Statement: Someone was able to successfully break into the admin account!

Do you know what the old password was?

Flag format: The password, case insensitive

The challenge provides a JSON file containing logs.

These logs and scenarios are designed to be real-ish; they’re simpler, and because the entire data set covers 1hr, all malicious activity is conducted in a condensed time frame.

Searching in the logs, I find a log generated by the webmail indicating that the password for the account has been changed:

    "_time": "2021-01-01T09:26:52.000+0000",
    "sender": "",
    "recipient": "",
    "direction": "Outgoing",
    "outcome": "Unknown",
    "subject": "Your Password Has Been Changed",
    "attachments": "null",
    "logSource": "Webmail"

I notice that at the same timestamp, a URL with a base64 encoding is generated:

    "_time": "2021-01-01T09:26:52.000+0000",
    "origin": "",
    "site": "",
    "method": "GET",
    "referer": "",
    "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.36 Safari/537.36",
    "url": "",
    "logSource": "Http:Web"

I decode the string encoded in base64:

    echo "M2RjOTE5ZGUxODZkMWE4ZWU2MmZmZjkyZDgwODM5Zjc6NmQ3YzViM2U3OTZkODMzYjNmZGQ0MGY0Y2U1N2ZhY2Q=" | base64 -d

We get the following string corresponding to two MD5 hashes in the format oldpassword:newpassword:


I couldn’t get the password value by dictionary attack or brute force with hashcat, so I used an online tool.

Flag: ozzieozzieozzie
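
The manual correlation above (a "Your Password Has Been Changed" mail and an HTTP GET sharing the same `_time`, with a base64 value that decodes to `md5:md5`) can be automated as a log check. This is an added example, not part of the original writeup: the records are constructed on the model of the two entries shown, and the host, path and `token` parameter name in `url` are assumptions, since the page does not show the URL; only the base64 value comes from the writeup.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Base64 value taken from the writeup; everything else below is constructed.
TOKEN = ("M2RjOTE5ZGUxODZkMWE4ZWU2MmZmZjkyZDgwODM5Zjc6"
         "NmQ3YzViM2U3OTZkODMzYjNmZGQ0MGY0Y2U1N2ZhY2Q=")
LOGS = [  # constructed sample records (URL host/path/parameter are assumptions)
    {"_time": "2021-01-01T09:26:52.000+0000", "direction": "Outgoing",
     "subject": "Your Password Has Been Changed", "logSource": "Webmail"},
    {"_time": "2021-01-01T09:26:52.000+0000", "method": "GET",
     "url": "http://intranet.example/reset?token=" + TOKEN,
     "logSource": "Http:Web"},
    {"_time": "2021-01-01T09:30:10.000+0000", "method": "GET",
     "url": "http://intranet.example/index?page=aGVsbG8=",
     "logSource": "Http:Web"},
]

HASH_PAIR = re.compile(r"^([0-9a-f]{32}):([0-9a-f]{32})$", re.I)

def decode_hash_pair(value):
    """Return (old_md5, new_md5) if value is base64 of 'md5:md5', else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    m = HASH_PAIR.match(text)
    return (m.group(1).lower(), m.group(2).lower()) if m else None

def find_password_change_leaks(logs):
    """Flag HTTP requests that share a timestamp with a password-change
    mail and carry a base64-encoded pair of MD5 hashes in the query string."""
    change_times = {r["_time"] for r in logs
                    if r.get("logSource") == "Webmail"
                    and "password has been changed" in r.get("subject", "").lower()}
    hits = []
    for r in logs:
        if r.get("logSource") != "Http:Web" or r.get("_time") not in change_times:
            continue
        for name, value in parse_qsl(urlsplit(r.get("url", "")).query):
            pair = decode_hash_pair(value)
            if pair:
                hits.append({"_time": r["_time"], "param": name,
                             "old_md5": pair[0], "new_md5": pair[1]})
    return hits
```

Any hit is also a finding in its own right: password hashes sent in a GET URL end up in proxy and web server logs, which is what made the old password recoverable here.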