← All Writeups

TryHackMe — Crack the Hash

TryHackMe Crypto Easy June 6, 2026
hash-crackinghashcatmd5sha1sha256bcryptntlmrockyou

A two-level hash cracking challenge covering MD5, SHA-1, SHA-256, bcrypt, NTLM, and salted variants — using online tools for the simple ones and Hashcat with rockyou.txt for the rest.

Introduction

Hash cracking is the process of recovering a plaintext value from its hashed representation. It’s a core skill in CTFs and real-world assessments — password dumps, leaked databases, and forgotten credentials all share one thing: they’re almost always hashed, and that hash is only as strong as the algorithm and the password behind it.

This room — Crack the Hash — has two levels. Level 1 tests whether you can identify hash types and crack common passwords using online tools. Level 2 introduces salted hashes and weaker algorithms that require local cracking with Hashcat and a wordlist.


Identifying Hash Types

Before cracking anything, you need to know what you’re dealing with. Hash algorithms produce fixed-length outputs, and that length — combined with any prefix format — tells you most of what you need.

AlgorithmOutput LengthHashcat ModeNotes
MD532 hex chars-m 0Most common, least secure
MD432 hex chars-m 900Often misidentified as MD5
NTLM32 hex chars-m 1000Windows password hashes
SHA-140 hex chars-m 100Deprecated but still common
SHA-1 + salt40 hex chars-m 110sha1($pass.$salt)
SHA-25664 hex chars-m 1400Current standard
SHA-512cryptStarts with $6$-m 1800Linux /etc/shadow format
bcryptStarts with $2y$ or $2b$-m 3200Adaptive, intentionally slow

When format alone isn’t enough, hash-identifier (Linux) or Hashcat’s example hashes page are the fastest references.

# Install and run hash-identifier
sudo apt install hash-identifier
hash-identifier

Paste the hash in and it will rank the most likely algorithm. For anything with a $ prefix, the format is self-describing. NTLM is the most common trap — it produces 32 hex chars like MD5 and MD4, but requires its own Hashcat mode and won’t crack under -m 0.

GPU vs CPU: Hashcat runs dramatically faster on a GPU (-D 2). If you’re on a VM (TryHackMe AttackBox, Kali in VirtualBox), you won’t have GPU access — Hashcat will fall back to CPU. For most Level 1 hashes this won’t matter, but bcrypt and SHA-512crypt are orders of magnitude slower without GPU acceleration.


Level 1

Level 1 hashes are all unsalted and map to common passwords. An online lookup service like CrackStation or hashes.com will resolve most of them instantly — they compare your hash against pre-computed rainbow tables of billions of known passwords.


Hash 1 — MD5

48bb6e862e54f2a795ffc4e541caed4d

32 hex characters → MD5.

CrackStation finds this immediately. The plaintext is easy — as advertised.

MD5 was designed in 1992 and is completely broken for security purposes. It’s still everywhere in legacy systems, which is why cracking it is trivially fast.


Hash 2 — SHA-1

CBFDAC6008F9CAB4083784CBD1874F76618D2A97

40 hex characters → SHA-1.

Also found instantly via CrackStation. Plaintext: password123.

SHA-1 has been cryptographically broken since 2017 (full collision demonstrated). Like MD5, it’s fast to compute which makes brute-force and rainbow table attacks practical.


Hash 3 — SHA-256

1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032

64 hex characters → SHA-256.

Plaintext: letmein. Still crackable via CrackStation because letmein is one of the most common passwords in existence — it’s in every major wordlist and therefore every rainbow table.

SHA-256 is secure as an algorithm. The weakness here is the password, not the hash.


Hash 4 — bcrypt

$2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom

The $2y$ prefix identifies this as bcrypt. The 12 is the cost factor — each increment doubles the computation time. At cost 12, a single hash takes roughly 250ms to compute, which means an attacker testing one million passwords needs weeks on consumer hardware.

CrackStation will not help here — bcrypt was specifically designed to defeat rainbow tables (it includes a per-hash salt) and to be slow (so bulk cracking is impractical).

For a short password against a known wordlist, Hashcat can still find it:

hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: bleh. bcrypt’s protection comes from slowing down the attacker, not from hiding the password — short or common passwords are still vulnerable, just slower to find.


Hash 5 — MD4

279412f945939ba78ce0758d3fd83daa

32 hex characters — looks like MD5, but CrackStation doesn’t find it under MD5. Running it through hash-identifier flags it as MD4, the predecessor to MD5 (even weaker, almost never used in modern systems).

Try hashes.com with MD4 selected, or crack it locally:

hashcat -m 900 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: Eternity22.

The lesson: two hashes can be the same length but different algorithms. If an online tool returns nothing, try a different algorithm — don’t assume the tool tried all of them.


Level 2

Level 2 raises the bar. All answers come from rockyou.txt, but online rainbow tables won’t help — these hashes are either from algorithms with no public lookup tables (NTLM, SHA-512crypt) or are salted. You’ll need Hashcat running locally.

Save each hash to a file before running the commands below.


Hash 1 — SHA-256

F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85

64 hex chars → SHA-256. Hashcat mode -m 1400.

echo "F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85" > hash.txt
hashcat -m 1400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: paule. A name, short, directly in rockyou — cracks in seconds.


Hash 2 — NTLM

1DFECA0C002AE40B8619ECF94819CC1B

32 hex chars that CrackStation doesn’t recognise → NTLM (Windows NT LAN Manager hash). NTLM uses MD4 internally but with a different encoding that rainbow tables for plain MD5/MD4 won’t match.

Hashcat mode -m 1000.

echo "1DFECA0C002AE40B8619ECF94819CC1B" > hash.txt
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: n63umy8lkf4i. A seemingly random string — but it’s in rockyou.txt, which is why the challenge tells you to use it.

NTLM hashes are what you extract from Windows systems using tools like Mimikatz or from SAM database dumps. Cracking them is a staple of post-exploitation.


Hash 3 — SHA-512crypt (Salted)

$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.

The $6$ prefix is SHA-512crypt — the format used in Linux /etc/shadow files. The salt (aReallyHardSalt) is embedded in the hash string itself, between the second and third $.

Hashcat mode -m 1800. The full hash string (including the salt) goes directly into the hash file — Hashcat parses the salt out automatically.

echo '$6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02.' > hash.txt
hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: waka99.

Use single quotes around the hash string to prevent the shell from interpreting the $ signs as variable expansions.


Hash 4 — HMAC-SHA1 (Salted)

e5d8870e5bdd26602cab8dbe07a942c8669e56d6
Salt: tryhackme

40 hex chars → SHA-1 family. The provided salt means this is a salted SHA-1 variant. Hashcat’s mode -m 110 handles sha1($pass.$salt). The hash file uses a colon separator: hash:salt.

echo "e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme" > hash.txt
hashcat -m 110 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Plaintext: 481616481616.

If mode 110 returns nothing, try mode 120 (sha1($salt.$pass)) — the order of concatenation changes the output hash entirely, and the challenge may use either.


Conclusion

Hash cracking follows a simple decision tree: identify the algorithm, check whether it’s salted, then choose your tool accordingly.

Online tools (CrackStation, hashes.com) are fast for unsalted MD5, SHA-1, and SHA-256 against common passwords — use them first. They fail against salted hashes (the salt breaks rainbow table lookups) and against bcrypt (designed to be too slow for bulk lookup).

Hashcat handles everything else. The critical skill is picking the right mode — the Hashcat example hashes page is the fastest reference for matching a format to a mode number.

Key takeaways:

  • Hash length alone doesn’t identify the algorithm — MD5, MD4, and NTLM all produce 32 hex characters.
  • Salts don’t make weak passwords strong; they make rainbow tables useless. Hashcat with rockyou.txt will still find short or common passwords.
  • bcrypt and SHA-512crypt are the hashes that actually slow attackers down — not because they’re uncrackable, but because each guess takes real time.
  • When a hash doesn’t crack, suspect the wrong mode before suspecting the wrong wordlist.