Thursday, August 12, 2021

KoreLogic's CMIYC 2021 @ DEF CON 29 Write-up


Crack me if you can write-up 2021

 

We once again assembled the team to take on KoreLogic’s annual Crack Me If You Can contest for DEF CON 29. This year we had 12 members participating: s3in!c, blazer, golem445, user, pdo, winxp5421, Waffle, gearjunkie, hops, cvsi, 0xln & usasoft. Since we were spread all over the world, we were able to submit cracks continuously throughout the 48-hour duration of the contest.

In preparation for the contest, we re-developed the back end of our hash management platform “TeamLogic” and therefore expected that things might not be entirely smooth. We expected to see exotic hashes or perhaps some use of Hashcat’s new association mode. However, when we first saw the big 6GB download we thought it would be interesting, as we wondered how the hashes would be shared with us. Would they be in a text file on the desktop? What operating system would it be running? Would we have to extract the hashes ourselves? Nevertheless, some of us set up VirtualBox in preparation. Upon receiving the decryption key, this was some of the chatter that occurred.

“Sorry guys, it’s a Windows… good luck have fun”

“How come this VM is not working?”

“This VM keeps restarting”

“This VM does not work in VMware”

“Nothing is working properly with this VM”

“There are a crap ton of objects in this AD”

As a team of hobbyist password crackers, who don’t generally dump hashes of domain controllers daily, it took us some time to navigate the forensic side of things. We were able to use various methods to access the VM including:

· Cracking the admin AD hash and logging in normally

· Extracting the ntds file directly off the image file

· Dumping the ntds file off the running VM

· Live booting over the VM

The sheer volume of objects in the AD made things extremely sluggish. mimikatz was run on the VM, and impacket was also used to dump the NTLM hashes from the ntds file.

Protip: Use pypy instead of normal python for a nice speedup when using impacket’s secretsdump.py

We suspected that other teams were in a similar situation to us, as we did not see the scoreboard being populated. We made a start with a partial dump and believe we were the first to register scores across all the various hash histories.

Once the hashes were uploaded to our hash management platform, we all went off to work our magic on them. Some notable patterns we noticed were lyrics/quotes, ferengi and bible phrases, along with the occasional bonjovi, minga and korelogic plaintexts scattered throughout.

Having retrieved a sufficient number of plaintexts, we grouped the hashes by user to create a visual aid for discovering patterns.

When we initially saw that these hashes were NTLM only, we thought it would be a “highest hashrate wins” contest. However, we were quite wrong, because a brute-force approach would not have been effective at all. KoreLogic had put some thought into designing the passwords in such a way that other exhaustive approaches had to be taken, such as switching to Hashcat’s pure kernels (which lift the password-length limit of the optimized kernels) to attack very long plaintexts.


Despite having to apply various hotfixes to our hash management platform and running into minor hiccups, we cracked most of the passwords very early on, as shown in our internal submission graph. Towards the last 12 hours of the contest, we developed a workflow which consisted of converting as many history6 hashes as we could to history5 and so on until history2. From here, we would try to isolate a pattern and crack as many history1 and ultimately history0 hashes as we could.

The following workflow worked very well for us, and we were able to use a series of custom scripts to achieve

We found that using the rule "sv^sa@se3so0sh5@j", which is a variation of the 1337.rule, we were able to convert most of the history1 to history0 plaintexts. Towards the end, we made a huge push and spent lots of resources trying to find more patterns, but we were unable to get a breakthrough.
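As an added example (not code from this write-up or from the team’s own scripts), the following Python interprets the hashcat rule functions that appear in the quoted rule and applies it the way the workflow describes: plaintexts cracked in one history tier become candidates for the next. The sample words and function names are assumptions.

```python
# Added example (not from the write-up): minimal interpreter for the hashcat
# rule functions in the quoted rule, used to derive next-tier candidates.
# Sample words and function names are constructed for illustration.

LEET_RULE = "sv^sa@se3so0sh5@j"  # the rule quoted in the write-up


def apply_rule(rule: str, word: str) -> str:
    """Apply one hashcat-style rule string to a single candidate word."""
    i, n = 0, len(rule)
    try:
        while i < n:
            fn = rule[i]
            if fn in " :":               # separator / no-op
                i += 1
            elif fn == "l":              # lowercase all
                word, i = word.lower(), i + 1
            elif fn == "u":              # uppercase all
                word, i = word.upper(), i + 1
            elif fn == "c":              # capitalize first, lowercase rest
                word, i = word[:1].upper() + word[1:].lower(), i + 1
            elif fn == "$":              # append X
                word, i = word + rule[i + 1], i + 2
            elif fn == "^":              # prepend X
                word, i = rule[i + 1] + word, i + 2
            elif fn == "@":              # purge every X
                word, i = word.replace(rule[i + 1], ""), i + 2
            elif fn == "s":              # replace every X with Y
                word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
            else:
                raise ValueError(f"unsupported rule function {fn!r} at {i}")
    except IndexError:
        raise ValueError(f"truncated rule: {rule!r}") from None
    return word


def next_tier_candidates(plains, rules):
    """Map each derived candidate to the (plaintext, rule) that produced it."""
    out = {}
    for p in plains:
        for r in rules:
            c = apply_rule(r, p)
            if c != p:                   # unchanged words are not new candidates
                out.setdefault(c, (p, r))
    return out


# Constructed sample: words standing in for a cracked "history1" tier.
HISTORY1_PLAINS = ["jehovah", "vanishing", "korelogic"]
HISTORY0_CANDIDATES = next_tier_candidates(HISTORY1_PLAINS, [LEET_RULE])
```

The candidate dictionary keeps the source plaintext and rule for each derived word, which is what lets a pattern found in one tier be traced back when it cracks the next.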

While we took the lead for a short period of time, we quickly fell back to second place. Ultimately, we were able to secure a very comfortable second spot in the contest and kept close on team hashcat’s tail throughout. Congratulations to the other returning teams, john-users and trontastic, and to the newcomers hashmob and 1IHsxRAM7GzoM for demonstrating their ability to participate in the pro division.

Thank you, KoreLogic, for putting together a very fun challenge this year. Despite only using NTLM hashes, you still managed to keep us entertained for a good 48 hours. We are eager to see what future challenges bring.

We have attached the list of both the hashes and the plains we cracked for this contest here. While we understand the plaintexts have been released by KoreLogic, we have decided to leave readers a little challenge to decode our cracked plaintexts.

Hint: Being Identical is the key

Join_US | Contact_US @CynoPrime