VishwaCTF-22 => John the rocker (Cryptography)

Challenge Info

Description: None

Files: https://github.com/shriyanss/VishwaCTF-22/blob/main/idrsa.id_rsa.docx

Vishwa CTF

Solution

This is an easy cryptography challenge. We are given a file that is an SSH private key, so the most likely approaches are:

  • Get an SSH server
  • Crack the key

As the name suggests, we should use John the Ripper (a hash-cracking tool) to crack this. After googling it, I got the following article: https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/. So I followed the steps it describes.

First of all, download the ssh2john Python script from GitHub:

~$ wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py

Now, get the hash for the key using ssh2john:

~$ python3 ssh2john.py idrsa.id_rsa.docx > hash

The hash is now written to a file named “hash”. The next step is to crack it.

For a quick refresher on what a hash is, see Wikipedia.

By default, our wordlist is rockyou.txt. In Kali Linux and Parrot OS it is located at “/usr/share/wordlists/rockyou.txt.gz” (you have to extract it before using it).

Cracking the hash:

~$ john --wordlist=/usr/share/wordlists/rockyou.txt hash

So here, we’ve successfully cracked the hash. Since the flag format is “vishwaCTF{secret}”, our flag would be “vishwaCTF{!!**john**!!}”.
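
How quickly a wordlist run like the one above finishes depends on how the key file turns the passphrase into an encryption key. The following Python code is an added example, not part of the original writeup or of John the Ripper: it reads a private key file's header and reports the format, cipher and KDF (including the bcrypt round count for the OpenSSH format). The function names and both sample inputs are constructed for illustration.

```python
import base64
import struct
MAGIC = b"openssh-key-v1\0"

def _string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def describe_private_key(text):
    """Report whether a private key file is passphrase-protected, and with which KDF."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True}  # ASN.1 body not parsed here
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _string(blob, len(MAGIC))
        kdf, off = _string(blob, off)
        opts, off = _string(blob, off)
        info = {"format": "openssh-v1", "encrypted": cipher != b"none", "cipher": cipher.decode(), "kdf": kdf.decode()}
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _string(opts, 0)
            (info["rounds"],) = struct.unpack_from(">I", opts, o)
        return info
    # Traditional PEM: encryption is announced in RFC 1421-style headers.
    headers = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
    info = {"format": "legacy-pem", "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED"}
    if info["encrypted"]:
        info["cipher"] = headers.get("DEK-Info", "").split(",")[0]
        info["kdf"] = "md5-x1"  # one MD5 pass over passphrase + salt: cheap to guess against
    return info

def build_sample_openssh(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed sample: header fields only, no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    opts = (s(b"\0" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    body = base64.b64encode(MAGIC + s(cipher) + s(kdf) + s(opts)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                 + "0" * 32 + "\n\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n")  # constructed, not a real key

if __name__ == "__main__":
    for sample in (build_sample_openssh(), build_sample_openssh(b"none", b"none"), LEGACY_SAMPLE):
        print(describe_private_key(sample))
```

For a key you own, `ssh-keygen -p -a <rounds> -f <keyfile>` rewrites the file with a new passphrase and a higher bcrypt round count, which raises the cost of every guess.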

Takeaways

  • If you find SSH keys on web servers, try to crack them; you can then report the finding.

Get more VishwaCTF-22 writeups here
