Part 1: Password

This first stage of the challenge provides us with hash.txt which contains the following hash:

$ cat hash.txt
aad3b435b51404eeaad3b435b51404ee:b269f3bb4933d8aa6597cfd2de75397e

Looking at this hash the 1st part is a LM hash and the 2nd part is the NTLM hash that we need to crack. Save the NTLM hash to ntlm.txt.

The description for this stage leads me to believe that the hash can be cracked with a Mask attack using hashcat.

$ hashcat -a 3 -m 1000 ntlm.txt -1 ?u?l?d -i --increment-min=5 ?1?1?1?1?1?1?1

The above command has several parameters;

• -a 3 specifies attack mode 3 (Brute-force)
• -m 1000 specifies we are trying to crack a NTLM hash
• -1 specifies we want to use a custom charset
• ?u?l?d specifies that we want our custom charset to include both uppercase and lowercase letters and digits
• -i —increment-min=5 specifies that we want the minimum password length to be 5 (this is a guess on my part that it would not be lower than this)
• ?1?1?1?1?1?1?1 is the mask and it is 7 characters long since the challenge description told us the password is less than 8 characters in length

$ hashcat --show ntlm.txt
b269f3bb4933d8aa6597cfd2de75397e:H4cky21

Fantastic we have the flag for part 1: H4cky21

Part 2: Scorching