PHDays Hashrunner challenge 2015 - Writeup
#1
As you may know, we won the contest.

Here is the writeup:

https://hashcat.net/events/hashrunner201...d_2015.pdf

Cheers!
dropdead
sch0.org
#2
great write up!

question regarding scrypt. how did you guys get JTR to work since it is not natively supported?

also, did you guys happen to notice LM hash had a bunch of plains that appeared to look like encoded PHP? for example:

\U77F3\U67F1\U
\U6CE2\U6FE4\U
\U8B66\U5099\U
\U63D0\U723E\U
\U7600\U9752\U

or perhaps it was a dead end
#3
JTR does have scrypt support...
https://github.com/magnumripper/JohnTheR...h?q=scrypt
#4
thx, epixoip!
#5
(05-21-2015, 03:40 AM)forumhero Wrote: LM hash had a bunch of plains that appeared to look like encoded PHP? for example:

\U77F3\U67F1\U

> Encoded PHP
kek
#6
(05-21-2015, 06:05 AM)epixoip Wrote: JTR does have scrypt support...
https://github.com/magnumripper/JohnTheR...h?q=scrypt
I got the precompiled binaries from 1.8.0 jumbo1 (win64) and could not get it to work (can't load hashes). Do you have to change the hash format? What --format value do you use in the command line, scrypt?

Edit: I tried also the bleeding jumbo version 1.8.0.2 and had the same problem.
#7
If you look at the plugin you will see the format it expects:

https://github.com/magnumripper/JohnTheR...t.c#L54-78

You can also look at prepare() in the same file as well.
#8
(05-21-2015, 10:45 PM)epixoip Wrote: If you look at the plugin you will see the format it expects:

https://github.com/magnumripper/JohnTheR...t.c#L54-78

You can also look at prepare() in the same file as well.
Thanks for the help. I don't get it. I am in the bleeding jumbo version, I put one the hash that they provide in the link you gave me:
Code:
$ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0A=
I use the following command line:
Code:
john.exe --format=scrypt --wordlist=dic4.txt hash.txt
JTR does not load the hash.
#9
I had a similar issue. If you downloaded the Window pre-compiled binary then you are unlikely to be using the latest bleeding jumbo. Try this command below and check the results:

Code:
john --list=format-tests --format=scrypt

If the result from the last line looks similar to the output below then it is not the latest bleeding jumbo.

Code:
scrypt  10    SCRYPT:16384:8:1:VHRuaXZOZ05INWJs:JjrOzA8pdPhLvLh8sY64fLLaAjFUwY
CXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==      password
#10
Congrats Team Hashcat, you really showed us all how it's meant to be done.

Our team write-up is also up

We had lots of fun!

http://cynosureprime.blogspot.com/