You Shall Not Pass

Challenge:

DEADFACE has been targeting De Monne employees based on the recent De Monne financial database leak. De Monne has already changed their employees' passwords, but they would like you to try to crack the victim's password to see how secure it is and what they can do to train their employees to use proper cyber security hygiene. Submit the flag as flag{password}.

Ghost Town thread

Solution:

The post on Ghost Town consisted of two users sharing "random facts" about themselves.

First, we need to identify whether either Ghost Town user is an employee at De Monne. As in the Password Insecurities challenge, we will use the employees and employee_passwd tables to extract the password.

mysql> SELECT * FROM employees WHERE last_name IN('Welle', 'Lawless')\G
*************************** 1. row ***************************
  employee_id: 2545
    last_name: Lawless
   first_name: Merrilee
        email: mlawless1yo@demonnefinancial.com
       street: 428 Paget Court
         city: Washington
        state: DC
      country: US
       postal: 20067
       gender: F
employee_code: 5751931491

We find Merrilee Lawless is an employee (employee_id 2545) and query for her password hash:

> SELECT * FROM employee_passwd WHERE employee_id = 2545;
employee_pass_id	employee_id	passwd
2545	2545	$1$qcRBMlEm$PQKbbpIFCSSMCTVvvsfve0

We then created a small word list based on the personal details Merrilee posted:

Goddard St
Friends
Purple
Albany
Cashier
Sprinkles
Steelers
Aspen
Crochet
1973

Finally, to crack the hash we used PrinceProcessor to generate plaintext candidates from the wordlist and passed them to Hashcat in combination with the 'OneRuleToRuleThemAll' ruleset:

$ shuf dead_wrd.list | ../tools/princeprocessor-0.22/pp64.bin | ~/hashcat-6.1.1/hashcat.bin -w4 -O -m500 dead_mysql.txt -a0 -r ../tools/OneRuleToRuleThemAll.rule

Sprinkles1973!

The accepted flag was flag{Sprinkles1973!}.
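
For the training side of the challenge, the same idea can be turned into a check at password-change time. The following is an added example, not part of the original write-up: it flags a password that is nothing more than a chain of the user's known personal details plus a character or two of padding, which is a simplified model of the word chaining and rule mangling used above. The names normalise and personal_chain and the max_padding threshold are assumptions made for this sketch.

```python
import re

# Constructed sample input: the personal details listed in the write-up.
PERSONAL_DETAILS = ["Goddard St", "Friends", "Purple", "Albany", "Cashier",
                    "Sprinkles", "Steelers", "Aspen", "Crochet", "1973"]


def normalise(text):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_chain(password, details, max_padding=2):
    """Return the personal tokens that chain into `password`, or None.

    The password is flagged when it splits completely into known tokens plus
    at most `max_padding` other characters (the "!" or "1" a mangling rule adds).
    """
    tokens = set()
    for detail in details:
        tokens.add(normalise(detail))                        # "goddardst"
        tokens.update(normalise(w) for w in detail.split())  # "goddard"
    tokens = {t for t in tokens if len(t) >= 3}  # ignore fragments like "st"

    pw = password.lower()
    # best[i] = (padding used, token chain) for the cheapest split of pw[:i]
    best = [None] * (len(pw) + 1)
    best[0] = (0, [])
    for i in range(len(pw)):
        if best[i] is None:
            continue
        pad, chain = best[i]
        steps = [(i + 1, pad + 1, chain)]  # treat pw[i] as padding
        steps += [(i + len(t), pad, chain + [t])
                  for t in sorted(tokens) if pw.startswith(t, i)]
        for j, cost, new_chain in steps:
            if cost <= max_padding and (best[j] is None or cost < best[j][0]):
                best[j] = (cost, new_chain)
    result = best[len(pw)]
    return result[1] if result and result[1] else None


if __name__ == "__main__":
    for candidate in ["Sprinkles1973!", "purpleASPEN#7", "correct-horse-battery"]:
        print(candidate, "->", personal_chain(candidate, PERSONAL_DETAILS))
```

A check like this only knows the details it is given, so it complements a breached-password and length policy rather than replacing one.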
