Past Demons


We’ve had a hard time finding anything on spookyboi. But finally, with some search engine finessing, an analyst found an old, vulnerable server spookyboi used to run. We extracted a database, now we need your help finding the password.

Submit the password as the flag: flag{password}.


The provided Zip archive contained a SQLite database file named “out.db”

$ file out.db 
out.db: SQLite 3.x database, last written using SQLite version 3032003

I opened the database with sqlite3 and checked the schema to get an idea of the database structure.

$ sqlite3 out.db 

sqlite> .schema
uid integer primary key autoincrement,
username text not null unique,
email text
CREATE TABLE sqlite_sequence(name,seq);
pid integer primary key autoincrement,
passwd text not null,
uid integer,
foreign key (uid) references users (uid));

There is a users and passwd that are linked via the uid field, foreign key (uid) references users (uid), so I issue a query to join the two tables and search for spookyboi.

sqlite> SELECT username,passwd FROM users INNER JOIN passwd ON users.uid == passwd.uid WHERE users.username == "spookyboi";


The password appears to be hashed (and wasn’t accepted as the challenge flag) but my password cracking rig made short work of it:

The 128 bit-length leaves ambiguity around which type of hash this was since there are a number of hashing functions that produce 128-bit hashes. My first assumption was MD5 as it is one of the most commonly used hashing functions and one I’d expect to see stored in a SQLite database. A quick attempt with a large wordlist didn’t produce a password so I tried again treated the hash as NTLM, the next most popular 128-bit hashing function.

$ hashcat.bin -O -w4 -m1000 59DEA36D05AACAA547DE42E9956678E7 -a0 /data/wrdlists/weakpass_2

After about ten seconds Hashcat produced the cracked password 59dea36d05aacaa547de42e9956678e7:zxcvbnm

The completed flag is, flag{zxcvbnm}.



Leave a comment