I came across this hash from a buddy today. (066bae9070a9a95b3e03019db131cd40)
Anyway the hash comes up in articles such as this.
It claims the exploit uses a “hardcoded password NKDebug12#$%”. I tried running hashcat against this hash and it is not cracking it, something is off here lol.
hashcat -a 0 -m 0 hash.txt dict.txt --force
I’ve also tried -m 2400 and -m 2410
Now according to this article this credential uses some weird encoding? But I think this is specific to what is seen in his exploit, but I’m not sure.
A few notes on the “hashing” of the password, before we go any further. On these, in the config file, you will find a variable named PASSWD followed by an md5 hash. This md5 hash is md5($password.$auth_key), where the auth_key is a static value you can find by doing a GET / and parsing. There is a seemingly common one that I hardcoded into the RCE exploit as a fallback in case the page parser bullshit regex fails.
Yeah I just don’t understand this lol.
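Added example, not part of the original post or the quoted article: a config audit that checks whether a stored PASSWD value corresponds to a known default password under the md5($password.$auth_key) construction quoted above, and shows why a plain MD5 comparison (hashcat `-m 0`) does not match. The `PASSWD=<hash>` line format, the auth_key value and the sample config are constructed assumptions; the real auth_key is not given on this page.

```python
import hashlib
import hmac
import re

# Password string quoted in the post above.
DEFAULT_PASSWORD = "NKDebug12#$%"
# CONSTRUCTED placeholder: the real auth_key is not given on this page.
SAMPLE_AUTH_KEY = "EXAMPLE-AUTH-KEY"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def stored_hash(password: str, auth_key: str) -> str:
    """md5($password.$auth_key): the auth_key is appended like a salt."""
    return md5_hex(password + auth_key)


def parse_passwd(config_text: str):
    """Extract the 32-hex-digit PASSWD value (assumed 'PASSWD=<hash>' format)."""
    m = re.search(r'^[ \t]*PASSWD[ \t]*[=:]?[ \t]*"?([0-9a-fA-F]{32})"?[ \t]*$',
                  config_text, re.MULTILINE)
    return m.group(1).lower() if m else None


def audit(config_text: str, auth_key: str, candidates):
    """Return (password, construction) for the first candidate that matches
    the stored hash, or None if no candidate matches."""
    target = parse_passwd(config_text)
    if target is None:
        raise ValueError("no PASSWD hash found in config")
    for pw in candidates:
        # What hashcat -m 0 tests: unsalted md5(password).
        if hmac.compare_digest(md5_hex(pw), target):
            return pw, "md5(password)"
        # What the quoted article describes: md5(password + auth_key).
        # In hashcat terms this is a salted mode (md5($pass.$salt), -m 10)
        # with the input line written as hash:auth_key.
        if hmac.compare_digest(stored_hash(pw, auth_key), target):
            return pw, "md5(password+auth_key)"
    return None


# CONSTRUCTED sample config, built from the placeholder key above.
SAMPLE_CONFIG = ("MODEL=example\nPASSWD="
                 + stored_hash(DEFAULT_PASSWORD, SAMPLE_AUTH_KEY) + "\n")

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_AUTH_KEY, [DEFAULT_PASSWORD]))
```

A match under `md5(password+auth_key)` means the device is still using the default credential and the password should be changed.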