Jasper Alblas
TryHackMe: Hashing - Crypto 101 – Complete Walkthrough
Cryptography is essential in security. In this walkthrough of the Crypto 101 room on THM we will cover hashing!
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/hashingcrypto101
Table of Contents
Task 1: Key Terms
Before we start, we need to get some jargon out of the way.
Read these, and take in as much as you can. We’ll expand on some of them later in the room.
Plaintext — Data before encryption or hashing, often text but not always as it could be a photograph or other file instead.
Encoding — This is NOT a form of encryption, just a form of data representation like base64 or hexadecimal. Immediately reversible.
Hash — A hash is the output of a hash function. Hashing can also be used as a verb, “to hash”, meaning to produce the hash value of some data.
Brute force — Attacking cryptography by trying every different password or every different key
Cryptanalysis — Attacking cryptography by finding a weakness in the underlying maths
This room will likely involve some research. Get good at using search engines, it’s crucial to infosec.
Questions
Read the words, and understand the meanings! Is base64 encryption or encoding?
Answer: encoding
Task 2: What is a hash function?
A hash function takes an input of any size and produces a fixed-size output (digest). Unlike encryption, there’s no key, and reversing the process is extremely difficult. A good hash function ensures that even a tiny change in input drastically changes the output. The result is usually encoded in formats like hexadecimal or base64.
Why It Matters
Hashing is widely used in cybersecurity, particularly for password verification. When you log into a system, it checks your stored hash instead of your actual password.
Hash Collisions
A hash collision occurs when two different inputs produce the same hash. While rare in strong algorithms, it’s inevitable due to the limited number of possible outputs. MD5 and SHA1 have been compromised through collision attacks, making them unsuitable for security purposes.
Questions
What is the output size in bytes of the MD5 hash function?
Read carefully. The output of the MD5 hash function is 128 bits large. Divide that by 8 (number of bits in a byte) and you get 16.
Answer: 16
Can you avoid hash collisions? (Yea/Nay)
You have have any output, but can expect a set number of outputs. Therefore hash collisions are theoretically impossible to avoid.
Answer: Nay
If you have an 8 bit hash output, how many possible hashes are there?
8 bits give 256 possibilities (2 ^8).
Answer: 256
Task 3: Uses for hashing
Storing passwords in plaintext is dangerous, as seen in past data breaches (e.g., RockYou, Adobe, LinkedIn). Encrypting passwords is also insecure if the key is exposed.
Instead, hashing is used for password storage. By storing only the hash of a password, even if the database is leaked, attackers must crack each password individually. However, hashing alone has weaknesses:
- Duplicate Passwords: Users with the same password will have the same hash, making attacks easier.
- Rainbow Tables: Precomputed tables map hashes to plaintext passwords, allowing quick cracking.
Protection Against Rainbow Tables
To counteract this, a salt (a unique, random value) is added to each password before hashing. This ensures that even identical passwords generate different hashes, preventing precomputed attacks. Modern hashing algorithms like bcrypt and sha512crypt automatically incorporate salting. Salts don’t need to be secret but must be unique per user.
Questions
Crack the hash “d0199f51d2728db6011945145a1b607a” using the rainbow table manually.
Simply find the hash in the rainbow table and fits its value.
Answer: basketball
Crack the hash “5b31f93c09ad1d065c0491b764d04933” using online tools
Go the https://hashes.com/en/decrypt/hash and enter the above hash.
Answer: encoding
Should you encrypt passwords? Yea/Nay
No. It is possible to encrypt password, but you still need to store the key somewhere. If this gets stolen you can easily decrypt the password. So…encrypting? NO. Hashing? Yes.
Answer: Nay
Task 4: Recognising password hashes
Automated hash recognition tools like hashID can help but are often unreliable, especially for formats without prefixes. Context is crucial—MD5 is more common in web databases, while NTLM is used for Windows passwords.
Recognizing Unix & Windows Hashes
- Unix-style hashes have a clear format: $format$rounds$salt$hash.
- $1$: md5crypt (used in older systems & Cisco devices).
- $2$, $2a$, $2b$, $2x$, $2y$: bcrypt (popular for web applications).
- $6$: sha512crypt (default on most Linux systems).
- Linux password hashes are stored in /etc/ shadow (root access required).
- Windows hashes are stored in the SAM file, containing NT (NTLM) and LM hashes. Tools like Mimikatz can extract them.
For other hash types, use hash length, encoding, or research to determine the format. The Hashcat example page (https://hashcat.net/wiki/doku.php?id=example_hashes) is a great reference.
Questions
How many rounds does sha512crypt ($6$) use by default?
If you do not use the rounds option when running sha512crypt, the number of rounds is set to 5000. Source: https://wiki.archlinux.org/title/SHA_password_hashes
Answer: 5000
What’s the hashcat example hash (from the website) for Citrix Netscaler hashes?
A quick google search on “Citrix Netscaler hash” brought me to the following website:
https://hashcat.net/wiki/doku.php?id=example_hashes
Answer: 1765058016a22f1b4e076dccd1c3df4e8e5c0839ccded98ea
How long is a Windows NTLM hash, in characters?
Same website and table as above. You lookup NTLM in the table and find that the hash is 32 characters long.
Answer: 32
Part 5: Password Cracking
Hashes can’t be decrypted; they must be cracked by hashing different inputs until a match is found. Tools like Hashcat and John the Ripper are commonly used for this.
Why Use GPUs for Cracking?
GPUs have thousands of cores optimized for hash function calculations, making them much faster than CPUs for cracking most hashes. However, bcrypt is designed to resist GPU acceleration.
Cracking on Virtual Machines
VMs usually lack direct access to the host’s GPU, making Hashcat slower unless configured with OpenCL. John the Ripper, which runs on CPUs, works fine in a VM but performs better on a host OS.
Important Warning
Never use –force in Hashcat—it can lead to false positives and negatives, making cracking unreliable.
Now, it’s time to crack some hashes using online tools, wordlists (like Rockyou), or brute force with Hashcat/John the Ripper!
Questions
Crack this hash: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG
Start by adding the hash to a text file:
echo '$2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG' > hash.txtPay attention to the prefix. This points us to the hash type bcrypt (See task 4). Then run the following command using John the Ripper:
john hash.txt -format=bcrypt — wordlist=/usr/share/wordlists/rockyou.txtAnswer: 85208520
Crack this hash: 9eb7ee7f551d2f0ac684981bd1f1e2fa4a37590199636753efe614d4db30e8e1
This apparantely is in a SHA2–256 hash format, which I found about here:
https://www.tunnelsup.com/hash-analyzer
john hash.txt -format=raw-sha256 — wordlist=/usr/share/wordlists/rockyou.txtAnswer: halloween
Crack this hash: $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0
This is of the hash format sha512crypt (see previous task). The command is therefore:
john hash.txt — format=sha512crypt — wordlist=/usr/share/wordlists/rockyou.txtAnswer: spaceman
Bored of this yet? Crack this hash: b6b0d451bbf6fed658659a9e7e5598fe
This hash is of type MD4 or MD5, which I found about here:
https://www.tunnelsup.com/hash-analyzer
John The Ripper has trouble figuring this one out, so I used https://hashes.com/en/tools/hash_identifier instead.
Answer: funforyou
Part 6: Hashing for integrity checking
Hashing ensures file integrity by producing a consistent output for the same input. E modifications,change and identifying duplicates.ven a single-bit results in a completely different hash, making it useful for verifying file integrity, detecting
HMAC (Hash-based Message Authentication Code) enhances security by combining a cryptographic hash with a secret key. It ensures both authenticity (verifying the sender) and integrity (ensuring data hasn’t been altered). For example, TryHackMe VPN uses HMAC-SHA512 for message authentication.
Questions
What’s the SHA1 sum for the amd64 Kali 2019.4 ISO? http://old.kali.org/kali-images/kali-2019.4/
It’s the first one on the list here:
http://old.kali.org/kali-images/kali-2019.4/SHA1SUMS
Answer: 186c5227e24ceb60deb711f1bdc34ad9f4718ff9
What’s the hashcat mode number for HMAC-SHA512 (key = $pass)?
The hashcat mode number for the hash-name HMAC-SHA512 can be found here:
https://hashcat.net/wiki/doku.php?id=example_hashes
Answer: 1750
That was it folks, for this walkthrough of the Hashing – Crypto 101 Room on TryHackMe! It’s quite a difficult subject, but I hope you ended up a bit wiser nonetheless 🙂
You can find more of my walkthroughs here.
Like my articles?
You are welcome to comment on this article, or share it with friends!
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
