What is up with this hardcoded credential?

I came across this hash from a buddy today. (066bae9070a9a95b3e03019db131cd40)

Anyway the hash comes up in articles such as this.

It claims the exploit uses a “hardcoded password NKDebug12#$%”. I tried running hashcat against this hash and it is not cracking it, something is off here lol.

hashcat -a 0 -m 0 hash.txt dict.txt --force

I’ve also tried -m 2400 and -m 2410

Now according to this article this credential uses some weird encoding? But I think this is specific to what is seen in his exploit, but I’m not sure.

A few notes on the “hashing” of the password, before we go any further. On these, in the config file, you will find a variable named PASSWD followed by an md5 hash. This md5 hash is md5($password.$auth_key), where the auth_key is a static value you can find by doing a GET / and parsing. There is a seemingly common one that I hardcoded into the RCE exploit as a fallback in case the page parser bullshit regex fails.

Yeah I just don’t understand this lol.

submitted by /u/realKevinNash

February 19, 2021
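
The construction described in the quoted article, md5($password.$auth_key), worked through as an added example (not code from the post or from the article): an audit check for whether a config file's PASSWD value corresponds to a known default password, and why a plain MD5 of the same password never matches. The auth_key value, the function names and the UTF-8 encoding are assumptions; the stored hash is constructed in the script, not taken from a device.

```python
import hashlib

def passwd_hash(password: str, auth_key: str) -> str:
    """md5($password.$auth_key): plain concatenation, hex digest.
    UTF-8 encoding is an assumption; the quoted article does not state it."""
    return hashlib.md5((password + auth_key).encode("utf-8")).hexdigest()

def plain_md5(password: str) -> str:
    """Unsalted MD5, the construction an unsalted raw-MD5 check assumes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def find_default(stored_hash: str, auth_key: str, candidates):
    """Return the candidate password whose keyed hash equals the PASSWD
    value from the config, or None if no known default is in use."""
    stored = stored_hash.strip().lower()
    for pw in candidates:
        if passwd_hash(pw, auth_key) == stored:
            return pw
    return None

# Constructed sample data: this auth_key is a placeholder, not a real device value.
SAMPLE_AUTH_KEY = "constructed-auth-key-0001"
KNOWN_DEFAULTS = ["admin", "NKDebug12#$%"]  # second entry is the password quoted in the post
SAMPLE_STORED = passwd_hash("NKDebug12#$%", SAMPLE_AUTH_KEY)

if __name__ == "__main__":
    print("PASSWD (constructed):", SAMPLE_STORED)
    print("plain md5 of password:", plain_md5("NKDebug12#$%"))
    print("default in use:", find_default(SAMPLE_STORED, SAMPLE_AUTH_KEY, KNOWN_DEFAULTS))
    # The same password with the auth_key left out does not reproduce PASSWD.
    print("matches without auth_key:", plain_md5("NKDebug12#$%") == SAMPLE_STORED)
```

Without the device's auth_key appended, the digest of the password alone is a different value, so a match requires both the PASSWD hash and the auth_key from the same device.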