Merry Christmas 2024 - hashpwn Wordlist Challenge

cyclone

@oe3p32wedw Great job! Thanks, you as well.

cyclone

Congrats to those who have completed the challenge so far!

New hint (#2) dropped for those still working on the challenge.

cyclone

New hint (#3) dropped for download_link.zip.

alivala

It was a fun challenge, thank you very much for it!

cyclone

@alivala Thanks for the feedback; glad you enjoyed the challenge!

cyclone

We're up to 9 users who have completed the challenge. Who will be next?

New hint (#4) dropped.

ivan

@cyclone Thank you so much for the interesting quest, the main problem is poor English language skills.

cyclone

@ivan Great job completing the challenge! Enjoy the hashpwn wordlist.

cyclone

New hint (#5) dropped.

cyclone

Congrats to the 11 users who have completed the challenge so far!

The final clue was posted (#6).

cyclone

Merry Christmas to all those who played along, and congrats to the 14 users who successfully completed the challenge and downloaded the hashpwn wordlist.

hashpwn wordlist download link:
https://forum.hashpwn.net/post/237

casper_

I was stuck here and couldn't get any further. Thanks for the the challenge

"This looks like XOR to me...
iuuqr;..fnghmd/hn.e.343c`5de,4d4`,5903,`176,d89`17g8c53d"

cyclone

@casper_ You made it to the last step! That string is the download URL which has been XOR'd using a key. Spoiler details below:

Spoiler

To XOR the string, you need to find the XOR key.

For simplicity, the challenge used HEX 0x01 which could be guessed very easily, especially when brute forcing the key.

Below are several examples of XORing the string back to plaintext. CyberChef runs in browser, and the Python3, Go and C code can either be run from your local PC or on an online compiler.

CyberChef:
https://gchq.github.io/CyberChef/#recipe=XOR({'option':'Hex','string':'1'},'Standard',false)&input=aXV1cXI7Li5mbmdobWQvaG4uZS4zNDNjYDVkZSw0ZDRgLDU5MDMsYDE3NixkODlgMTdnOGM1M2Q

Python3
input_str = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"

hex_key = 0x01

output = ''.join(chr(ord(c) ^ hex_key) for c in input_str)

print(f"String:\t{input_str}")
print(f"Key:\t{hex(hex_key)}")
print(f"Output:\t{output}")

Go
package main

import (
"fmt"
)

func xorString(input string, key byte) string {
output := make([]byte, len(input))
for i := 0; i < len(input); i++ {
output[i] = input[i] ^ key
}
return string(output)
}

func main() {
inputStr := "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d"
hexKey := byte(0x01)

    output := xorString(inputStr, hexKey)

    fmt.Printf("String:\t%s\n", inputStr)
    fmt.Printf("Key:\t0x%X\n", hexKey)
    fmt.Printf("Output:\t%s\n", output)

}

C

#include <stdio.h>
#include <string.h>

void xorString(const char *input, char *output, unsigned char key) {
size_t len = strlen(input);
for (size_t i = 0; i < len; i++) {
output[i] = input[i] ^ key;
}
output[len] = '\0';
}

int main() {
const char *inputStr = "iuuqr;..fnghmd/hn.e.343c5de,4d4,5903,176,d8917g8c53d";
unsigned char hexKey = 0x01;
char output[256];

xorString(inputStr, output, hexKey);

printf("String:\t%s\n", inputStr);
printf("Key:\t0x%X\n", hexKey);
printf("Output:\t%s\n", output);

return 0;

}

v1cvap0r

@casper_ said in Merry Christmas 2024 - hashpwn Wordlist Challenge:

I was stuck here and couldn't get any further. Thanks for the the challenge

"This looks like XOR to me...
iuuqr;..fnghmd/hn.e.343c`5de,4d4`,5903,`176,d89`17g8c53d"

Same here. Completely out of my "confort zone".
Kudos to @cyclone for his initiative and willingness to help.

cyclone

@v1cvap0r @casper_ The XOR string was meant to throw a small curve ball at the end of the challenge. Those familiar with programming and/or cryptography would be familiar with such bitwise ops, but it would likely be something new to other users.

karkajoi

@cyclone Thank you to the author for such an interesting puzzle!