Password Cracking Competition

Brought to you by BashNinja @_bashNinja

COMPETITION DETAILS

SAINTCON's third annual Password Cracking Competition!

The first year we had Josh Dustin provide a list of themed pancake passwords, last year we had 60 Million passwords tweaked and sourced from Hashes.org, this year we're going to switch it up again!

Instead of having a large amount of passwords to crack, you're going to go through a series of challenges where your password cracking skills will be invaluable. What does that mean? It means you should brush up on cracking all forms of passwords. Do you know how to crack a Windows LM or NTLM Hash? What about HTTP Basic Auth or .htpasswd files? Maybe we can put in a little bit of /etc/passwd? Or even a WPA2 Handshake? The sky is the limit here. Let's hope you're up to the challenge.

Don't have a beefy password cracking rig? Look into joining a friend who has one or even building your own in the cloud for a few bucks an hour! This competition will be all about how knowlegable your are in password formats and how good you are at cracking password hashes. Are you crafty at making good word lists? Perhaps you can beat all the big systems by a more methodical approach and locking in your mangle and dictionary skills! Have you played with every hash format under the sun? Maybe you have your cracking environment setup even before the CTF begins. We'd love to have as many are willing to play join us!

Why

This year, the password cracking competition is all about your knowledge of cracking various password formats. Our goal here is to expose everyone to as many different formats as possible. This year it's not about loading all the passwords, clicking go, and then coming back 3 days later and submitting everything you've solved. You'll be bouncing between formats every 5 passwords. We hope to challenge our players, and teach them to be versitale in all the password formats they may come across.

Participation

All SAINTCON participants are encouraged and invited to play. The competition times are below.

Password Cracking Event Starts - Tuesday Sep 25th === 10:00am

Password Cracking Event Ends - Thursday Sep 27th === 10:00pm

How to Play

• Register your team at https://www.crackthe.pw after the competition has started.
• Password Hashes will be posted on that website on Tuesday, September 25th morning around 10:00am.
• We're doing a theme this year, so pay attention to the types of passwords you crack
• We will provide an API so you can submit your cracked passwords. Details will be posted when the competition starts.
• All updates will be posted on that site and on @SAINTCONPcrack.
• Submit solved challenges on-site or via the API.

Submit the cracked hashes to the Competition Portal API

{
    "Team": "bashNinja",
    "Password": "saintcon",
    "Hash":"ab39aa1fa61d154a2c46742179879c87408035d2"
}

Note: Abusing this API is a waste of time, so don't bother.

TL;DR:

Register https://www.crackthe.pw

Crack the HASHES that are posted.

Submit the cracked hashes to the Competition Portal API

Scoring

Each hash will be valued according to difficulty. The values range between 1 and 10.

Support

If you need help submitting a password, you can tweet @SAINTCONPcrack or ask for assistance on the #password_cracking channel in Slack. Slack is also a great place to work collaboratively on the passwords.

Hints may be given for some passwords during the course of the game. Hints will be announced via the Twitter Feed.