to determine if Haily's password was secure enough. Submit the flag as flag{password}.

Use the MySQL database dump from Body Count.

Download MySQL database dump
SHA1: 5867eeb1466b31eb8d361061fddd99700fc5d739

Password: d34df4c3

Solution:

We re-reviewed the available tables in the database we created during the Body Count challenge:

mysql> SHOW tables;
  Tables_in_demonne
  credit_cards
  cust_passwd
  customers
  employee_passwd
  employees
  loan_types
  loans
  test

The customers and cust_passwd tables look interesting for this challenge so we review the table structures:

mysql> SHOW COLUMNS in customers;
  Field	Type	Null	Key	Default	Extra
  cust_id	smallint	NO	PRI	NULL	auto_increment
  last_name	tinytext	NO		NULL	
  first_name	tinytext	NO		NULL	
  email	tinytext	NO		NULL	
  street	tinytext	NO		NULL	
  city	tinytext	NO		NULL	
  state	tinytext	NO		NULL	
  country	tinytext	NO		NULL	
  postal	tinytext	NO		NULL	
  gender	tinytext	NO		NULL	
  dob	tinytext	NO		NULL	

mysql> SHOW COLUMNS in cust_passwd;
  Field	Type	Null	Key	Default	Extra
  cust_pass_id	smallint	NO	PRI	NULL	auto_increment
  cust_id	smallint	NO	MUL	NULL	
  passwd	tinytext	NO		NULL

We need Haily's cust_id to look up her password in the cust_passwd table, so we search customers for rows with a last_name of Poutress. The first row returned is Haily's:

mysql> select * from customers where last_name like 'Poutress'\G
*************************** 1. row ***************************
   cust_id: 7117
 last_name: Poutress
first_name: Haily
     email: hpoutress5ho@booking.com
    street: 15212 Westport Hill
      city: Ocala
     state: FL
   country: US
    postal: 34479
    gender: M
       dob: 03/12/1995

We then grab her password from the cust_passwd table:

mysql> select * from cust_passwd where cust_id = 7117\G
*************************** 1. row ***************************
cust_pass_id: 7117
     cust_id: 7117
      passwd: $1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq.
1 row in set (0.000 sec)

Before throwing the power switch on the Hashcat/GPU rig, we ran a simple pass with John the Ripper and its default wordlist and, surprisingly, had quick success:

$ ~/Tools/jtr/run/john db_pass.txt 

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
...
Proceeding with wordlist:/home/pingtrip/Tools/jtr/run/password.lst

trustno1         (?)     

1g 0:00:00:00 DONE 2/3 (2021-10-15 12:39) 100.0g/s 38400p/s 38400c/s 38400C/s 123456..larry
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The accepted flag was flag{trustno1}.
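What John did above can be reproduced without any cracking tool, which is also how De Monne could audit future password choices against a denylist before they are accepted. The block below is an added example, not part of the original writeup or of John the Ripper: it implements the md5crypt ($1$) scheme from the FreeBSD reference algorithm in plain Python, verifies a candidate against the leaked hash with a constant-time comparison, and walks a small constructed wordlist the way John's default password.lst was walked. The hash and salt come from the cust_passwd row above; the wordlist entries are constructed for the example. Note that md5crypt runs only 1000 MD5 rounds with no memory cost, so even a CPU can test tens of thousands of guesses per second, which is why a short dictionary word like this one falls immediately.

```python
import hashlib
import hmac

# The crypt(3) family's base-64 alphabet (not the RFC 4648 one).
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """Pure-Python md5crypt following Poul-Henning Kamp's FreeBSD reference code."""
    salt = salt[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in len(password) bytes of the alternate sum, 16 at a time.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For each bit of len(password): a NUL byte if the bit is set, else password[0].
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds; the schedule below is fixed by the algorithm.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return (magic + salt + b"$" + encoded).decode("ascii")


def parse_md5crypt(hash_string: str) -> tuple:
    """Split '$1$<salt>$<digest>' into (salt, digest) bytes; reject anything else."""
    parts = hash_string.split("$")
    if (len(parts) != 4 or parts[0] != "" or parts[1] != "1"
            or not 1 <= len(parts[2]) <= 8 or len(parts[3]) != 22):
        raise ValueError("not an md5crypt hash")
    return parts[2].encode("ascii"), parts[3].encode("ascii")


def verify(password: str, hash_string: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, _ = parse_md5crypt(hash_string)
    computed = md5crypt(password.encode("utf-8"), salt)
    return hmac.compare_digest(computed.encode("ascii"), hash_string.encode("ascii"))


def first_wordlist_match(hash_string: str, wordlist):
    """Return the first wordlist entry that verifies against the hash, else None."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if candidate and verify(candidate, hash_string):
            return candidate
    return None


# Hash taken from the cust_passwd row for cust_id 7117 above.
LEAKED_HASH = "$1$FigUPHDJ$IYWZKYxoKDdLyODRM.kQq."
# Constructed stand-in for a default wordlist such as John's password.lst.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "trustno1", "letmein"]

if __name__ == "__main__":
    hit = first_wordlist_match(LEAKED_HASH, SAMPLE_WORDLIST)
    print("weak password found:", hit)
```

The same verify() routine, pointed at a large public breach list instead of SAMPLE_WORDLIST, is a workable denylist check at password-change time; pairing that with a memory-hard hash (bcrypt, scrypt or Argon2) instead of md5crypt is the other half of the fix De Monne is asking about.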
