What's going on YouTube, my name is John Hammond and we have another captions-like video to show you guys. This is some footage again from the Rough Riders CTF that I played recently. I'm gonna showcase this footage later because it just goes through me solving the challenge, but I have the challenge prompt and the material so I can kind of recreate it here for you. The challenge is kind of visible on your right side here. HSRPOMI. Crack the encrypted HSRP passphrase and the clear text passphrase is the flag. So I was given a PCAP that I was able to download and work with and I have it saved here. I'll showcase this stuff in a second once mplayer lets me move it away. I've got Google ready for us so we can do our research and I can showcase this file here.

So I'm given the PCAP, right? Let's go ahead and work on this thing, hsrp.pcap, and I'll bring Wireshark down to show you. And it's a lot of this, whatever this is. I've never heard of HSRP before. I see it as a protocol and it looks like I have a lot of packets to work with. I didn't know what to do, right? This was new to me. So I went ahead and went to Google. Let's close out of Wireshark and get back to Google here. And I Googled "what is HSRP?" Wikipedia told me a little bit. Okay, it looks like some Cisco technology for handling routers. And assuming from the challenge prompt there is some sort of authentication and I needed to know a passphrase. So it wanted me to crack that passphrase, right? So I went to Google, let's just "crack HSRP". And I found some research and some stuff talking about John and John the Ripper. It looked like there was a script at some point called hsrp2john.py. And that's a pretty common format with some extra John the Ripper technology stuff. If you need to get it in the format for John the Ripper to work with, you'll often see like a zip2john or a 7z2john and stuff like that. And I tried to look for that.
I have John, the actual magnumripper community edition thing, the GitHub that I pulled down and stored in my opt directory because that's where I store all my tools. So I thought, okay, let's go into run. Let's try and find hsrp, but it's just not there. So I thought, man, okay, what happened to this thing? I went back to Google and I was looking around for "what is hsrp2john". And the result that came back was pcap2john. I was like, okay, was it renamed? Was it moved to something better? And it looks like, according to the git information, that is exactly what it was. Maybe they moved and merged it into some simple thing that will extract out a lot of different stuff. So I thought, okay, let's go ahead and try that. Do I have pcap2john? Looks like I did. Okay.

So I went ahead and ran this against that hsrp.pcap. It took a little bit of time. Eventually it spat out some hashes. There we go. Cool. I didn't really do a good job of piping that to a file or redirecting it or anything. It's probably still processing, but I think that's all that we need right now. Let's go ahead and just kind of call these hashes.txt and then I'll spit these in here. And then we can use John the Ripper to go ahead and crack these, right? So opt, John the Ripper, and then run, and the real john binary. I'll use --wordlist, which can be rockyou.txt. I'm just going to assume we're going to do a dictionary attack, right? Maybe the password that we're looking for is in rockyou.txt. It's a CTF, so it's got to be whatever. Let's pass in, pass in, wow, pass in hashes. And it looked like that wasn't there. "Loaded two different password hashes and two different salts", et cetera, et cetera. "No password hashes left to crack." Okay, so that happened because I still had the john.pot file in where John is stored. And that kind of had the cache of those passwords that I had cracked previously. So the solution is just go ahead and remove that john.pot file.
I had to locate it because I couldn't tell. Was it going to put it in my home directory? Is it going to put it in my directory? It is where you run John out of. So if you ever run into that issue, you can just remove it, and looks like it's already gone. Cool. So we can go ahead and do this. I removed it earlier because of testing. That's why it's already gone. So now we can just run hashes.txt with --wordlist and we'll run through it. Looks like it cracks it pretty quickly. It finds "Firebird's rule" and that should be the flag that we can go ahead and submit. That's all it is. That's all it was.

I'll bring down the video footage. So if you want to go ahead and see that, it's pretty much me doing the exact same thing that I just talked about and showed you how to do. Downloaded it, looked through the stuff. I ran tcpflow because that's just basic habit. There's some Katana stuff down there. I do the same research. I look around, I poke at it in Wireshark. I'll kind of breeze through this stuff here. But I find the exact same article. I find the exact same information and then I do the exact same thing. I've got John the Ripper with HSRP. I grab the hashes and run them through John the Ripper. So simple stuff. You saw me a moment ago. Go ahead and submit it. So there it is. "Firebird's rule", correct. So that's that challenge. I guess it's kind of pretty easy to capture the flag, get the "I believe" button. This is the technology. This is what I need to do with it. And there we were in first place, killing it. So cool. A lot of good stuff.

Thank you guys for watching. If you enjoyed this video, please do like, comment, and subscribe. I'd love to see you on PayPal. I'd love to see you on Patreon. I'd love to see you in the Discord server. That's an awesome community full of CTF players, hackers, and people that are way smarter than me. It's an awesome place to be. So please come hang out. I love you guys. I'll see you in the next video.
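To make the pcap2john step concrete, here is an added Python example (written for this page, not code from the video, the CTF, or the John the Ripper project) that does a small part of what pcap2john does for HSRP: walk a classic pcap, keep UDP port 1985 traffic, find the HSRP v1 MD5 authentication TLV and emit a john-style line per packet. The pieces that are my assumptions and not confirmed anywhere on this page: the HSRP v1 20-byte header plus a type 4 / 28-byte-body MD5 TLV (algorithm, padding, flags, source IP, key ID, 16-byte digest), the `<frame>:$hsrp$<salt hex>$<digest hex>` line layout, and treating every payload byte before the trailing 16-byte digest as the salt. The sample capture is constructed inline, and the MD5 computation john runs against each candidate key is not reproduced, so compare the output against real pcap2john output before relying on it.

```python
"""Pull HSRP v1 MD5-authentication material out of a classic pcap.

Added example, not pcap2john itself. Assumptions (not confirmed by the video):
HSRP v1 header is 20 bytes; MD5 auth is TLV type 4 with a 28-byte body ending
in the 16-byte digest; the john-style line is "<frame>:$hsrp$<salt>$<digest>"
with the salt being everything that precedes the digest.
"""
import struct

HSRP_PORT = 1985
HSRP_V1_HEADER_LEN = 20
TLV_MD5_AUTH = 4
MD5_DIGEST_LEN = 16


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap blob."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return (dst_port, payload) for an IPv4/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    dport, ulen = struct.unpack("!HH", udp[2:6])
    return dport, udp[8:ulen]


def hsrp_md5_hash_line(payload, frame_no):
    """Emit a john-style line for an HSRP v1 packet carrying an MD5 auth TLV."""
    if len(payload) < HSRP_V1_HEADER_LEN or payload[0] != 0:  # version 0 == HSRPv1
        return None
    off = HSRP_V1_HEADER_LEN
    while off + 2 <= len(payload):
        tlv_type, tlv_len = payload[off], payload[off + 1]
        end = off + 2 + tlv_len
        if end > len(payload):
            break
        if tlv_type == TLV_MD5_AUTH and tlv_len >= MD5_DIGEST_LEN:
            digest = payload[end - MD5_DIGEST_LEN:end]
            salt = payload[:end - MD5_DIGEST_LEN]  # assumption: digest covers all bytes before it
            return "%d:$hsrp$%s$%s" % (frame_no, salt.hex(), digest.hex())
        off = end
    return None


def extract_hsrp_hashes(pcap_bytes):
    """One crackable line per MD5-authenticated HSRP packet in the capture."""
    lines = []
    for frame_no, frame in enumerate(iter_pcap_frames(pcap_bytes), start=1):
        parsed = udp_payload(frame)
        if parsed is None or parsed[0] != HSRP_PORT:
            continue
        line = hsrp_md5_hash_line(parsed[1], frame_no)
        if line:
            lines.append(line)
    return lines


# --- constructed sample capture (not taken from the CTF pcap) ---------------
def _frame(hsrp_payload):
    udp = struct.pack("!HHHH", HSRP_PORT, HSRP_PORT, 8 + len(hsrp_payload), 0) + hsrp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 1, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 2])) + udp
    return bytes.fromhex("01005e000002" "001122334455" "0800") + ip


def build_sample_pcap(key_id=1, digest=bytes(range(16))):
    # v1 hello: version 0, op 0, state 16 (active), hello 3s, hold 10s, prio 100, group 1
    header = struct.pack("!8B", 0, 0, 16, 3, 10, 100, 1, 0) + b"cisco\x00\x00\x00" + bytes([10, 0, 0, 254])
    tlv_body = struct.pack("!BBH4sI", 1, 0, 0, bytes([10, 0, 0, 1]), key_id) + digest
    md5_hello = header + bytes([TLV_MD5_AUTH, len(tlv_body)]) + tlv_body
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in (_frame(header), _frame(md5_hello)):  # frame 1: cleartext auth only; frame 2: MD5 TLV
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for line in extract_hsrp_hashes(build_sample_pcap()):
        print(line)  # redirect into hashes.txt and hand that file to john
```

The printed lines go into a file that john consumes with `john --wordlist=rockyou.txt hashes.txt`; `john --show hashes.txt` then reads the cracked results back out of the pot file. Note where that pot file lives before wondering why a rerun reports nothing left to crack: a source build keeps it in the `run/` directory next to the binary, packaged builds commonly use `~/.john/john.pot`, and `--pot=NAME` points john at a different one if you would rather not delete it.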