Introduction
Welcome, fellow hackers and learners! In this post, I’ll walk you through my experience solving the "Crack the Hash" room on TryHackMe. This room is a great way to sharpen your skills in hash identification and cracking techniques using tools like Hash-Identifier, John the Ripper, and Hashcat.
Whether you're new to CTFs or brushing up on your skills, this guide will help you understand the logic behind cracking hashes and how to approach each challenge.
Each task in the room gives you a hash and asks you to identify and crack it. The hashes vary in type and complexity, from MD5 to SHA-512 to b-crypt and beyond.
Task 1: The Easy Hashes
Hash: 48bb6e862e54f2a795ffc4e541caed4d
Use Hash-Identifier or online tools like TunnelsUp Hash Analyzer.
→ Likely MD5 (since SHA uses CAPITAL LETTERS! while hashing)
I started the AttackBox previously, command terminal opened, let's do some HaShCaT
Since i didn't remember all the modules associated with all the hashing for hashcat, i used Microsoft Copilot to address this issue, you're welcome Satya Nadella ;)
Before input hashcat prompt i'll create now a file called hash.txt where we can write our task's hashes each time and crack it with the same command, we will only modify module numbers!
nano hash.txt
From now on, we will Copy&Paste each hash one-by-one, from Tryhackme into the clipboard of the AttackBox.
After saving the first hash in our temporary file, we will prompt the hashcat command by selecting module o for MD5, a temporary file to write the cracked result called cracked.txt and our beloved leaked wordlist rockyou.txt
hashcat -m 0 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
A couple of seconds later we have our hash cracked, let's grab the results by simply:
cat cracked.txt
Done! Very Simple and clean way i should say! Now we will repeat the process of Copy&Paste + the cat of the result.
Hash: CBFDAC6008F9CAB4083784CBD1874F76618D2A97
→ Likely SHA but what kind?
Well, here's the solution, a very nice scheme to classify quickly this and the next case:
I'm going SHA-1 following this image.
hashcat -m 100 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
And Grab the result here:
Hash: 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032
Reflecting the 64 char hash it's SHA-256, so we will craft:
hashcat -m 1400 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt
And the result will be:
Hash: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom
Since there is a little bit of a known pattern $2*$, we will use Copilot to find evidence of that online and it will tell us that is a b-crypt hash
Hint and a maybe tip: Add at the end of our known prompt a
--forceto kindly speed up the process but be aware that this will take LONGER, and yes even an AMD EPYC processor (which is the one on the AttackBox that i'm using) takes forever to crack given this conditions. (26 days)
We need an easy way out, let's dig a little bit in Tryhackme, you'll see they want a 4-letter result under this hash. We need to shorten the wordlist rockyou to a new version with only 4-letters attempt. We will call it rockyou4l.txt
iconv -f latin1 -t utf-8 /usr/share/wordlists/rockyou.txt | grep -E '^[a-zA-Z]{4}$' > /usr/share/wordlists/rockyou4l.txt
Invoke hashcat command with the modified rockyou version and try to get the result:
hashcat -m 3200 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou4l.txt --force
Grab the result: bleh
Hash: 279412f945939ba78ce0758d3fd83daa
A different approach here to spot this Likely-MD5 hash. So first let's check what Hash Analyzer has to tell us.
Second step is to actually try the command that we've put in place for the first hash in MD5.
Spoiler: NO LUCK! - So it's MD4 then
We can use md4 modules in hashcat which is -m 900, but i tried a powerful web MD4 decryptor called dCode.fr
Eternity22 is our final answer, now we can move into something a little bit spicier.
Task 2: Level 2 Hashes
🔐 1. Hash:
F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85
Likely Algorithm: SHA-256
No need to further investigate, let's input -m 1400and fired up hashcat or we can use another powerful tool called CrackStation!
So paule, first answer.
🔐 2. Hash:
1DFECA0C002AE40B8619ECF94819CC1B
Likely Algorithm: MD4, but after some research online i've discovered that actually is not.
The hash 1DFECA0C002AE40B8619ECF94819CC1B is identified as an NTLM hash based on its length and format:
🔍 Why It's NTLM:
Length:
NTLM hashes are 32 hexadecimal characters long (128 bits).
This hash is exactly 32 characters: ✅
Hexadecimal Format:
NTLM hashes are represented in uppercase hexadecimal (0–9, A–F).
This hash fits that pattern: ✅
No Salt:
NTLM hashes are unsalted, meaning the same password always produces the same hash.
This hash doesn't include a salt or any prefix: ✅
Ok so module -m 1000 for NTLM in hashcat right? Actually i've got also Crackstation that still works for us ;)
Second answer, done: n63umy8lkf4i
🔐 3. Hash:
$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.
Format: $6$ indicates SHA-512 crypt (used in Linux /etc/shadow)
Salt: aReallyHardSalt
We will use another tool this time that is called John The Ripper since i don't know, hashcat after rebooting the AttackBox into a new session doesn't work anymore :/
Using the file mentioned previously, hash.txt, we have to copy and paste this hash and prepare the command for john the ripper that looks like this:
john --format=sha512crypt -wordlist=/usr/share/wordlists/rockyou.txt hash.txt
It will take some time to run, a long time, but won't crash i'll promise!
Manage to score the decrypted word waka99 after 20 mins-ish, grab the word and onto the next and final hash!
🔐 4. Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6
Salt: tryhackme
Ok, there is a hint, since we're running out of time we need a quick win here...
Alright, this means the original message (e.g., a password or token) was hashed using HMAC-SHA1 with the key "tryhackme", and the result was the SHA-1 hash shown. The structure will have <key>:<salt> format, we will adapt to this pattern our hash + the "tryhackme" salt at the end.
e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme
Nano that into the hash.txt file and we will now adapt the john command line to achieve this last decryption.
WAIT!
John doesn't support that and yes, you'll see the final answer here! I came across this website since i was googling weird behaviours i was getting from the terminal. Anyway, i want to crack it by myself. This screen i'll save for later to do double-checks. So, back to hashcat then, after re-installing amd drivers and other forums looked to get back to work, i'll share my command to crack it.
hashcat -a 0 -m 160 <hash:salt> /usr/share/wordlists/rockyou.txt
Let it run and it will find the answer, 481616481616
Conclusion
"Crack the Hash" is a fantastic room to practice real-world hash cracking techniques. It teaches you how to think like an attacker and gives you hands-on experience with industry-standard tools.
If you enjoyed this walkthrough or have questions, drop a comment below or connect with me on TryHackMe.
Happy hacking! 🧑💻💥