AUCTF 2020 – Mental Writeup


Password Format: Color-Country-Fruit

Hash: 17fbf5b2585f6aab45023af5f5250ac3

By analyzing the information provided we realized that the hash is probably a MD5 one because it is 32 characters long and hex-encoded.

Using hash-identifier on Kali Linux returns the same result:


The first thing we tried was a rainbow table attack where we compared the hash with pre-computed hashes to see if there is a match.

However, this type of attack failed:


So, we moved on and decided to brute-force the password.

We downloaded some wordlists containing a bunch of color, country and fruit names.

Here are the links to them:

Then we converted every word in those files to the title format, which means that the first letter of the words will be capitalized. You can use a website like ConvertCase to achieve that.

We also built a Python program to concatenate the words together using the format given (Color-Country-Fruit), create a MD5 hash using the string and then compare it to the given hash:

import hashlib

for color in open("colors.txt", "r"):
    color = color.strip()
    for country in open("countries.txt", "r"):
        country = country.strip()
        for fruit in open("fruit.txt", "r"):
            fruit = fruit.strip()
            passwd = "{}-{}-{}".format(color, country, fruit)
            passwd_hash = hashlib.md5(passwd.encode()).hexdigest()
            if (passwd_hash == "17fbf5b2585f6aab45023af5f5250ac3"):

If there is a match, we print the password to the screen. Simple as that:


That way we could determine the password and, consequently, the flag.

This challenge was solved by my team, ducks0ci3ty.