Edit: Well done to @hops_ch for being the first to complete and win the prize!
We offer a Password Audit service because we are passionate about ensuring our clients adequately protect their accounts from compromise. The variety of methods that can be used to attack passwords inspired us to create a challenge of multiple levels of differing complexity, with some loot for the first to complete them all! We hope you enjoy attempting (and completing) it; the passwords you crack should also serve as a reminder that many of us don't realise how vulnerable our passwords really are.
We’ll let you know how to solve all the levels in a later post.
12 levels. Only two wordlists are required: rockyou.txt (shipped with Kali as /usr/share/wordlists/rockyou.txt.gz; gunzip it before use) and the Google Top 10000 words list.
The first to complete all of them will be able to unlock…
An Ethereum wallet containing 0.225 ETH (circa $100 at the time of writing). You will need an existing Ethereum address of your own ready, so that you can quickly send yourself the prize before someone else beats you to it!
The final password to access the Ethereum wallet will be the passwords/flags of all 12 levels, concatenated together in numerical order, with no separator and with any spaces inside a flag kept as they are. For example, if the passwords/flags for the levels were:
- Level 1: passw0rd!
- Level 2: l3tme1n@@
- Level 3: cr4ckmeifYouCan
- Level 4: secret pass 123
- Level 5: monkey12345
- Level 6: St3alth Spl0it
- Level 7: admin123?
- Level 8: incorrect password
- Level 9: C0nfidentiaL Inf0rmation
- Level 10: MrR0b0T!
- Level 11: plane house
- Level 12: r3b00t Us3r!
The password to access the wallet would be:
passw0rd!l3tme1n@@cr4ckmeifYouCansecret pass 123monkey12345St3alth Spl0itadmin123?incorrect passwordC0nfidentiaL Inf0rmationMrR0b0T!plane houser3b00t Us3r!
Once you have the final password, head over to https://www.myetherwallet.com/#send-transaction quickly to claim your prize!
All you'll need to do is upload the wallet keystore file (a JSON file provided with the CTF) and enter the final password. After doing that you'll see the screen below, where you can send your loot to your own Ethereum wallet.
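Added example (not from the original post): a short Python script that builds the final password from a hashcat potfile, the file in which hashcat records every crack as hashfield:plaintext in the order the cracks happened rather than in level order. The hashes and potfile lines are constructed here from the post's own example flags (MD5 of each, one of them in a salted hash:salt form, one plaintext stored in hashcat's $HEX[...] form) so that it runs offline without hashcat; they are not the real level hashes. It refuses to emit a partial string, since a password with one level missing is useless against the wallet.

```python
import binascii
import hashlib
from typing import List, Optional, Tuple

# The post's own example flags, in level order 1..12.
EXAMPLE_FLAGS = [
    "passw0rd!", "l3tme1n@@", "cr4ckmeifYouCan", "secret pass 123",
    "monkey12345", "St3alth Spl0it", "admin123?", "incorrect password",
    "C0nfidentiaL Inf0rmation", "MrR0b0T!", "plane house", "r3b00t Us3r!",
]
EXPECTED_FINAL = "".join(EXAMPLE_FLAGS)  # no separator, spaces kept


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed hash field per level, exactly as hashcat would read it from the
# hash file (assumption: these are NOT the real CTF hashes). Level 5 is given
# the salted form hash:salt used by md5($pass.$salt) (hashcat mode 10), so that
# one hash field itself contains a colon; the rest are plain MD5.
SALT = "e5"


def hash_field(level: int) -> str:
    flag = EXAMPLE_FLAGS[level - 1]
    if level == 5:
        return _md5(flag + SALT) + ":" + SALT
    return _md5(flag)


LEVELS: List[Tuple[int, str]] = [(n, hash_field(n)) for n in range(1, 13)]


def build_sample_potfile() -> List[str]:
    """Constructed hashcat.potfile contents: 'hashfield:plain', one line per
    crack, in crack order rather than level order. One plaintext is stored in
    hashcat's $HEX[...] form (hashcat uses it when a plaintext contains bytes
    it will not write raw); here it only exercises the decoder."""
    lines = []
    for n in (3, 11, 1, 5, 12, 7, 2, 9, 4, 10, 6, 8):
        plain = EXAMPLE_FLAGS[n - 1]
        if n == 11:
            plain = "$HEX[" + binascii.hexlify(plain.encode()).decode() + "]"
        lines.append(hash_field(n) + ":" + plain)
    return lines


def decode_potfile_plain(plain: str) -> str:
    """Undo hashcat's $HEX[...] encoding; other plaintexts are returned as-is."""
    if plain.startswith("$HEX[") and plain.endswith("]"):
        return binascii.unhexlify(plain[5:-1]).decode("utf-8", errors="replace")
    return plain


def lookup_plain(field: str, potfile: List[str]) -> Optional[str]:
    """Plaintext for one hash field, or None if hashcat has not cracked it.
    Matching is by the prefix 'field:' rather than by splitting each line on
    its first colon: salted modes and formats such as NetNTLMv2 carry colons
    inside the hash field, and the plaintext itself may contain colons."""
    prefix = field + ":"
    for line in potfile:
        if line.startswith(prefix):
            return decode_potfile_plain(line[len(prefix):])
    return None


def assemble_final_password(levels: List[Tuple[int, str]],
                            potfile: List[str]) -> Tuple[Optional[str], List[int]]:
    """Join every level's plaintext in numerical level order with no separator.
    Returns (final_password, []) when all levels are cracked, otherwise
    (None, [missing level numbers]) so a partial result is never mistaken
    for the wallet password."""
    parts, missing = [], []
    for number, field in sorted(levels):
        plain = lookup_plain(field, potfile)
        if plain is None:
            missing.append(number)
        else:
            parts.append(plain)
    if missing:
        return None, missing
    return "".join(parts), []


if __name__ == "__main__":
    potfile = build_sample_potfile()
    print(assemble_final_password(LEVELS, potfile))
    # Drop level 7's line to show the failure mode (an uncracked level).
    partial = [ln for ln in potfile if not ln.startswith(hash_field(7) + ":")]
    print(assemble_final_password(LEVELS, partial))
```

Before uploading anything, note that the keystore JSON is itself a hashcat target: John the Ripper's ethereum2john.py converts it into a hash that hashcat's Ethereum wallet modes (15600 for PBKDF2 keystores, 15700 for scrypt ones) can check, so the assembled password can be verified offline against the keystore before it is entered anywhere.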
A sneak peek of the winner's new fortune can be seen and tracked below! (don't spend it all at once!)
Decipher the string below to download the zip file. The password to the zip is the square root of the last 4 digits of our phone number (to 5 decimal places). Please ensure you've read the information & advice below before starting. Enjoy!
Information & Advice
- We will periodically release hints on Twitter.
- The levels can be completed in any order. If you’re stuck on one, move on and come back to it later.
- The levels differ in approach and complexity, but they generally get trickier (or require more thinking/work) the higher you go. Think outside the box; not everything is a straight dictionary attack.
- The levels were created and tested using Hashcat v4.1.0.
- If you’re stuck, Google is your best friend. Explore and research different ways to attack.
- Not every level requires cracking a hash – this will be noted in the level where applicable. Read carefully.
- The passwords and their variations have been selected from a couple of common, well known wordlists (you won’t need to download any crazy multi-gigabyte dictionary file).
- We acknowledge individuals with modern hardware will have an advantage in cracking speeds. This is an accepted caveat and is unavoidable in a challenge like this!
In.security was formed by Will and Owen, two cyber security specialists driven to help other organisations stay safe and secure against cyber threats and attacks. Having worked together since 2011 at several former companies, they each gained considerable experience in system/network administration, digital forensics, penetration testing and training. Based in Cambridgeshire but operating nationally, we provide a range of services and training for businesses and individuals alike. Read more about our services below:
- Penetration testing
- Vulnerability assessments
- Build reviews
- Red team testing
- Phishing assessments
- Password auditing
- Cloud security auditing