Merry Christmas 2024 - hashpwn Wordlist Challenge

cyclone

@oe3p32wedw Looks like you're doing great! Let's keep the hints you found a secret so we don't spoil it for anyone else playing along!

If anyone would like to post their progress, feel free to post a link on https://paste.hashpwn.net

v1cvap0r

One left for me [removed expired url]

oe3p32wedw

I've found interesting link But Idk what the password is... Am I on the right way? @cyclone

cyclone

@oe3p32wedw
DM sent.

cyclone

A new hint (#1) and a few notations were made to the OP.

oe3p32wedw

It was fun! Thanks for your hard work, @cyclone
May the coming year bring you all success and happiness!

cyclone

@oe3p32wedw Great job! Thanks, you as well.

cyclone

Congrats to those who have completed the challenge so far!

New hint (#2) dropped for those still working on the challenge.

cyclone

New hint (#3) dropped for download_link.zip.

alivala

It was a fun challenge, thank you very much for it!

cyclone

@alivala Thanks for the feedback; glad you enjoyed the challenge!

cyclone

We're up to 9 users who have completed the challenge. Who will be next?

New hint (#4) dropped.

ivan

@cyclone Thank you so much for the interesting quest, the main problem is poor English language skills.

cyclone

@ivan Great job completing the challenge! Enjoy the hashpwn wordlist.

cyclone

New hint (#5) dropped.

cyclone

Congrats to the 11 users who have completed the challenge so far!

The final clue was posted (#6).

cyclone

Merry Christmas to all those who played along, and congrats to the 14 users who successfully completed the challenge and downloaded the hashpwn wordlist.

hashpwn wordlist download link:
https://forum.hashpwn.net/post/237

casper_

I was stuck here and couldn't get any further. Thanks for the the challenge

"This looks like XOR to me...
iuuqr;..fnghmd/hn.e.343c`5de,4d4`,5903,`176,d89`17g8c53d"

cyclone

@casper_ You made it to the last step! That string is the download URL which has been XOR'd using a key. Spoiler details below:

Spoiler

To XOR the string, you need to find the XOR key.

For simplicity, the challenge used HEX 0x01 which could be guessed very easily, especially when brute forcing the key.

Below are several examples of XORing the string back to plaintext. CyberChef runs in browser, and the Python3, Go and C code can either be run from your local PC or on an online compiler.

CyberChef:
https://gchq.github.io/CyberChef/#recipe=XOR({'option':'Hex','string':'1'},'Standard',false)&input=aXV1cXI7Li5mbmdobWQvaG4uZS4zNDNjYDVkZSw0ZDRgLDU5MDMsYDE3NixkODlgMTdnOGM1M2Q

Python3
input_str = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"

hex_key = 0x01

output = ''.join(chr(ord(c) ^ hex_key) for c in input_str)

print(f"String:\t{input_str}")
print(f"Key:\t{hex(hex_key)}")
print(f"Output:\t{output}")

Go
package main

import (
"fmt"
)

func xorString(input string, key byte) string {
output := make([]byte, len(input))
for i := 0; i < len(input); i++ {
output[i] = input[i] ^ key
}
return string(output)
}

func main() {
inputStr := "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"
hexKey := byte(0x01)

    output := xorString(inputStr, hexKey)

    fmt.Printf("String:\t%s\n", inputStr)
    fmt.Printf("Key:\t0x%X\n", hexKey)
    fmt.Printf("Output:\t%s\n", output)

}

C

#include <stdio.h>
#include <string.h>

void xorString(const char *input, char *output, unsigned char key) {
size_t len = strlen(input);
for (size_t i = 0; i < len; i++) {
output[i] = input[i] ^ key;
}
output[len] = '\0';
}

int main() {
const char *inputStr = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d";
unsigned char hexKey = 0x01;
char output[256];

xorString(inputStr, output, hexKey);

printf("String:\t%s\n", inputStr);
printf("Key:\t0x%X\n", hexKey);
printf("Output:\t%s\n", output);

return 0;

}

v1cvap0r

@casper_ said in Merry Christmas 2024 - hashpwn Wordlist Challenge:

I was stuck here and couldn't get any further. Thanks for the the challenge

"This looks like XOR to me...
iuuqr;..fnghmd/hn.e.343c`5de,4d4`,5903,`176,d89`17g8c53d"

Same here. Completely out of my "confort zone".
Kudos to @cyclone for his initiative and willingness to help.