Crack The Hash Level 2 Tryhackme Writeup

Shamsher khan
12 min read · May 3, 2021

By Shamsher khan. This is a writeup of the TryHackMe room “Crack The Hash Level 2”.

https://tryhackme.com/room/crackthehashlevel2

Room link: https://tryhackme.com/room/malstrings
Note: This room is free

Task 1: Introduction

Password cracking is part of the penetration tester's job but is rarely taught on challenge platforms. In this room you will learn how to crack hashes, identify hash types, create custom wordlists, find specific wordlists, create mutation rules, etc.

This room is a spiritual successor to Crack the Hash.

https://tryhackme.com/room/crackthehash

I recommend that you complete the room Crack the Hash before attempting this one, which is harder and uses more advanced techniques.

However, this room includes a course about hash cracking before you have to face the cracking challenges, so it may be a good idea to read the course part before doing Crack the Hash if you are a newcomer.

Task 2: Hash identification

Often the first thing you will need when you encounter a hash is to identify which kind of hash it is.
There are a lot of hash types. Some are very famous, like MD5 or SHA1, but others are less so, and there are several hash types possible for a given character set and length.

Haiti is a CLI tool to identify the hash type of a given hash. Install it.

gem install haiti-hash

Launch Haiti on this hash:

741ebf5166b9ece4cca88a3868c44871e8370707cf19af3ceaa4a6fba006f224ae03f39153492853

Question 1. What kind of hash is it?

Answer: RIPEMD-320

Launch Haiti on this hash:

1aec7a56aa08b25b596057e1ccbcb6d768b770eaa0f355ccbd56aee5040e02ee

Question 2. What is Keccak-256 Hashcat code?

Answer: 17800

Question 3. What is Keccak-256 John the Ripper code?

Answer: raw-keccak-256
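The identification step Haiti automates is mostly a lookup on prefix, character set and length, which is why one length maps to several candidates. The small identifier below is an added example and not Haiti's code; the hashcat modes and John formats are the commonly known ones (the Keccak-256 pair is the one given above), and None marks a type for which that tool has no raw mode.

```python
"""Added example (not Haiti's code): narrow a hash to candidate types by
prefix, character set and length, with the tool codes needed to crack it."""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# (name, hashcat -m, john --format) candidates per hex length in characters.
BY_LENGTH = {
    32:  [("MD5", 0, "raw-md5"), ("MD4", 900, "raw-md4"), ("NTLM", 1000, "nt")],
    40:  [("SHA-1", 100, "raw-sha1"), ("RIPEMD-160", 6000, "ripemd-160")],
    64:  [("SHA-256", 1400, "raw-sha256"), ("SHA3-256", 17400, None),
          ("Keccak-256", 17800, "raw-keccak-256"), ("BLAKE2s-256", None, None)],
    80:  [("RIPEMD-320", None, None)],
    128: [("SHA-512", 1700, "raw-sha512"), ("SHA3-512", 17600, "raw-sha3"),
          ("Keccak-512", 18000, "raw-keccak"), ("BLAKE2b-512", 600, "raw-blake2")],
}

# Prefixes that settle the type on their own (modular-crypt style or the
# $BLAKE2$ marker that John and hashcat expect in front of a BLAKE2 hash).
BY_PREFIX = {
    "$6$": ("sha512crypt", 1800, "sha512crypt"),
    "$5$": ("sha256crypt", 7400, "sha256crypt"),
    "$1$": ("md5crypt", 500, "md5crypt"),
    "$BLAKE2$": ("BLAKE2b-512", 600, "raw-blake2"),
}

def identify(h):
    """Return the list of (name, hashcat_mode, john_format) candidates for h."""
    h = h.strip()
    for prefix, cand in BY_PREFIX.items():
        if h.startswith(prefix):
            return [cand]
    if HEX.match(h):
        return list(BY_LENGTH.get(len(h), []))
    return []  # unknown charset or length: not a raw hex digest we know

def names(h):
    """Just the candidate names, in the order a cracker should try them."""
    return [c[0] for c in identify(h)]

if __name__ == "__main__":
    print(names("741ebf5166b9ece4cca88a3868c44871e8370707cf19af3ceaa4a6fba006f224ae03f39153492853"))
    print(identify("1aec7a56aa08b25b596057e1ccbcb6d768b770eaa0f355ccbd56aee5040e02ee"))
```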

Task 3: Wordlists

For hash cracking you will often need some custom or specialized dictionaries called wordlists.

SecLists is a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

wordlistctl is a script to fetch, install, update and search wordlist archives from websites offering wordlists with more than 6300 wordlists available.

Rawsec’s CyberSecurity Inventory is an inventory of tools and resources about CyberSecurity. The Cracking category will be especially useful to find wordlist generator tools.

Note: In the exercise below we will see how to use wordlistctl to download a list. For the example I took rockyou, which is a famous wordlist, but if you use the TryHackMe AttackBox or Kali Linux you should already have it under /usr/share/wordlists/, so you don't need to download it again; this is just an example to show you how wordlistctl works.

RockYou is a famous wordlist containing a large set of commonly used passwords sorted by frequency.

To search for this wordlist with wordlistctl run:

wordlistctl search rockyou

Question 1. Which option do you need to add to the previous command to search into local archives instead of remote ones?

Answer: -l

Download and install rockyou wordlist by running this command: wordlistctl fetch -l rockyou

Now search again for rockyou on your local archive with wordlistctl search -l rockyou

You should see that the wordlist is deployed at /usr/share/wordlists/passwords/rockyou.txt.tar.gz

But the wordlist is compressed in a tar.gz archive, to decompress it run wordlistctl fetch -l rockyou -d.

If you run wordlistctl search -l rockyou one more time, what is the path where the wordlist is stored?

Answer: /usr/share/wordlists/passwords/rockyou.txt

You can search for a wordlist about a specific subject (eg. facebook) wordlistctl search facebook or list all wordlists from a category (eg. fuzzing) wordlistctl list -g fuzzing.

Question 2. What is the name of the first wordlist in the usernames category?

Answer: CommonAdminBase64

Task 4: Cracking tools, modes & rules

Finally you’ll need a cracking tool; the 2 very common ones are John the Ripper and hashcat.

There are several modes of cracking you can use:

  • Wordlist mode, which consists in trying all words contained in a dictionary. For example, a list of common passwords, a list of usernames, etc.
  • Incremental mode, which consists in trying all possible character combinations as passwords. This is powerful but much slower, especially if the password is long.
  • Rule mode, which consists in using the wordlist mode while adding a pattern to, or mangling, each string. For example adding the current year, or appending a common special character.

There are 2 ways of performing a rule based bruteforce:

  1. Generating a custom wordlist and using the classic wordlist mode with it.
  2. Using a common wordlist and telling the cracking tool to apply some custom mangling rules to it.

The second option is much more powerful, as you won't waste gigabytes storing tons of wordlists and waste time generating ones you will use only once. Rather, keep a few interesting lists and apply various mangling rules that you can re-use over different wordlists.

John the Ripper already includes various mangling rules, but you can create your own and apply them to the wordlist when cracking:

$ john hash.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt --rules=norajCommon02

You can consult John the Ripper Wordlist rules syntax for creating your own rules.
I’ll give you the main ideas of mutation rules; of course several can be combined together.

  • Border mutation — commonly used combinations of digits and special symbols can be added at the end or at the beginning, or both
  • Freak mutation — letters are replaced with similarly looking special symbols
  • Case mutation — the program checks all variations of uppercase/lowercase letters for any character
  • Order mutation — character order is reversed
  • Repetition mutation — the same group of characters are repeated several times
  • Vowels mutation — vowels are omitted or capitalized
  • Strip mutation — one or several characters are removed
  • Swap mutation — some characters are swapped and change places
  • Duplicate mutation — some characters are duplicated
  • Delimiter mutation — delimiters are added between characters

Depending on your distribution, the John configuration may be located at /etc/john/john.conf and/or /usr/share/john/john.conf. To locate the JtR install directory run locate john.conf, then create john-local.conf in the same directory (in my case /usr/share/john/john-local.conf) and create our rules in there.

Let’s use the top 10 000 most used password list from SecLists (/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt) and generate a simple border mutation by appending all 2-digit combinations at the end of each password.
Let's edit /usr/share/john/john-local.conf and add a new rule:

Now let’s crack the SHA1 hash 2d5c517a4f7a14dcb38329d228a7d18a3b78ce83. We just have to write the hash in a text file and specify the hash type, the wordlist and our rule name:

john hash.txt --format=raw-sha1 --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt --rules=THM01

What was the password?

Answer: moonligh56
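To make the mutation kinds above concrete, here is an added example (not the room's or the author's code) that implements a few of them in Python and runs them over a constructed mini-wordlist the way John does with --rules=THM01; the border() function is the Python equivalent of the rule '$[0-9]$[0-9]', and the target hash in the demo is built from a known plaintext rather than taken from the room.

```python
"""Added example, not the room's or the author's code: a toy wordlist
cracker that applies the mutation kinds listed above, so you can see
what a John rule such as THM01 does before writing it."""
import hashlib
import itertools

# Constructed stand-in for 10k-most-common.txt (a few entries only).
WORDS = ["password", "moonligh", "letmein", "mexico", "dragon"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}

def border(word):
    """Border mutation, the John rule '$[0-9]$[0-9]': append 00..99."""
    for d in itertools.product("0123456789", repeat=2):
        yield word + "".join(d)

def order(word):
    """Order mutation, the John/hashcat rule 'r': reverse the string."""
    yield word[::-1]

def freak(word):
    """Freak (l33t) mutation: every subset of the replaceable letters."""
    spots = [i for i, c in enumerate(word) if c in LEET]
    for n in range(len(spots) + 1):
        for chosen in itertools.combinations(spots, n):
            yield "".join(LEET[c] if i in chosen else c
                          for i, c in enumerate(word))

def case(word):
    """Case mutation: every upper/lower combination of the letters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def digest(text, algo="sha1"):
    """Hex digest of a candidate; algo is a hashlib name (sha1, md5, ...)."""
    return hashlib.new(algo, text.encode()).hexdigest()

def crack(target_hex, words, rule, algo="sha1"):
    """First candidate whose digest equals target_hex, else None: the same
    loop 'john --format=raw-sha1 --wordlist=... --rules=THM01' runs."""
    target_hex = target_hex.lower()
    for word in words:
        for candidate in rule(word):
            if digest(candidate, algo) == target_hex:
                return candidate
    return None

if __name__ == "__main__":
    # Target built from a known plaintext (constructed, not the room's hash).
    print(crack(digest("moonligh56"), WORDS, border))  # moonligh56
```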

Task 5: Custom wordlist generation

As I said in the previous task, mangling rules avoid wasting storage space and time, but there are some cases where generating a custom wordlist could be a better idea:

  • You will often re-use the wordlist, generating one will save computation power rather than using a mangling rule
  • You want to use the wordlist with several tools
  • You want to use a tool that supports wordlists but not mangling rules
  • You find the custom rule syntax of John too complex

Question 1. Crack the following md5 hash with the wordlist generated in the previous steps.

Answer: mOlo$$u$

Now let’s use CeWL to generate a wordlist from a website. It could be useful to retrieve a lot of words related to the password’s topic.

For example to download all words from example.org with a depth of 2, run:
cewl -d 2 -w $(pwd)/example.txt https://example.org
The depth is the number of link levels the spider will follow.

What is the last word of the list?

Answer: information

With TTPassGen we can craft wordlists from scratch. Install it with:

pip install ttpassgen

Create a first wordlist containing all 4-digit PIN code values.

ttpassgen --rule '[?d]{4:4:*}' pin.txt

Generate a list of all lowercase chars combinations of length 1 to 3.

ttpassgen --rule '[?l]{1:3:*}' abc.txt

Then we can create a new wordlist that is a combination of several wordlists. Eg. combine the PIN wordlist and the letter wordlist separated by a dash.

ttpassgen --dictlist 'pin.txt,abc.txt' --rule '$0[-]{1}$1' combination.txt

Be warned: combining wordlists quickly generates huge files. Here combination.txt is 1.64 GB.

$ wc pin.txt 
10000 10000 50000 pin.txt
$ wc abc.txt
18278 18278 72384 abc.txt
$ wc combination.txt
182780000 182780000 1637740000 combination.txt
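The wc output shows why it pays to size a combination before writing it. The script below is an added example (not ttpassgen or the author's code): it builds the same PIN and letter lists in Python, computes the line and byte count of the '$0[-]{1}$1' combination without enumerating it (the numbers match the wc output above exactly), and streams the combinations so a cracker can consume them without the 1.64 GB file.

```python
"""Added example (not ttpassgen or the author's code): build the PIN and
letter lists, size their combination before writing it, and stream it."""
import itertools
import string

def pin_list():
    """All 4-digit PINs, like: ttpassgen --rule '[?d]{4:4:*}' pin.txt"""
    return ["".join(p) for p in itertools.product(string.digits, repeat=4)]

def letter_list(min_len=1, max_len=3):
    """All lowercase combinations of length 1..3, like '[?l]{1:3:*}'."""
    return ["".join(p) for n in range(min_len, max_len + 1)
            for p in itertools.product(string.ascii_lowercase, repeat=n)]

def file_size(words):
    """Bytes the list occupies on disk, one word per line (what wc -c reports)."""
    return sum(len(w) + 1 for w in words)

def combine(left, right, sep="-"):
    """Stream the '$0[-]{1}$1' combinations instead of materialising them."""
    for a in left:
        for b in right:
            yield f"{a}{sep}{b}"

def combined_size(left, right, sep="-"):
    """(line count, byte count) of combine() output, computed without
    enumerating the cross product."""
    lines = len(left) * len(right)
    left_bytes = sum(len(a) + len(sep) + 1 for a in left)   # word + sep + newline
    right_bytes = sum(len(b) for b in right)
    return lines, len(right) * left_bytes + len(left) * right_bytes

if __name__ == "__main__":
    pins, letters = pin_list(), letter_list()
    print(len(pins), file_size(pins))        # 10000 50000, as wc pin.txt
    print(len(letters), file_size(letters))  # 18278 72384, as wc abc.txt
    print(combined_size(pins, letters))      # (182780000, 1637740000)
    # Only write the file once the size is acceptable:
    # with open("combination.txt", "w") as f:
    #     f.writelines(c + "\n" for c in combine(pins, letters))
```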

Crack this md5 hash with combination.txt.

e5b47b7e8df2597077e703c76ee86aee

Answer: 1551-li

Task 6: It’s time to crack hashes

You will have to crack several hashes. For each hash you will be given a short scenario that will help you create a mangling rule, build a wordlist or find some specialized data you’ll need to crack the hash.

The scenarios are located on the website: Password advisor (http://10.10.92.247), each piece of advice matches one of the following hashes (in the same order).

Question 1. Advice n°1 b16f211a8ad7f97778e5006c7cecdf31

Hint: English male name, MD5, Border mutation, custom rule

The hint says the password uses a border mutation, where we add a combination of digits and/or special characters to one or both ends of the word. If we do it by creating wordlists, it will take too much time and storage. To get around this, we can use mangling rules, as the room teaches in one of the previous tasks. For this task we only need the 5-character digit/special-character combinations, eg: xxxxxname, xxxxnamex, xxxnamexx, xxnamexxx, xnamexxxx, namexxxxx, where x is either a special character or a digit.

Adding rule in john.conf
locate john.conf
leafpad /etc/john/john.conf

Download Rules from the link

http://s000.tinyupload.com/index.php?file_id=07601583944998921775

SAM01 is the name of the rule; you will call it with --rules=SAM01.

Question 2. Advice n°2 7463fcb720de92803d179e7f83070f97
Hint: English female name, MD5, Border mutation, custom rule

Following from the previous question, open the john.conf file and replace the line starting with cAz… with the following:

(Don’t replace [List.Rules:SAM01], replace the rule below it)

So now it's done.

This time I sorted the names from longest to shortest so I could skip the really short names, as I didn’t think they would be used here, and save some time.

awk '{ print length($0) " " $0 }' femalenames-usa-top1000.txt | sort -r -n | cut -d ' ' -f 2- > sorted_female.txt

Question 3. Advice n°3 f4476669333651be5b37ec6d81ef526f

Hint: Town name of Mexico, MD5, Freak mutation, mentalist tool

Remove spaces from file

cat cities.txt | tr -d "[:blank:]"

Change Uppercase to Lowercase

cat cities.txt | tr '[:upper:]' '[:lower:]'

We will use the default l33t rule, which tries different combinations of letter replacements, eg: Mexico -> M3x1c0 or M3x1co and so on.

Question 4. Advice n°4 a3a321e1c246c773177363200a6c0466a5030afc

Hint: User’s own name, SHA1, case mutation with existing rule

The password is case mutated, where the lowercase and uppercase of different characters are toggled, and we can use a default rule for this. The default rule to use here is NT (Credit).

Question 5. Advice n°5 d5e085772469d544a447bc8250890949
Hint: Lyrics, MD5, Order mutation, lyricpass

echo 'd5e085772469d544a447bc8250890949' > hash.txt
git clone https://github.com/initstring/lyricpass.git
I changed the file names using mv:
mv wordlist-2021-02-15-17.52.57 wordlist
mv raw-lyrics-2021-02-15-17.52.57 raw-lyrics

As listed here, we can make use of the hashcat rule for reversing characters ‘r’.

# Create a rule using mask processor, which is usually bundled with hashcat:
mp64 -o reverse.rule 'r'

If you don't have mp64 (mask processor), you can make the rule without it:

echo 'r' > reverse.rule

Then run hashcat in MD5 mode with the raw lyrics wordlist and the reverse rule:

hashcat -m 0 hash.txt raw-lyrics -r reverse.rule

Question 6. Advice n°6 377081d69d23759c5946a95d1b757adc

Hint: Phone number, MD5, No mutation, pnwgen

echo 377081d69d23759c5946a95d1b757adc > hash.txt

Searching for Sint Maarten phone number online reveals +1 721 and counting the asterisks in TryHackMe answer box gives us 12 characters.

  • 1 721–555–1212 -> +17215551212 (12 chars)
    We know that it will always start with +1721 (first 5 chars) so we only need to brute-force the last 7 chars.
    Eg: +1721xxxxxxx

I know that the question hints towards using pnwgen, but I felt comfortable using ttpassgen even though I got it wrong a few times at the start.

Crack the hash

Question 7. Advice n°7 ba6e8f9cd4140ac8b8d2bf96c9acd2fb58c0827d556b78e331d1113fcbfe425ca9299fe917f6015978f7e1644382d1ea45fd581aed6298acde2fa01e7d83cdbd

Hint: Rockyou, SHA3-512, No mutation

Question 8. Advice n°8 9f7376709d3fe09b389a27876834a13c6f275ed9a806d4c8df78f0ce1aad8fb343316133e810096e0999eaf1d2bca37c336e1b7726b213e001333d636e896617

Hint: Web scraping, blake2, Repetition, CeWL

I was getting an error when I tried cracking the hash, but it turns out I wrote it in the wrong format. Following on from the previous link, we find that the correct format for the BLAKE2 hash is to add $BLAKE2$ at the start of the hash.

Add rules in john.conf

Question 9. Advice n°9 $6$kI6VJ0a31.SNRsLR$Wk30X8w8iEC2FpasTo0Z5U7wke0TpfbDtSwayrNebqKjYWC4gjKoNEJxO/DkP.YFTLVFirQ5PEh4glQIHuKfA/

Hint: Rockyou, SHA512-crypt, No mutation

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher


Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer