Given the following data from a Google document .
7b 0a 20 a0 22 65 76 e5 6e 74 22 ba 20 22 70 e1 73 73 77 ef 72 64 5f e3 68 61 6e e7 65 22 2c 8a 20 20 22 f5 73 65 72 ee 61 6d 65 a2 3a 20 22 e2 63 6f 6c ec 69 6e 22 ac 0a 20 20 a2 6f 6c 64 df 70 61 73 f3 77 6f 72 e4 22 3a 20 a2 3a 5c 78 c3 37 5c 78 c6 34 5c 6e dc 78 41 46 a9 29 37 43 dc 78 31 35 dc 78 44 30 dc 78 46 33 dc 78 44 45 e9 55 3b 22 ac 0a 20 20 a2 6e 65 77 df 70 61 73 f3 77 6f 72 e4 22 3a 20 a2 39 5c 78 c6 41 5c 78 b9 39 5c 78 c3 41 5c 78 c5 44 5c 78 c6 32 58 53 c7 5c 78 44 c4 2d 5c 78 c3 32 5c 78 b8 45 7a 48 eb 22 2c 0a a0 20 22 74 e9 6d 65 73 f4 61 6d 70 a2 3a 20 31 b5 30 31 38 b5 38 38 36 b0 30 30 30 8a 7d 0a
Check the data
$ pbpaste | xxd -r -p
Where xxd is a hexdump tool.
{ ?"ev?nt"? "p?ssw?rd_?han?e",? "?ser?ame?: "?col?in"? ?old?pas?wor?": ?:\x?7\x?4\n?xAF?)7C?x15?xD0?xF3?xDE?U;"? ?new?pas?wor?": ?9\x?A\x?9\x?A\x?D\x?2XS?\xD?-\x?2\x?EzH?", ? "t?mes?amp?: 1?018?886?000?}The data is mangled. From the Google doc description, there needs to be some bit manipulation
Save the corrupt data
$ pbpaste | xxd -r -p > corrupt_data
python script to deal with mangled bits
import sys from functools import partialwith open('corrupt_data', 'rb') as in_file:
for data in iter(partial(in_file.read, 1), b''):
x = int.from_bytes(data, byteorder='big')
sys.stdout.write((chr(x&0b01111111))) # Fix "shifted" bits
$ python3 dirty.py { "event": "password_change", "username": "bcollin", "old_password": ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;", "new_password": "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk", "timestamp": 1501858860000 }Verify the timestamp
$ date -r 1501858860 Fri Aug 4 11:01:00 AST 2017Get the hex value for the password since the current format doesn’t do us any good.
$ python >> ":\xC7\xF4\n\xAF))7C\x15\xD0\xF3\xDEiU;".encode('hex') '3ac7f40aaf2929374315d0f3de69553b' >> "9\xFA\x99\xCA\xED\xF2XSG\xDD-\xC2\x8EzHk".encode('hex') '39fa99caedf2585347dd2dc28e7a486b'Take the last hint and literally reverse as the hex encoded string
$ python >> '3ac7f40aaf2929374315d0f3de69553b'[::-1] 'b35596ed3f0d5134739292faa04f7ca3' >> '39fa99caedf2585347dd2dc28e7a486b'[::-1] 'b684a7e82cd2dd7435852fdeac99af93'The two hashes are
‘b35596ed3f0d5134739292faa04f7ca3’
‘b684a7e82cd2dd7435852fdeac99af93’
Googling for these strings yield
old_password -> b35596ed3f0d5134739292faa04f7ca3:p4ssw0rd new_password -> b684a7e82cd2dd7435852fdeac99af93:thisiscrazyCan recheck for one of the hashes, that it is indeed a md5 operation done twice
$echo -n "thisiscrazy" | md5 5990027d60d655641fb35b1e3dca9e75$ echo -n "5990027d60d655641fb35b1e3dca9e75" | md5
b684a7e82cd2dd7435852fdeac99af93
References
http://md5decoder.org/
https://crackstation.net/
https://www.ccs.neu.edu/home/cbw/static/class/5600/slides/12_Auth_and_Access.pptx