This was a fun one – I was the only person to solve this during the CTF yesterday. Here’s how I did it:
- crackme?
- 300 Points
- By: Dillon Korman
A teammate from DC416 made a run at this with some fairly comprehensive custom Overwatch-themed wordlists with no luck. I first tried the usual easy tricks: googling the hash, Gromweb, and an exhaustive search of all printable ASCII up to 7 chars (since it only takes ~30 seconds). No luck.
My next step was to grab a list of all of the playable Overwatch characters from here. Since a couple of the characters (Lúcio, Torbjörn) have non-latin characters, I also added latinized versions (Lucio, Torbjorn) to the list. I added alternate versions of a few other characters’ names to account for different stylings and capitalizations (Soldier: 76, D.Va, McCree), and then duplicated the entire list as lowercase via
    tr '[:upper:]' '[:lower:]' < owchars.txt | uniq >> owchars.txt
This gave me this list.
Running that through hashcat gave me no hits, both on its own and using best64.rule (which permuted 59 candidates into 4543).
With that exhausted, I looked at the Twitter hint – it seemed pretty apparent that we’re intended to try adding some variation of ‘main’ to a character name. In the interest of being thorough, I wrote a quick Python script to append variants of ‘main’ to each character name variant, using multiple different joining characters. That resulted in this 1593-line list.
Running that list through hashcat with best64.rule (122661 total candidates) gave no hits. I looked at the challenge again to make sure I was on the right track, and noticed “and thinks he’s some cool hacker” for the first time. That seems straightforward – do some leetspeak character substitution (l1k3 th!5). Luckily hashcat includes a very thorough leetspeak rule (1593 lines became 4892103 candidates), and passing owmains.txt through it gave us a successful crack.
    [tyler@tower hashcat-3.5.0]$ ./hashcat64.exe -m 0 -a 0 -r rules/unix-ninja-leetspeak.rule 55370b6cd985e7132c4e789224066bde owmains.txt
    hashcat (v3.5.0) starting...

    OpenCL Platform #1: NVIDIA Corporation
    ======================================
    * Device #1: GeForce GTX 960, 1024/4096 MB allocatable, 8MCU

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 3071

    55370b6cd985e7132c4e789224066bde:r31nh@rdtm@1n

    Session..........: hashcat
    Status...........: Cracked
    Hash.Type........: MD5
    Hash.Target......: 55370b6cd985e7132c4e789224066bde
    Time.Started.....: Sat Apr 29 15:13:08 2017 (0 secs)
    Time.Estimated...: Sat Apr 29 15:13:08 2017 (0 secs)
    Guess.Base.......: File (owmains.txt)
    Guess.Mod........: Rules (rules/unix-ninja-leetspeak.rule)
    Guess.Queue......: 1/1 (100.00%)
    Speed.Dev.#1.....: 160.9 MH/s (0.27ms)
    Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
    Progress.........: 3297510/4892103 (67.40%)
    Rejected.........: 0/3297510 (0.00%)
    Restore.Point....: 0/1593 (0.00%)
    Candidates.#1....: Genjimain -> z3ny@tt@~MAIN
    HWMon.Dev.#1.....: Temp: 50c Fan: 0% Util: 99% Core:1404MHz Mem:3004MHz Bus:8
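The wordlist-plus-leetspeak pipeline described above, as an added Python example (not the author's script, which is not on the page), showing how small the search space of a themed password with character substitutions is. The name list, 'main' spellings, joiners, substitution table and function names are all constructed assumptions, and the per-character substitution here is a simplification of what unix-ninja-leetspeak.rule does.

```python
import hashlib
from itertools import product

# Constructed sample inputs; the author's owchars.txt / owmains.txt are not on the page.
NAMES = ["Reinhardt", "Lucio", "D.Va", "Soldier: 76"]
SUFFIXES = ["main", "Main", "MAIN"]
JOINERS = ["", " ", "_", "-", "~"]

# Assumed substitution table, much smaller than unix-ninja-leetspeak.rule.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}


def base_words(names=NAMES):
    """Each name (as given and lowercased) + joiner + a spelling of 'main'."""
    words = {}
    for name in names:
        for form in (name, name.lower()):
            for joiner, suffix in product(JOINERS, SUFFIXES):
                words[form + joiner + suffix] = None  # dict keeps order, drops dupes
    return list(words)


def leet_variants(word):
    """Yield every per-character combination of original and leet characters."""
    options = [ch + LEET.get(ch.lower(), "") for ch in word]
    for combo in product(*options):
        yield "".join(combo)


def crack(target_md5, words):
    """Return the first candidate whose unsalted MD5 matches, else None."""
    for word in words:
        for candidate in leet_variants(word):
            if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target_md5:
                return candidate
    return None


if __name__ == "__main__":
    words = base_words()
    total = sum(1 for w in words for _ in leet_variants(w))
    print(f"{len(words)} base words -> {total} candidates")
    # Target is the hash from the hashcat session above.
    print(crack("55370b6cd985e7132c4e789224066bde", words))
```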
2 thoughts on “UIUCTF 2017: crackme?”
2017-04-30 — 18:52
Really nice solve, this. Good job.
2017-05-01 — 15:40
Good job! I didn’t realize that Twitter link provided that hint. I was wondering why they linked to it lol.