MySQL Authentication challenge cracking
#1
Hello, I'm working on a CTF and had to do a MITM to intercept packets between a client and a database to steal data. I never used hashcat in an advanced way, so I'm pretty lost here.

The last step to get the flag is to find the password of the root user; all I have are the authentication packets containing the challenge hash and salt.

FYI, the SQL server sends a 20-byte "salt" to the client, which calculates the challenge hash and sends it to the server this way:
$hash = sha1($pass) ^ sha1($salt.sha1(sha1($pass)))
("^" being the XOR operator)

I have no clue how to use hashcat in this case. Is it even possible?

My second little question: since the salt is pure random bytes, most of it is just non-printable characters, so how do I input it?
Reply
#2
Since it is a CTF, I think they want you to code or script something for it. AFAIK this is not possible with public tools such as hashcat.
Reply
#3
(11 hours ago) DanielG Wrote: Since it is a CTF, I think they want you to code or script something for it. AFAIK this is not possible with public tools such as hashcat.

Thanks, that's what I thought. I flagged it using a Python script, but isn't it weird that it's not included as a hashing mode in public tools? It's not that niche: it's the default authentication mode in MySQL servers, and hashcat seems to support a lot of obscure hashing methods.
Reply
#4
Ah, my bad, I did not notice mode 11200, MySQL CRAM (SHA1), in the documentation. That does seem to be the one you want.
Reply
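The exchange described in post #1 and the hashcat mode named in post #4, worked through as an added example (this is not the thread's own script and not hashcat code): it implements the scramble `sha1(pass) ^ sha1(salt . sha1(sha1(pass)))`, the server-side check that undoes the XOR, an offline wordlist check against a captured salt/response pair, and the `$mysqlna$<salt hex>*<response hex>` line that hashcat mode 11200 reads, which is also how the non-printable salt bytes are entered. The handshake packet, the salt `SALT`, the password `hunter2` and the wordlist are constructed for the example; the 8+12 split of the scramble across `auth-plugin-data-part-1` and `-part-2` in the HandshakeV10 packet is how the protocol lays it out, which matters when you pull the salt out of a pcap by hand.

```python
"""mysql_native_password challenge/response, checked against a wordlist and
formatted for hashcat mode 11200. Added example, not code from the thread."""
import hashlib
import struct
from typing import Iterable, Optional

# Constructed 20-byte scramble containing non-printable bytes, standing in
# for the one read from a captured handshake packet.
SALT = bytes([0x00, 0xff, 0x7f, 0x0a, 0x1b, 0x80, 0x93, 0xc4, 0x5e, 0x21,
              0x3b, 0xd9, 0x0d, 0xee, 0x42, 0x6a, 0x01, 0x99, 0xa7, 0x10])


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def native_scramble(password: bytes, salt: bytes) -> bytes:
    """Client side: SHA1(pass) XOR SHA1(salt || SHA1(SHA1(pass)))."""
    if len(salt) != 20:
        raise ValueError("mysql_native_password uses a 20-byte scramble")
    stage1 = sha1(password)          # SHA1(pass)
    stage2 = sha1(stage1)            # SHA1(SHA1(pass)), what mysql.user stores
    return xor(stage1, sha1(salt + stage2))


def verify_response(password: bytes, salt: bytes, response: bytes) -> bool:
    """Server side: undo the XOR to recover SHA1(pass), then check that
    hashing it once more gives the stored SHA1(SHA1(pass))."""
    stage2 = sha1(sha1(password))
    stage1 = xor(response, sha1(salt + stage2))
    return sha1(stage1) == stage2


def crack(salt: bytes, response: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing: three SHA1s per candidate, no server round trips."""
    for candidate in wordlist:
        if verify_response(candidate, salt, response):
            return candidate
    return None


def hashcat_11200_line(salt: bytes, response: bytes) -> str:
    """hashcat -m 11200 input: $mysqlna$<salt hex>*<response hex>.
    Hex is how the non-printable salt bytes get into the hash file."""
    return f"$mysqlna${salt.hex()}*{response.hex()}"


def build_handshake(salt: bytes, server_version: bytes = b"5.7.0-ctf") -> bytes:
    """Constructed HandshakeV10 packet (with its 4-byte packet header) so the
    parser below has realistic input. Capability, charset and status values
    are arbitrary; only the field layout matters here."""
    body = (b"\x0a" + server_version + b"\x00"      # protocol 10, version string
            + struct.pack("<I", 1234)              # connection id
            + salt[:8] + b"\x00"                   # auth-plugin-data-part-1, filler
            + struct.pack("<H", 0xf7ff)            # capability flags (lower)
            + b"\x21"                              # character set
            + struct.pack("<H", 0x0002)            # status flags
            + struct.pack("<H", 0x0000)            # capability flags (upper)
            + bytes([21])                          # auth plugin data length
            + b"\x00" * 10                         # reserved
            + salt[8:] + b"\x00"                   # auth-plugin-data-part-2 (12 + NUL)
            + b"mysql_native_password\x00")
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


def parse_handshake_salt(packet: bytes) -> bytes:
    """Recover the 20-byte scramble from a HandshakeV10 packet. It is split
    across two fields: 8 bytes in part-1 and 12 usable bytes in part-2."""
    pos = 4                                    # 3-byte length + 1-byte sequence id
    if packet[pos] != 0x0a:
        raise ValueError("not a protocol-10 handshake")
    pos = packet.index(b"\x00", pos + 1) + 1   # skip NUL-terminated version
    pos += 4                                   # connection id
    part1 = packet[pos:pos + 8]
    pos += 8 + 1 + 2 + 1 + 2 + 2               # part-1, filler, caps lo, charset, status, caps hi
    auth_len = packet[pos]
    pos += 1 + 10                              # auth data length byte, reserved
    part2 = packet[pos:pos + max(13, auth_len - 8)]
    return part1 + part2[:12]


if __name__ == "__main__":
    password = b"hunter2"                      # constructed; the CTF password is unknown
    salt = parse_handshake_salt(build_handshake(SALT))
    response = native_scramble(password, salt)
    print(hashcat_11200_line(salt, response))  # paste this line into the hashcat hash file
    print(crack(salt, response, [b"root", b"toor", b"hunter2"]))
```

Two practical caveats: the captured response only ever proves knowledge of `SHA1(SHA1(pass))` under that one salt, so it cannot be replayed against a later handshake, and an offline guess is the only use for it. And this exchange is specific to `mysql_native_password`; a server that negotiated `caching_sha2_password` (the default plugin since MySQL 8.0) sends a different challenge, and mode 11200 will not apply to it.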
#5
Well, I didn't know what CRAM meant, so I didn't notice it either. I just tried it and it works x)

At least I can say that I learned something. Thank God it was a CTF-like challenge without a time limit and not a real CTF; otherwise I would have been sad.

Thank you for your help
Reply