Description
I met Willow a few years ago, and she helped me with some things at recruitment.camp. To speed up our communication, I gave her an email at recruitment.camp. But I had to learn how to create a professional email address, especially Willow didn’t want to have a dot in the email address.
Her email is the password to the file below (Download file).
Hint: Don’t let bounce, disposable, spam-trap and deactivated emails decrease your sending reputation.
Note: Do not contact Willow or the owner (me) of recruitment.camp via email or contact form on the site! Be a sourcer, the hint is enough. Spamming will get your IP blocked.
Please do not play these games if you cannot follow the simple rules above!
Instructions
Find the e-mail address and open the file containing the password for next level.
Solution
The file is a .docx file. I opened it with LibreOffice Writer and it is password protected. Based on the description, the password is Willow’s email address, so I need to find her email address.
Clicking Willow’s name in the description opens her LinkedIn profile, which shows that her full name is “Willow Horton”.
When I click the Contact Info button, there is no email address.
Based on the hint, Willow’s email address is at the recruitment.camp domain. You can also confirm it by visiting the company’s Terms of Service page, which mentions that the company’s email address is support AT recruitment DOT camp.
So, we can use a search engine like Google to find her email address. I used the following search query:
"Willow Horton" email site:recruitment.camp
But it didn’t return any results.
In my experience, companies use a handful of common email address formats, such as:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
5. [email protected]
6. [email protected]
etc.
Example:
1. [email protected]
2. [email protected]
3. [email protected]
4. [email protected]
5. [email protected]
6. [email protected]
etc.
To automate the process, we can use a tool like Email Permutator+. Enter the first name, the last name and the domain name, then click the Permutate button. It will generate the email address permutations.
Result:
The tool generated 34 email addresses.
After that, we can verify the email addresses using a tool like the email address verification tool from Email Hippo. Enter an email address and click the GO button. It will check whether the email address is valid. But skip any email that contains a dot (.) in the email address, because the description mentioned that Willow didn’t want to have a dot in the email address.
“But I had to learn how to create a professional email address, especially Willow didn’t want to have a dot in the email address.”
After trying some of the email addresses, I found the valid one, which is [email protected].
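The permutation step and the no-dot rule above, as an added example (not code from the original write-up or from Email Permutator+): it builds candidate addresses from a first name, last name and domain, then drops those with a dot before the @. The name Jane Doe, the example.com domain, the separator set and the function names are constructed for illustration.

```python
from itertools import product

# Assumed set of joiners commonly seen between name parts.
SEPARATORS = ("", ".", "_", "-")


def candidate_addresses(first, last, domain):
    """Build candidate addresses from full names and initials, in both orders."""
    f, l = first.strip().lower(), last.strip().lower()
    if not (f.isalpha() and l.isalpha()):
        raise ValueError("names must be non-empty and alphabetic")
    local_parts = [f, l]  # first name alone, last name alone
    for a, b, sep in product((f, f[0]), (l, l[0]), SEPARATORS):
        local_parts += [a + sep + b, b + sep + a]
    # dict.fromkeys removes duplicates while keeping generation order,
    # e.g. when a name is a single letter and equals its own initial.
    return [f"{lp}@{domain}" for lp in dict.fromkeys(local_parts)]


def without_dot(addresses):
    """Keep only addresses whose local part (before the @) has no dot."""
    return [a for a in addresses if "." not in a.rsplit("@", 1)[0]]


if __name__ == "__main__":
    # Constructed input: a made-up name on a reserved example domain.
    everything = candidate_addresses("Jane", "Doe", "example.com")
    shortlist = without_dot(everything)
    print(f"{len(everything)} candidates, {len(shortlist)} without a dot")
    for address in shortlist:
        print(address)
```

Writing the shortlist to a file, one address per line, gives the kind of email.txt wordlist used in the next section.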
The Hacker’s Way
You can also use brute-force tools such as John the Ripper, hashcat, etc. to find the password, so you don’t need to verify the email addresses one by one.
In this case, I used Hashcat to crack the password. I don’t know why, but when using John the Ripper the cracking process failed with the error message No password hashes loaded (see FAQ). The command I used is:
john --wordlist=email.txt hash.txt
Because of that, I used Hashcat instead.
To crack the password using Hashcat, we need to do the following steps:
1. Copy the generated email addresses to a text file. Example: email.txt
2. Get the hash of the .docx file using the office2john.py script from John the Ripper. You can download the script from here. The command is:
python office2john.py willow.docx > hash.txt
The hash.txt file will contain the hash of the .docx file. But Hashcat can’t crack the hash directly. We need to modify it a bit. To do this, all we need to do is delete the string willow.docx: in front of the hash so that the hash looks like this:
$office$*2013*100000*256*16*2eeab931fa9e5ff11ccdb3f914b94097*16924192d4df74f4ef0182357c4ae292*84fa257b4baa1e107b9c0368bc0b711e6d6905048a5b4e1ec7ec1a16284176ff
3. Crack the hash using Hashcat. The command is:
hashcat -a 0 -m 9600 hash.txt email.txt
-a 0 is the attack mode. It’s straight mode.
-m 9600 is the hash type. It’s for MS Office 2013 files.
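The prefix-stripping step above, as an added example (not from the original write-up, John the Ripper or Hashcat): it drops the file name that office2john.py writes before the hash, checks that the rest has the $office$ layout shown above, and returns the mode used on this page. The field names and the function name are assumptions read off the values in the page's hash; the sample line is that hash with its willow.docx: prefix restored.

```python
import re

# Mode for "$office$*2013*" hashes, as used in the hashcat command on this page.
HASHCAT_MODE = {"2013": 9600}

# Field names are this example's reading of the page's hash, not official names.
OFFICE_RE = re.compile(
    r"\$office\$\*(?P<version>\d{4})\*(?P<iterations>\d+)\*(?P<key_bits>\d+)"
    r"\*(?P<salt_len>\d+)\*(?P<salt>[0-9a-f]+)"
    r"\*(?P<verifier>[0-9a-f]+)\*(?P<verifier_hash>[0-9a-f]+)$"
)

# The page's hash with the "willow.docx:" prefix that office2john.py writes.
SAMPLE = (
    "willow.docx:$office$*2013*100000*256*16*"
    "2eeab931fa9e5ff11ccdb3f914b94097*16924192d4df74f4ef0182357c4ae292*"
    "84fa257b4baa1e107b9c0368bc0b711e6d6905048a5b4e1ec7ec1a16284176ff"
)


def to_hashcat(line):
    """Return (bare_hash, hashcat_mode, fields) for one office2john line."""
    match = OFFICE_RE.search(line.strip())
    if match is None:
        raise ValueError("no $office$ hash found on this line")
    fields = match.groupdict()
    # A hex-encoded salt is twice as long as its declared byte length.
    if len(fields["salt"]) != 2 * int(fields["salt_len"]):
        raise ValueError("salt length does not match the declared size")
    mode = HASHCAT_MODE.get(fields["version"])
    if mode is None:
        raise ValueError(f"no mode listed here for version {fields['version']}")
    return match.group(0), mode, fields


if __name__ == "__main__":
    bare, mode, fields = to_hashcat(SAMPLE)
    print(f"-m {mode}  iterations={fields['iterations']}")
    print(bare)
```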
After the process is finished, we can see the password, which is [email protected].
I used the email address as the password to open the .docx file and we can see the actual password of the challenge:
Flag/Password
sourcingfun