Merry Christmas 2024 - hashpwn Wordlist Challenge

oe3p32wedw

Looks like Cyclone Claus has decided to make Christmas even more interesting! I'll start:

[secret hints redacted]

Spoiler

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:
a3b142af6e97cfc3bb23e409ab83467af7d16ded7dc0632be6a6a9023e49ce8b:use
c0a76c5ca97bce57d556a29475277e034cff23af95147427d963262dda0ed800:cyclone's
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8:password
663ea1bfffe5038f3f0cf667f14c4257eff52d77ce7f2a218f72e9286616ea39:to
e6640de835ad09fb0a7367ee2e0ba99d0142c139db0272146e35538bd07479fc:find
b9776d7ddf459c9ad5b0e1d6ac61e27befb5e99fd62446677600d7cacef544d0:the
e8cbf88eeadc69f74c63bb3f0d5854c27edef862bf2aea5d3882dd8d14c4a1f2:hashpwn
3d1a82560169c2bbcd369a8c3c8a9207d59c7a8c3b7670a78dceb3d678380d15:wordlist
8fd3789a35780884e67ad076288b0d1758dcbd361733ff9d934f9fc029e4d3f7:$HEX[68696e74733a] (hints:)
3aeb002460381c6f258e8395d3026f571f0d9a76488dcd837639b13aed316560:github.com
8a5edab282632443219e051e4ade2d1d5bbc671c781051bf1437897cbdfea0f1:/
9bfa0b50a90e669907e78780bcc1e5e972742e0d124b30a67fbeb6371c604891:spider

I'll start adding more tips now

cyclone

@oe3p32wedw Looks like you're doing great! Let's keep the hints you found a secret so we don't spoil it for anyone else playing along!

If anyone would like to post their progress, feel free to post a link on https://paste.hashpwn.net

v1cvap0r

One left for me [removed expired url]

oe3p32wedw

I've found interesting link But Idk what the password is... Am I on the right way? @cyclone

cyclone

@oe3p32wedw
DM sent.

cyclone

A new hint (#1) and a few notations were made to the OP.

oe3p32wedw

It was fun! Thanks for your hard work, @cyclone
May the coming year bring you all success and happiness!

cyclone

@oe3p32wedw Great job! Thanks, you as well.

cyclone

Congrats to those who have completed the challenge so far!

New hint (#2) dropped for those still working on the challenge.

cyclone

New hint (#3) dropped for download_link.zip.

alivala

It was a fun challenge, thank you very much for it!

cyclone

@alivala Thanks for the feedback; glad you enjoyed the challenge!

cyclone

We're up to 9 users who have completed the challenge. Who will be next?

New hint (#4) dropped.

ivan

@cyclone Thank you so much for the interesting quest, the main problem is poor English language skills.

cyclone

@ivan Great job completing the challenge! Enjoy the hashpwn wordlist.

cyclone

New hint (#5) dropped.

cyclone

Congrats to the 11 users who have completed the challenge so far!

The final clue was posted (#6).

cyclone

Merry Christmas to all those who played along, and congrats to the 14 users who successfully completed the challenge and downloaded the hashpwn wordlist.

hashpwn wordlist download link:
https://forum.hashpwn.net/post/237

casper_

I was stuck here and couldn't get any further. Thanks for the the challenge

"This looks like XOR to me...
iuuqr;..fnghmd/hn.e.343c`5de,4d4`,5903,`176,d89`17g8c53d"

cyclone

@casper_ You made it to the last step! That string is the download URL which has been XOR'd using a key. Spoiler details below:

Spoiler

To XOR the string, you need to find the XOR key.

For simplicity, the challenge used HEX 0x01 which could be guessed very easily, especially when brute forcing the key.

Below are several examples of XORing the string back to plaintext. CyberChef runs in browser, and the Python3, Go and C code can either be run from your local PC or on an online compiler.

CyberChef:
https://gchq.github.io/CyberChef/#recipe=XOR({'option':'Hex','string':'1'},'Standard',false)&input=aXV1cXI7Li5mbmdobWQvaG4uZS4zNDNjYDVkZSw0ZDRgLDU5MDMsYDE3NixkODlgMTdnOGM1M2Q

Python3
input_str = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"

hex_key = 0x01

output = ''.join(chr(ord(c) ^ hex_key) for c in input_str)

print(f"String:\t{input_str}")
print(f"Key:\t{hex(hex_key)}")
print(f"Output:\t{output}")

Go
package main

import (
"fmt"
)

func xorString(input string, key byte) string {
output := make([]byte, len(input))
for i := 0; i < len(input); i++ {
output[i] = input[i] ^ key
}
return string(output)
}

func main() {
inputStr := "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"
hexKey := byte(0x01)

    output := xorString(inputStr, hexKey)

    fmt.Printf("String:\t%s\n", inputStr)
    fmt.Printf("Key:\t0x%X\n", hexKey)
    fmt.Printf("Output:\t%s\n", output)

}

C

#include <stdio.h>
#include <string.h>

void xorString(const char *input, char *output, unsigned char key) {
size_t len = strlen(input);
for (size_t i = 0; i < len; i++) {
output[i] = input[i] ^ key;
}
output[len] = '\0';
}

int main() {
const char *inputStr = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d";
unsigned char hexKey = 0x01;
char output[256];

xorString(inputStr, output, hexKey);

printf("String:\t%s\n", inputStr);
printf("Key:\t0x%X\n", hexKey);
printf("Output:\t%s\n", output);

return 0;

}