complex password alternation

I am trying to recover a lost rar PW. I have never used hashcat before and I dont know if I will be able to do what I am intending to do.
- The password is quite long, about 25 characters. I do know the first part, about 20 characters
- the PW is lowercase, except a maximum of 2 characters
- a maximum of 2 characters may be l33t (only: a-@ e-3 i-1 o-0 s-5 g-6)
- the password may be followed by a max 5 digit number
- the whole thing may be followed by a special character (!$&@)

if I can get hashcat to consider these limitation and do a recovery with about 5000pw/s, it should take less than a week.
Can anyone help me with this?
which type of rar archives we are talking about here?

hashcat supports these 2 hash types for rar archives:
-m 12500 = RAR3-hp
-m 13000 = RAR5

(the non-hp version of rar3, i.e. the one without header protection/encryption, is not currently supported)

I think you could deal with this missing 5 characters with different attack modes and you need to see which is the fastest for you.

In general, if you have a static/constant prefix you should actually use some salted alternatives of the algorithm (e.g. for md5 ($salt . $pass) you do not use md5 ($pass) , but the salted alternative). Unfortunately rar3 has no salted alternatives.

Therefore, we need to stick with the other attack types that make sense here:
-a 6 (hybrid attack, a mask at the right hand site)
-a 1 (combinator attack, 2 dicts), the static part (20 chars) is in the first dict
-a 0 (with rules)

in theory, you could also use rules to prefix the password candidates with a static string and append the missing characters, but note that the number of rule functions is limited to 31 (see, so we are already close to the limit if you intend to use 20 rules for prefixing a static string.

In this case you could "generate" a dictionary with the lowercase and uppercase letters (max 2 uppercase) including the l33t words. e.g. something like this

hashcat --stdout -a 3 -o base_dict.txt a.hcmask

where the a.hcmask can be generated by e.g. policygen from PACK and should be something like this:

the digits and specials can be added with rules, e.g. $! to add a question mark.... but adding all combinations of 5 digits with rules is already quite a large set of rules (I would say too huge)... in theory you could add the digits to the base dict too, but that would imply that the dict on disk will get quite large.

As said, alternatively you could combine 2 dicts (with -a 1) which should be quite self-explaining, but the dicts of course need to be pre-generated and stored on disk .... or you could use -a 6 and use a mask file (hcmask) at the right site.

There is a final approach that you could use, but it's probably the slowest, i.e. using stdin/pipes. I would say that this attack shouldn't be used here, because it will slow the speed down by a lot, because you do not have a very filtered/restricted/special set of password candidates, the idea would be like this:
./ | hashcat -m 12500 -a 0 -w 3 hash.txt

Note: multiple rules are only supported with -a 0 = straigth/dictionary attacks.