## Open-Source Intelligence/A Harsh Reality of Passwords (28 solves)  
Created by: `Lychi`  
> Recently, Iris's company had a breach. Her password's hash has been exposed.
> This challenge is focused on understanding Iris as a person. The flag format
> is irisctf{plaintextPassword}. Hash:
> `$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC`

Hint Given:  
> Focus on Iris and what she finds important!  
> There are three words (not letters, but words), and a certain amount of
> numbers following it.  
> There are no leet words, proper capitalization (nothing like ExAmPLE), and no
> special characters as well like -,! etc.

We start with a hash
(`$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC`) that is a
`bcrypt $2*$, Blowfish (Unix)` hash.
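To make the hash's structure explicit, here is an added example (not part of the original writeup) that splits a bcrypt string into its version, cost, salt and digest fields and shows what the `04` cost factor means: bcrypt runs 2^cost key-schedule rounds, so cost 4 (the minimum bcrypt accepts) makes each guess 64 times cheaper than the common default of 10. The hash value is the one from the challenge text; everything else is assumed for illustration.

```python
import re

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9), not RFC 4648.
BCRYPT_RE = re.compile(
    r'^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)

# Hash quoted in the challenge description (cost factor 04).
CHALLENGE_HASH = '$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC'


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError('not a bcrypt hash: %r' % h)
    cost = int(m.group('cost'))
    # bcrypt implementations accept cost factors 4..31 (2**cost rounds).
    if not 4 <= cost <= 31:
        raise ValueError('bcrypt cost out of range: %d' % cost)
    return {
        'version': m.group('version'),
        'cost': cost,
        'rounds': 2 ** cost,
        'salt': m.group('salt'),
        'digest': m.group('digest'),
    }


def is_bcrypt(h):
    """True if h parses as a well-formed bcrypt hash with a valid cost."""
    try:
        parse_bcrypt(h)
        return True
    except ValueError:
        return False


def work_factor_vs(h, baseline_cost=10):
    """How many times cheaper one guess against h is than at baseline_cost.
    Cost 4 versus the common default of 10 gives 2**6 = 64x cheaper."""
    return 2 ** (baseline_cost - parse_bcrypt(h)['cost'])


if __name__ == '__main__':
    info = parse_bcrypt(CHALLENGE_HASH)
    print(info)
    print('each guess is %dx cheaper than at cost 10' % work_factor_vs(CHALLENGE_HASH))
```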

We know we need to use three words followed by some numbers. A few of Iris's
posts are of interest for building the password.

Firstly, the one about her Mum.

![Mimosas](https://seall.dev/images/ctfs/irisctf2024/pb_3.png)

We can see that she calls her mother's birthday a 'very important date'; I
think those are our numbers.

![Tiramisu](https://seall.dev/images/ctfs/irisctf2024/ahrop_1.png)

Here she expresses her 'obsession' with tiramisu; that's going on the
wordlist.

![Portofino](https://seall.dev/images/ctfs/irisctf2024/ahrop_2.png)

In this post she talks about a specific place in Italy, Portofino.

In a few other posts she mentions places she's been, things she likes, etc.
In the end I construct the following list of words from her posts and the
accounts she follows.

```  
netherland  
italy  
berlin  
tiramisu  
czechia  
mimosa  
portofino  
swan  
swarovski  
crystal  
starbuck  
milan  
conte  
ugolino  
sunrise  
sunset  
karadenizli  
maceraci  
iris  
stein  
station  
elaina  
lenox  
hill  
hospital  
food  
traveling  
sunny  
sanfrancisco  
```

I then write a Python script to generate all the combinations together with
appropriate 'variants' of each word (e.g. portofino becomes Portofino,
portofinos, Portofinos and portofino), with the date at the end in mmddyyyy
format (since the organisers are mainly from the US).

We have to consider that when people use dates in passwords they don't always
pad with zeros, so several forms of the date are possible.

```python
# Birthday in mmddyyyy form, with and without leading zeros on month and day.
numbers = ['481965', '0481965', '04081965', '4081965']

c = 0
with open('wordlistfinal.txt', 'w') as ff:
    with open('words.txt', 'r') as f:
        data = [line.strip() for line in f if line.strip()]
    # Four variants per word: Titlecase, Titlecase+s, lowercase+s, lowercase.
    newdata = []
    for x in data:
        newdata.append(x.title())
        newdata.append(x.title() + 's')
        newdata.append(x + 's')
        newdata.append(x)
    data = newdata
    # Every ordered triple of word variants, followed by every date form.
    for x in data:
        for y in data:
            for z in data:
                for n in numbers:
                    pw = x + y + z + n
                    ff.write(pw + '\n')
                    c += 1
print(f'Found {c} new passwords.')
```

```  
$ python3 wordgen.py  
Found 6243584 new passwords.  
```

Now we crack with hashcat (mode 3200 is bcrypt) and wait until we get a hit!

```  
$ hashcat -m 3200 hash wordlist.txt  
...  
$2b$04$DkQOnBXHNLw2cnsmSEdM0uyN3NHLUb9I5IIUF3akpLwoy7dlhgyEC:PortofinoItalyTiramisu0481965  
```

There's our password, and therefore our flag!
`irisctf{PortofinoItalyTiramisu0481965}`

**Files:** None provided :(

Original writeup: https://seall.dev/posts/irisctf2024/#open-source-intelligencea-harsh-reality-of-passwords-28-solves