hashpwn

Crack the Con 2026 is offically over, and great job to everyone who participated! 1st place - HashMob Lite 2nd place - PizzaPlannet (hashcat, is that you?) 3rd place - hash_meltdown Final scoreboad: [image: 1775182625518-f6431215-1098-43e3-98a1-71e57433388e-image.jpeg] [image: 1775182656561-3b555f9e-1c87-46c1-87f9-7dbb2e5e806e-image.jpeg] [image: 1775182667583-73af4e73-bc7f-4600-afc0-4b9beec5fde3-image.jpeg]

@Silver0666 I've run into this before as well. You can either modify the hashcat kernel to allow longer tokens, or use hashcat's metamask2hashcat.py to generate a "short" -m 26610 hash. https://github.com/hashcat/hashcat/blob/master/tools/metamask2hashcat.py

The built-in seeds in rulest are now five categories of numeric rule chains (prepend/append, mixed, transform+digit, date patterns) automatically generated and tested against the bloom filter in Phase S. These seeds help extract common numeric transformations (e.g., adding years, digits) without requiring manual input. The --no-builtin-seeds parametr disables Phase S entirely. Use it when: Your target wordlist contains few or no numeric patterns. You want to reduce GPU runtime by skipping thousands of numeric seeds. You rely solely on atomic rules (Phase 1) and random chains (Phase 2) or your own --seed-rules file. Without this flag, Phase S always runs, testing chains up to depth 4 (e.g., ^1 ^2, $1 $9 $9 $0, u $1 and date patterns like $0 $1 $0 $1 $2 $0 $2 $4).

Full Hashcat operator coverage: Added missing operators (k, K, *, L, R, +, -, ., ,, y, Y, - E, e, 3, _) to the rule engine and validation. Reject rules now accepted (treated as pass-through in functional minimization). GPU validation extended to include all new operators. Expanded rule format now correctly tokenizes every operator. Improved stability with memory/reject operators gracefully handled in all modes.

v0.5.2; 2026-03-23 https://github.com/cyclone-github/pcfg-go/releases/tag/v0.5.2 Fixed Issue #5 -n {nth} not outputting

75266_found.txt 11206738_left

Forum Update: Small Bug Fixed Thanks to one of our members who noticed something odd while browsing the forum using the German language setting. After a little digging, I found a bug in the Stats plugin default DE language config that caused a static domain to appear in the member statistics text: .../languages/de/board-stats.json { ... "registered-members": ... Mitglieder sind bei <em>schoenen-dunk.de</em> registriert.", ... } The German language file for the Stats plugin had a hard-coded URL in the default board-stats.json configuration. Because the plugin is installed through the official NodeBB plugin manager, this quirk affects all forums running the same Stats plugin, so I suspect schoenen-dunk{.}de will be enjoying some unexpected extra traffic until this is fixed in the upstream GitHub repo. The issue has now been corrected on our end and a PR submitted to NodeBB-Community so it can be corrected upstream. DE Stats plugin showing static URL: [image: 1773526802677-6bf3c079-4cc4-4b0a-93e9-81da6b7e5f55-image.jpeg] Upstream GitHub file: https://github.com/NodeBB-Community/nodebb-widget-board-stats/blob/master/public/languages/de/board-stats.json PR submitted by cyclone: https://github.com/NodeBB-Community/nodebb-widget-board-stats/pull/5 Update: 2026/03/15 - GitHub PR#5 merged, upstream code fixed.

solflare_pwn v0.3.1 released includes xpass exploit, details here: https://forum.hashpwn.net/post/11116 https://github.com/cyclone-github/solflare_pwn/releases/tag/v0.3.1

Update: Details of the Solflare “xpass” Exploit March 13, 2026 [image: 1773412854934-c25dc614-d139-4de7-9c3b-da142cb773bb-image.png] In Feb 2025, I reported an exploit vulnerability in the Solflare Chrome wallet which allowed the wallet vault (solflaredata) to be decrypted without the user's password. Original post from Feb 2025: https://forum.hashpwn.net/post/416 Turns out, this was a backdoor, not a bug. Today, I am releasing the full details of the xpass exploit, aka the "backdoor master key". https://forum.hashpwn.net/post/11116

Update: Details of the Solflare “xpass” Exploit March 13, 2026 Over the past year I have received many requests asking when I would release the full details of the Solflare xpass exploit. Today, I am publishing those details. This post serves as an update to my original disclosure in Feb 2025 regarding a purposeful backdoor master key I discovered in the Solflare Chrome wallet extension that allows a wallet vault to be decrypted without requiring the user's wallet password. At the time of the original report I privately disclosed this to Solflare and delayed public publication to give Solflare time to address the exploit. The Core Issue Solflare stores two critical values inside the extension's LevelDB storage: solflaredata – encrypted wallet vault containing the seed phrase <-- this encrypted string contains the wallet seed phrase solflarexpass – a key used to decrypt the vault <-- the "backdoor master key" Because the decryption key is stored locally alongside the encrypted vault, the user's wallet password is not required to decrypt the vault and gain access to the wallet's seed phrase. All that is required to decrypt the wallet and gain access to the seed phrase is access to the Chrome extension storage and extraction of the solflarexpass key -- something very easy for a malicious actor or stealer malware to do. Once the vault is extracted with the key, the seed phrase can be recovered. No password cracking required. Example Storage Layout Inside the Chrome Solflare extension storage database the relevant entries appear similar to: solflaredata: { "data":{ "digest":"sha256", "encoding":"base64", "encrypted64":"..." } } solflarexpass: "<stored key>" Using the key stored in solflarexpass, the encrypted vault (solflaredata) can be decrypted. A screenshot of the original report is attached below. [image: 1773412854934-c25dc614-d139-4de7-9c3b-da142cb773bb-image.png]

@cyclone Trying to extract the vault gives me checksum mistakes with Chrome

Some of the above wordlists are now available via mirrors thanks to weakpass.com, so if you encounter download limits from Mega you can use these links instead Goodies_v1 Goodies_v2 Archive Archive.founds Triodante A1131 top_passwords

trustwallet_pwn toolkit has been released which supports extracting and decrypting Chrome based Trust Wallet browser extensions for password and seed phrase recovery. https://forum.hashpwn.net/post/10795

trustwallet_pwn toolkit has been released which supports extracting and decrypting Chrome based Trust Wallet browser extensions for password and seed phrase recovery. https://forum.hashpwn.net/post/10795

I confirm. None of the ready-made extractor or decryptor programs worked with the Zen browser. This person sorted out the situation for free, adapted the programs for my browser, and restored my SRP. For that, I'm incredibly grateful.