Swamp CTF 2025 - Crypto - Rock my Password Walkthrough
- Akshay Jain
- Apr 1
Swamp CTF 2025 Crypto Challenge: Rock my Password
Description:
I've come up with an extremely secure(tm) way to store my password, no one will be able to reverse it! I've hashed it with md5 100 times, then sha256 100 times, then sha512 100 times! There's no way you're going to be able to undo it >:3 I'll even tell you it was in the RockYou database, and the password is 10 characters long, that's how confident I am!
The flag is in the format: swampCTF{RockYouPassword}
Hashed Password (Flag): f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc
Note: The entire flag (swampCTF{rockyoupassword}) was hashed to get the provided hash, not just rockyoupassword
Walkthrough:
The challenge description gives a clear blueprint for our approach:
1. Extract passwords from the RockYou wordlist of length 10.
2. Wrap each password in the given flag format (swampCTF{password}) before hashing.
3. Apply the exact hashing process described:
   - MD5 (100 times)
   - SHA-256 (100 times)
   - SHA-512 (100 times)
4. Compare the final hash to the given one.
5. If a match is found, print the flag.
Since we know both the password format and final hash, the task is straightforward - just a matter of iterating through potential passwords efficiently.
Here is the Python script that automates the process:
import hashlib

# Given final hashed flag
target_hash = "f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc"

# Path to RockYou wordlist (ensure it's available)
rockyou_path = "rockyou.txt"

# Function to perform the multi-hashing process
def multi_hash(password):
    # Format the full flag string
    flag = f"swampCTF{{{password}}}".encode()
    # Hash 100 times with MD5
    for _ in range(100):
        flag = hashlib.md5(flag).digest()
    # Hash 100 times with SHA-256
    for _ in range(100):
        flag = hashlib.sha256(flag).digest()
    # Hash 100 times with SHA-512
    for _ in range(100):
        flag = hashlib.sha512(flag).digest()
    # Return the final hash in hexadecimal format
    return flag.hex()

# Open and read the RockYou wordlist
with open(rockyou_path, "r", encoding="latin-1") as file:
    for line in file:
        password = line.strip()
        if len(password) == 10:  # We know the password length is 10
            if multi_hash(password) == target_hash:
                print(f"Flag found: swampCTF{{{password}}}")
                break
How It Works:
1. Reads passwords from the RockYou wordlist.
2. For each password:
   - Wraps it in swampCTF{} to match the original flag format.
   - Hashes it 100 times with MD5, 100 times with SHA-256, and 100 times with SHA-512.
   - Compares the final hash to the given one.
3. If a match is found, prints the flag.
Running the script successfully recovers the original password within a few seconds (depending on system performance and wordlist size).
Upon execution, the output reveals the flag:

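The storage-side lesson of this challenge, as an added example that is not part of the original write-up: the chain is unsalted and costs only 300 fast hash calls per guess, so a wordlist pass is cheap, while a salted, memory-hard KDF makes every guess expensive and every stored record unique. The scrypt parameters, function names and sample inputs below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def chain_hash(data: bytes) -> bytes:
    """The challenge's scheme: 100x MD5, 100x SHA-256, 100x SHA-512, no salt."""
    for algo in (hashlib.md5, hashlib.sha256, hashlib.sha512):
        for _ in range(100):
            data = algo(data).digest()
    return data

# Assumed scrypt cost parameters for illustration: about 16 MiB of memory per guess.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}

def store(password: bytes) -> tuple:
    """Return (salt, digest); a fresh random salt makes every record unique."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS)

def verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)

def seconds_per_guess(hash_fn, guesses: int) -> float:
    """Average wall-clock cost of one guess for hash_fn."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(b"swampCTF{constructed%02d}" % i)  # constructed inputs, not real data
    return (time.perf_counter() - start) / guesses

def compare_costs() -> tuple:
    """Return (chain_cost, scrypt_cost) in seconds per guess on this machine."""
    fixed_salt = os.urandom(16)
    chain = seconds_per_guess(chain_hash, 200)
    kdf = seconds_per_guess(
        lambda pw: hashlib.scrypt(pw, salt=fixed_salt, **SCRYPT_PARAMS), 5)
    return chain, kdf

if __name__ == "__main__":
    chain, kdf = compare_costs()
    print(f"300-round chain: {chain * 1e6:.0f} us per guess")
    print(f"scrypt:          {kdf * 1e3:.1f} ms per guess ({kdf / chain:.0f}x)")
    salt, digest = store(b"swampCTF{constructed}")
    print("verify ok:", verify(b"swampCTF{constructed}", salt, digest))
```

Multiplying the measured per-guess cost by the number of candidates in a wordlist gives the time a full dictionary pass would take under each scheme.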
That’s it for this CTF write-up! I hope you found this walkthrough insightful and enjoyable. If you have any thoughts, feel free to share them in the comments. Would you like to see more CTF challenges broken down like this?
- AJ
Let me know if you would like me to upload all these files in a github repository for a much easier access! Feel free to browse through my Github profile and follow if you like what you see! https://github.com/akshayjain-1