Database Crack

Challenge:

We did it! We managed to get a copy of a password database from deephax. Can you crack the password to get into the database and see what things lie within?

Submit the flag as flag{flag text}.

Solution:

We identified the file provided in the challenge as a Keepass password manager database:

$ file mySecret.kdbx 
mySecret.kdbx: Keepass password database 2.x KDBX

John the Ripper has a keepass2john utility for extracting the password hash from a Keepass database, which we leveraged to write the hash to a file for cracking:

$ ~/Tools/jtr/keepass2john mySecret.kdbx | cut -d: -f2 | tee database_crack.hash 
$keepass$*2*60000*0*b8bb35396aa2cc7b81c8d1e68ef3baf23d20f781406946c280230d100173e739*63e6afc61de486d9855f0696918acfb2b6f59593d98f1fb23c6b41bb045ec0b4*e8c1e5981c84aa4f52be41271efaba41*3c567f9f005c33c0342e943ed1e37d343fa7215b103a6bfd9278ac4c265de41e*5f4030232f25e16e767fb31fbf7b69458f274f651659719dfa99fa1fe66715f5

Surprisingly, in our first cracking attempt we found that the password wasn't in the RockYou file:

$ hashcat -m 13400 -a 0 -w 4 database_crack.hash /data/wrdlists/rockyou.txt
 ...
Status...........: Exhausted

We could have run a new cracking session using the WeakPass2 list but Hashcat was estimating it would take ~20 hours on our cracking rig, which didn't seem appropriate for this CTF. Luckily, while browsing the various GhostTown threads to document clues, we spotted a wordlist posted by mirveal in the thread titled "More Bitcoin$$$$$".

Hashcat made short work of wordlist and produced the password in under 6 seconds:

Status...........: Cracked
complexpassword

We could then use the cracked password to unlock the Keepass database and retrieve the flag:

```

The accepted flag was: flag{breaking_the_law}