Solved By Only 1% : Root-Me {Network} 10. POP — APOP CTF WriteUp
15 Points
Secured authentication
Author
lutzenfried, 11 November 2020
POP — APOP
Find the user password in this network frame.
SOLUTION
When we start the challenge, we get a zip file, which we have to extract.
What is POP Protocol?
According to Google, the Post Office Protocol (POP) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. POP version 3 (POP3) is the version in common use.
What is APOP Authentication?
APOP (Authenticated POP) is an extension of the standard POP3 protocol. In simple words, APOP is used to encrypt the username or password.
Command
unzip <filename>
After unzipping, we get a pcapng file, which we open in Wireshark.
The name of the challenge gives us a useful hint: it is based on the POP protocol and APOP authentication.
We will use the filter option to filter out the POP packets in Wireshark.
After examining the packets, we can see that APOP authentication is used to encrypt the password. See the second packet in the above image, after bsmith. Now it's time to go to the reference article provided with this challenge.
According to the reference, a POP3 server which implements the APOP command will include a timestamp in its banner greeting. For example, on a UNIX implementation in which a separate UNIX process is used for each instance of a POP3 server, the syntax of the timestamp might be:
<process-ID.clock@hostname>
where ‘process-ID’ is the decimal value of the process’s
PID, clock is the decimal value of the system clock, and
hostname is the fully-qualified domain-name corresponding
to the host where the POP3 server is running.
APOP authentication uses MD5 with a salt to encrypt the password.
Example Of APOP Authentication
Examples:
S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
C: APOP mrose c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop has 1 message (369 octets)
In this example, the shared secret is the string `tanstaaf'.
Hence, the MD5 algorithm is applied to the string
<1896.697170952@dbc.mtview.ca.us>tanstaaf
which produces a digest value of
c4c9334bac560ecc979e58001b3e22fb
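The digest in the reference example can be reproduced from values that all travel in clear text, which is why a captured APOP exchange can be checked offline. The following Python sketch is an added example, not part of the original write-up or the reference; the function names are hypothetical and the transcript is the reference example quoted above.

```python
import hashlib
import hmac
import re

# Transcript copied from the reference example quoted above.
TRANSCRIPT = """\
S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
C: APOP mrose c4c9334bac560ecc979e58001b3e22fb
S: +OK maildrop has 1 message (369 octets)
"""

# Banner: "+OK" greeting ending in the <...> timestamp.
BANNER_RE = re.compile(r"^S: \+OK .*?(<[^<>\s]+>)\s*$")
# Client command: APOP <user> <32 hex digit MD5 digest>.
APOP_RE = re.compile(r"^C: APOP (\S+) ([0-9a-fA-F]{32})\s*$")


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the banner timestamp (angle brackets included) + shared secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def parse_exchange(transcript: str) -> dict:
    """Extract what a passive observer sees: timestamp, user name and digest."""
    found = {}
    for line in transcript.splitlines():
        if (m := BANNER_RE.match(line)) and "timestamp" not in found:
            found["timestamp"] = m.group(1)
        elif m := APOP_RE.match(line):
            found["user"], found["digest"] = m.group(1), m.group(2).lower()
    missing = {"timestamp", "user", "digest"} - found.keys()
    if missing:
        raise ValueError(f"not an APOP exchange, missing: {sorted(missing)}")
    return found


def secret_matches(exchange: dict, candidate: str) -> bool:
    """True if `candidate` reproduces the digest seen on the wire."""
    return hmac.compare_digest(
        apop_digest(exchange["timestamp"], candidate), exchange["digest"])


if __name__ == "__main__":
    ex = parse_exchange(TRANSCRIPT)
    print(ex)
    print("tanstaaf matches:", secret_matches(ex, "tanstaaf"))
```

The timestamp plays the role of the salt and is placed before the secret, so the security of the exchange rests entirely on the strength of the shared secret.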
Now we know that the salt in this challenge is <1755.1.5f403625.BcWGgpKzUPRC8vscWn0wuA==@vps-7e2f5a72>
And we also know the hash of the password+salt is 4ddd4137b84ff2db7291b568289717f0
Now we will use the hashcat tool to crack the password.
Hashcat Command
hashcat -a 0 -m 20 <hashfile_name.txt> <wordlist.txt>
- -a = Attack mode
- -m = Hash Type
- I used the rockyou.txt wordlist
To save the hash_name.txt in the right format, read this article: Example hashes.