So I recently came upon an old database dump that I wanted to extract user details from. The passwords were either hashed or encrypted; at the time I couldn't tell.
One password would look like this.
0x72536e68474a306d656a753641694f3632354a2b52413d3d
There was one important clue in the database, however. There was a column in the users table called "encryption_type" which was set to "mcrypt" on every row. At this point I could simply assume that the format was indeed mcrypt. And since hashid didn't give me anything useful, I continued with that assumption. The application where the dump came from was written in PHP, and the mcrypt function there has been dead and gone for a while, so solving this riddle required me to install an older version of Linux, Ubuntu 14.04 to be more precise. The format of the string didn't quite add up, however, and if you look at the last two hex values you can see that they are both 3d.
0x72536e68474a306d656a753641694f3632354a2b5241
3d3d
They are equal signs, which means the format is most likely Base64. So converting the string to ASCII gave me a Base64 encoded string.
Now to decrypt this I also noticed in the target application that it was not "just" MCRYPT, it was a hacky "I can implement this shit myself" version of an encryption function that uses MCRYPT, so I had to take snippets of code from the original application to build a tool that could decrypt the info. Luckily the decryption key was already hardcoded in the same file where I found the code.
This story is rather short, but I actually spent hours figuring out the format since I didn't notice the Base64 format at first.
In the end I did solve it and decrypted the ~50k passwords.
root@ubuntu:/home/user# php test.php
tittimaus
So I lost a few hours of my life but gained quite a large haul of passwords for my wordlists.
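
The layered encoding described in the post, as an added example that is not part of the original post or the application's code: it peels the hex and Base64 wrappers off the stored value and reports the raw length, which is the check an auditor would run when reviewing how a credential column is stored. The function names, the digest-size table and the 8/16-byte block sizes are assumptions for illustration; the post does not say which cipher the application used.

```python
import base64
import re

# The stored value quoted in the post above.
STORED = "0x72536e68474a306d656a753641694f3632354a2b52413d3d"

HEX_RE = re.compile(r"(?:0x)?((?:[0-9a-fA-F]{2})+)")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Assumed lookup: raw lengths (bytes) of common unsalted digests.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}


def peel(value):
    """Strip hex and Base64 wrappers; return (layer names, raw bytes)."""
    data = value.encode("ascii")
    layers = []
    while True:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            break  # binary data: no textual wrapper left to remove
        m = HEX_RE.fullmatch(text)
        if m:
            data = bytes.fromhex(m.group(1))
            layers.append("hex")
            continue
        # Heuristic: Base64 alphabet, valid padding, length multiple of 4.
        if B64_RE.fullmatch(text) and len(text) % 4 == 0:
            data = base64.b64decode(text, validate=True)
            layers.append("base64")
            continue
        break
    return layers, data


def describe(value, block_sizes=(8, 16)):
    """Summarise what the raw length is consistent with (assumed sizes)."""
    layers, raw = peel(value)
    return {
        "layers": layers,
        "raw_len": len(raw),
        "digest_candidate": DIGEST_SIZES.get(len(raw)),
        "block_aligned": [b for b in block_sizes if len(raw) % b == 0],
    }


if __name__ == "__main__":
    print(describe(STORED))
```

For the value in the post the raw data is 16 bytes, which fits both an MD5-sized digest and a whole number of cipher blocks, so length alone does not separate a hash from ciphertext; the "encryption_type" column and the application code are what settle it.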