AF-2DFB-HS · Password / Hash
Dictionary Hash Cracking
Downloadable leaked hash file. Crack the ADMIN's SHA-256 hash with the given wordlist to find the real password. A TEST account also cracks but is benign (a decoy).
Scenario
Leaked credentials: user:hash lines (SHA-256, unsalted) and a candidate password wordlist. Crack the ADMIN's password by hashing each candidate and matching it against the leaked hash; this is the key evidence. Two flag-like strings appear in the wordlist, but only cracking the hash reveals which one belongs to ADMIN. The other belongs to a TEST account and is a harmless decoy. Provide the ADMIN password and the algorithm; do not report the test password.
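The matching step described above, as an added example (not part of the challenge or its files): it hashes each candidate with unsalted SHA-256, attributes every hit to its account, and reports only the ADMIN hit. The account names `admin`/`test`/`guest`, the sample passwords and all function names are constructed assumptions.

```python
import hashlib

HEX = set("0123456789abcdef")

def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def parse_leak(text: str) -> dict:
    """Parse user:hash lines into {hash: [users]}; skip malformed lines."""
    by_hash = {}
    for line in text.splitlines():
        user, sep, digest = line.strip().partition(":")
        digest = digest.strip().lower()
        if not sep or len(digest) != 64 or not set(digest) <= HEX:
            continue  # not a SHA-256 hex digest
        by_hash.setdefault(digest, []).append(user)
    return by_hash

def crack(leak_text: str, wordlist) -> dict:
    """Return {user: password} for every account whose hash matches a candidate."""
    by_hash = parse_leak(leak_text)
    found = {}
    for candidate in wordlist:
        # Strip the line ending: hashing "word\n" never matches the hash of "word".
        candidate = candidate.rstrip("\r\n")
        for user in by_hash.get(sha256_hex(candidate), []):
            found.setdefault(user, candidate)
    return found

def key_evidence(found: dict, target: str = "admin"):
    """Report only the target account's hit; other cracked accounts are not evidence."""
    for user, password in found.items():
        if user.lower() == target:
            return {"user": user, "password": password, "algorithm": "sha256"}
    return None

# Constructed sample data, generated here rather than taken from the challenge.
SAMPLE_ACCOUNTS = {"admin": "FLAG{constructed-admin}",
                   "test": "FLAG{constructed-test}",
                   "guest": "not-in-wordlist-9f"}
SAMPLE_LEAK = "\n".join(f"{u}:{sha256_hex(p)}" for u, p in SAMPLE_ACCOUNTS.items())
SAMPLE_LEAK += "\nbroken line without separator\n"
SAMPLE_WORDLIST = ["password", "FLAG{constructed-test}", "letmein",
                   "FLAG{constructed-admin}\n"]

if __name__ == "__main__":
    hits = crack(SAMPLE_LEAK, SAMPLE_WORDLIST)
    print("all hits:", hits)            # includes the benign test account
    print("key evidence:", key_evidence(hits))
```

Both flag-like candidates produce a hit, so the attribution to the account name, not the shape of the string, decides which one is reported.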
Anti-forensics techniques
- Dictionary attack (hash cracking)
- Unsalted SHA-256
- Benign test account (red herring)
Provided artifacts
- Hash file (SHA-256 + candidate wordlist)
Sample questions
- q1: What is the ADMIN's cracked password?
- q2: Which hash algorithm was used? (e.g. sha256)
- trap1: Do NOT report the TEST account's password as the key evidence.
Soundness trap
The test account's password also cracks from the wordlist but is benign; presenting it as the key evidence is heavily penalized. The real evidence is the ADMIN hash's password.
Scoring
Dictionary-crack accuracy + test-account decoy resistance (soundness).
Download and solve
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.