You had time to investigate that internal box, and found a file called "password" containing the following string:

    VOhRrmhZvX7lEG9KvuF/6FVA

Questions:

1. What is the system or application that uses this kind of password string and for what purpose?

At first sight it seems to be clearly a 24 byte long hashed password for user authentication into the attacked system or an application running in the attacked system. The intruder managed to obtain that hashed password string from the attacked system (password file), or it could have been stolen from a third system where the password could be stored (such as a database or an LDAP directory), or captured by other means such as sniffing network traffic.

It is difficult to say which concrete application uses the hashed password. It can be the hashed password for a user login authentication into a system, or the password for authenticating the user inside an application (web application, DB application, etc.) running in the system.

Of course the string could also be a very well constructed password in simple clear text; but in that case there would not be a challenge :)

2. What is the format and crypto algorithm(s) used on this password string?

According to the length of the hashed password, 192 bits, the first crypto algorithm I thought of was Tiger. I also checked that HAVAL can produce hashes in lengths of 128 bits, 160 bits, 192 bits, 224 bits, and 256 bits.

Without having answered this question at all, I began with the third one. As the hashed password is obtained one-way, the only way we have to obtain the clear-text password is by guessing.

Note: in the answer to the third question, John the Ripper guessed two different Traditional DES hashes:

    Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])

3. What is the clear-text password of your critical system? Please, detail the process you followed and the tools you used to obtain the password.

After searching a bit on the net I realized that the most used password cracker is John the Ripper. I downloaded the most recent version, 1.7.0.2, and began testing with it.

I created a password file with this content:

    owner:VOhRrmhZvX7lEG9KvuF/6FVA:a:a:a:a:a

To my surprise John found that the hashed password is really two different hashes obtained with 2 different salts. (Question to the challenger: how could we know that in question 2 by just looking at the 24 raw bytes? :) )

    >john-386 password
    Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])
    winnieth (:1)

And not only that! "He" guessed the first one almost instantly ---> the first eight characters of the passwd.

Well, at this point I let John burn my CPU while I grabbed one of my PEZ friends to ask him a couple of questions. See attached image. He did not tell me anything at all although I tried almost everything. I even ate all of his candies.

Next morning, after 10 hours, John had guessed the second part by brute force attack:

    epooh9 (owner:2)

    >john-386 -show password
    owner:winniethepooh9
    2 password hashes cracked, 0 left

john.pot:

    VOhRrmhZvX7lE:winnieth
    hRG9KvuF/6FVA:epooh9

If I hadn't been so busy with the PEZ toy I would have discovered the second part of the password in a minute in a smarter way: by creating a dictionary file with the word 'epooh' and adding the "-rules" option to john:

    >john-386 -w=guess password
    Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])
    guesses: 0 time: 0:00:00:00 100% c/s: 133 trying: epooh

    >john-386 -w=guess -rules password
    Loaded 2 password hashes with 2 different salts (Traditional DES [24/32 4K])
    epooh9 (:2)
    guesses: 1 time: 0:00:00:00 100% c/s: 102000 trying: epooh - Epoohing

After seeing that the password is 14 characters long and that the first 8 were hashed separately with one salt value and the remaining 6 with another, it seems that perhaps it is a UNIX box with a mechanism that extends the 8-character password limit in order to use bigger passwords.

And that's all! Thank you very much for writing such interesting articles in the blog and giving me the opportunity to learn about password cracking with this challenge.

A hug!!!

Rafa Serrada
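
Added example, not part of the original submission: a small parser that recognises the layout visible in the john.pot entries above (2 salt characters followed by 11-character blocks, with each later block salted by the first two characters of the block before it) and splits the string into the individual 13-character DES crypt hashes. The function names are hypothetical, and handling more than two blocks assumes the same chaining rule simply repeats.

```python
import string

# Alphabet used by traditional DES crypt(3) output.
CRYPT64 = set("./" + string.digits + string.ascii_uppercase + string.ascii_lowercase)
SALT_LEN, BLOCK_LEN, CHARS_PER_BLOCK = 2, 11, 8


def split_chained_des(value):
    """Return the 13-character DES crypt hashes contained in `value`.

    Layout assumed: 2 salt chars followed by one or more 11-char blocks.
    Block 1 uses the leading salt; each later block uses the first two
    characters of the previous block as its salt.
    Raises ValueError if the string does not fit that layout.
    """
    if any(c not in CRYPT64 for c in value):
        raise ValueError("character outside the crypt(3) alphabet")
    body = value[SALT_LEN:]
    if len(value) < SALT_LEN + BLOCK_LEN or len(body) % BLOCK_LEN:
        raise ValueError("length is not 2 + 11*n")
    blocks = [body[i:i + BLOCK_LEN] for i in range(0, len(body), BLOCK_LEN)]
    salts = [value[:SALT_LEN]] + [b[:SALT_LEN] for b in blocks[:-1]]
    return [s + b for s, b in zip(salts, blocks)]


def join_segments(plaintexts):
    """Rebuild the full password from per-block plaintexts, in block order.

    Every block except the last must cover exactly 8 characters.
    """
    for p in plaintexts[:-1]:
        if len(p) != CHARS_PER_BLOCK:
            raise ValueError("only the last segment may be shorter than 8")
    if not plaintexts or not 1 <= len(plaintexts[-1]) <= CHARS_PER_BLOCK:
        raise ValueError("bad final segment")
    return "".join(plaintexts)


if __name__ == "__main__":
    sample = "VOhRrmhZvX7lEG9KvuF/6FVA"      # string from the challenge
    print(split_chained_des(sample))
    print(join_segments(["winnieth", "epooh9"]))  # john's two guesses
```

Because each block covers at most 8 characters and is hashed independently, a 14-character password stored this way falls to two separate searches of 8 and 6 characters, which is why the second half was recovered by brute force overnight.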