We’ve had a hard time finding anything on spookyboi. But finally, with some search engine finessing, an analyst found an old, vulnerable server spookyboi used to run. We extracted a database, now we need your help finding the password.
Submit the password as the flag:
The provided Zip archive contained a SQLite database file named “out.db”
$ file out.db out.db: SQLite 3.x database, last written using SQLite version 3032003
I opened the database with
sqlite3 and checked the schema to get an idea of the database structure.
$ sqlite3 out.db sqlite> .schema CREATE TABLE users ( uid integer primary key autoincrement, username text not null unique, email text ); CREATE TABLE sqlite_sequence(name,seq); CREATE TABLE passwd ( pid integer primary key autoincrement, passwd text not null, uid integer, foreign key (uid) references users (uid));
There is a users and passwd that are linked via the uid field,
foreign key (uid) references users (uid), so I issue a query to join the two tables and search for spookyboi.
sqlite> SELECT username,passwd FROM users INNER JOIN passwd ON users.uid == passwd.uid WHERE users.username == "spookyboi"; spookyboi|59DEA36D05AACAA547DE42E9956678E7
The password appears to be hashed (and wasn’t accepted as the challenge flag) but my password cracking rig made short work of it:
The 128 bit-length leaves ambiguity around which type of hash this was since there are a number of hashing functions that produce 128-bit hashes. My first assumption was MD5 as it is one of the most commonly used hashing functions and one I’d expect to see stored in a SQLite database. A quick attempt with a large wordlist didn’t produce a password so I tried again treated the hash as NTLM, the next most popular 128-bit hashing function.
$ hashcat.bin -O -w4 -m1000 59DEA36D05AACAA547DE42E9956678E7 -a0 /data/wrdlists/weakpass_2
After about ten seconds Hashcat produced the cracked password
The completed flag is,