PicoCTF Challenges: Hashcrack
Source: infosecwriteups.com, published 2025-11-23 08:28

Sparsh Ladani

Hello Cyber Enthusiasts, welcome to this blog. Today I will go through another CTF challenge on picoCTF called Hashcrack (this one actually came up in the recent picoCTF 2025 competition!).

Just a heads up for anyone who doesn't know what a CTF is: it's a challenge in which participants attempt to find text strings, called "flags", which are hidden in purposely vulnerable programs or websites. In other words, you are thrown into a world of cybersecurity challenges in which you have to deal with vulnerable programs to find flags, which look like this: flag{0h_5h1t_1_f0rg0t_4b0ut_gdb}

Prerequisites: Kali Linux Virtual Machine

Let’s dive into the question that we will be solving today.

The category of this question is Cryptography. Let's connect to the server and see the big picture.

The server hands us a password hash and wants the password back. A hash cannot be reversed; it is a one-way function, so there is no way to "decrypt" it directly. One of the hints redirects you to https://primer.picoctf.org/#_hashing, and if you read that page carefully it tells you to google rockyou (a list of commonly used passwords). That points us at a dictionary attack: use John the Ripper with rockyou.txt against the hash file to find the password that was hashed.

Let’s go and rock!

Get rockyou.txt onto your VM using the wget command. (On Kali it also ships at /usr/share/wordlists/rockyou.txt.gz; run gunzip on it to get the .txt.)

Now let's use John the Ripper, a command-line tool that tries candidate passwords against a hash and tells us which password produced it.

Now run John against the hash to get the password. Note: John does not reverse the hash. It computes the hash of each password in rockyou.txt and prints the one whose hash matches the hash you saved in answer.txt (the command and its output are shown in the screenshot in the original post).

Enter that password into the running server and it will give you another hash.

Run John again, the same way, to get the original password behind this second hash.

Enter that password to receive the third and last hash of the challenge, and repeat the same process.

Enter the final password and the server prints the flag.
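As an added example (not the author's screenshots), here is the whole cracking loop above wrapped in a small script around John the Ripper. It assumes the John Jumbo build that Kali ships (for the raw-md5, raw-sha1 and raw-sha256 format names), a rockyou.txt in the working directory or named in $WORDLIST, and that you paste each hash the server prints as a command-line argument; the function and file names are mine. Because the hashes in this challenge are unsalted, the digest length alone is enough to pick the John format.

```shell
#!/bin/sh
# Added example, not the author's code: crack the Hashcrack hashes with John.
# Assumes John Jumbo (Kali's package) and rockyou.txt; hashes are given as
# arguments, one per round, as the server reveals them.
set -eu

WORDLIST="${WORDLIST:-rockyou.txt}"

# Map the hex length of an unsalted hash to the John --format name.
# 32/40/64 hex characters are MD5/SHA-1/SHA-256, the three used in Hashcrack.
hash_format() {
    h="$1"
    case "${#h}" in
        32) echo raw-md5 ;;
        40) echo raw-sha1 ;;
        64) echo raw-sha256 ;;
        *)  echo "unknown hash length ${#h}" >&2; return 1 ;;
    esac
}

# Crack one hash with the wordlist and print the recovered password.
# A private --pot file keeps each round's result separate from ~/.john.
crack_hash() {
    h="$1"
    fmt="$(hash_format "$h")"
    tmp="$(mktemp)"
    pot="$(mktemp)"
    printf '%s\n' "$h" > "$tmp"
    john --format="$fmt" --wordlist="$WORDLIST" --pot="$pot" "$tmp" >/dev/null 2>&1 || true
    # --show prints "?:password" (no username in our file); keep the password.
    john --format="$fmt" --pot="$pot" --show "$tmp" | sed -n '1s/^[^:]*://p'
    rm -f "$tmp" "$pot"
}

# Usage: ./hashcrack.sh <hash> [<hash> ...]; run once per server prompt.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        printf '%s (%s) -> ' "$h" "$(hash_format "$h")"
        crack_hash "$h"
    done
fi
```

If John prints nothing for a hash, either the password is not in rockyou.txt or the format guess was wrong; the length heuristic cannot tell MD5 from other 128-bit digests such as NTLM, so try another format of the same length before giving up.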

We literally got the flag!

Some notes for this challenge:

This is how I identified the type of each hash, purely from its length (for unsalted hashes printed as hex):

MD5: 32 hex characters

SHA-1: 40 hex characters

SHA-256: 64 hex characters (the longest of the three used in this challenge!)

Length is only a heuristic: other algorithms produce digests of the same size (NTLM is also 32 hex characters, for example), so if John reports no match for the obvious format, try another format of the same length.
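To see what John is actually doing with rockyou.txt, here is an added example, written for this page rather than taken from the author or from John, that implements the same dictionary attack in Python and picks the algorithm from the digest length as in the notes above. The mini wordlist and the three sample digests are constructed (they are the well-known digests of "password" and "123456", not the challenge's hashes), and the function names are mine.

```python
"""Added example (not the author's code) of what John does under the hood.

A hash is one-way, so the only route is to hash each candidate and compare.
The mini wordlist and the three target digests below are constructed for
this example; the real challenge hashes came from the picoCTF server.
"""
import hashlib
from typing import Iterable, List, Optional

# Hex-digest length -> hashlib algorithm name for the unsalted hashes in this
# challenge. Heuristic only: NTLM, for one, is also 32 hex characters.
LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for rockyou.txt (bytes; see load_wordlist for why).
WORDLIST = [b"123456", b"letmein", b"password", b"qwerty", b"iloveyou"]

# Constructed targets: md5("password"), sha1("123456"), sha256("password").
SAMPLE_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "7c4a8d09ca3762af61e59520943dc26494f8941b",
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
]


def identify_hash(hex_digest: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' from the digest length, or raise."""
    h = hex_digest.strip().lower()
    if len(h) not in LENGTH_TO_ALGO or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a plain hex MD5/SHA-1/SHA-256 digest: {hex_digest!r}")
    return LENGTH_TO_ALGO[len(h)]


def load_wordlist(path: str) -> Iterable[bytes]:
    """Yield candidates as bytes: rockyou.txt contains non-UTF-8 lines that
    would make a text-mode open() raise UnicodeDecodeError."""
    with open(path, "rb") as f:
        for line in f:
            yield line.rstrip(b"\r\n")


def crack(hex_digest: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: hash every candidate and compare with the target."""
    algo = identify_hash(hex_digest)
    target = hex_digest.strip().lower()
    for candidate in wordlist:
        if hashlib.new(algo, candidate).hexdigest() == target:
            return candidate
    return None


def crack_chain(hashes: Iterable[str], wordlist: List[bytes]) -> List[Optional[bytes]]:
    """Crack the challenge's hashes in order, stopping at the first miss
    (the server only reveals the next hash after a correct password)."""
    found: List[Optional[bytes]] = []
    for h in hashes:
        pw = crack(h, wordlist)
        found.append(pw)
        if pw is None:
            break
    return found


if __name__ == "__main__":
    for h, pw in zip(SAMPLE_HASHES, crack_chain(SAMPLE_HASHES, WORDLIST)):
        print(f"{identify_hash(h):7} {h} -> {pw!r}")
```

Swap WORDLIST for list(load_wordlist("rockyou.txt")) to run it against the real list; the point of the bytes handling is that rockyou.txt is not clean UTF-8, which trips up a naive text-mode loop.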

Flag: picoCTF{UseStr0nG_h@shEs_&PaSswDs!_869e658e}

Thank you for reading it! I hope you enjoyed and learned!!


Source: https://infosecwriteups.com/picoctf-challenges-hashcrack-09fddae4bb9b?source=rss----7b722bfd1b8d---4