decrypting base64 encrypted binary hashes
I came across a database while testing the other day which happily contained a table called users with the good old id, username and password fields. What made this a somewhat interesting find was the fact that the passwords appeared to be encrypted as base64.

After I stopped giggling I dumped the database and grabbed the first few hashes in an attempt to quickly script the decryption. The script ran fine although I ended up with a lot of garbled text and no plain text passwords. I decided to try to decrypt these passwords using several online websites when I discovered that they were actually binary files that had been encoded with base64. I began to doubt my sanity and asked myself why anyone would have passwords stored as binary files. I mean, the login page didn’t have a field for username and an upload box for password so what was going on?

I noticed that several of the hashes were the same and I figured that whatever was going on it was going to have something to do with these recurring ones. A Google search later, I ended up on a forum reading that the default password storage procedure for Ahsay Backup was to encrypt the passwords using the following process:
echo -n password | openssl dgst -md5 -binary | base64
This was great as I now knew what they were doing to store the passwords and I could start to piece together how to reverse them.
I started by looking at what an MD5 in binary looked like and figured I'd work my way back from there.

I could see that the binary text contained the text of the hash but it was jumbled around due to the binary (little endian?) architecture. My mind started working out some way to reassemble the hashes using some lame string functions but the answer that I ended up with was way more simple.
XXD!
"XX-What?" was my original thought, but xxd is a magical little tool that outputs the results of binary in plain text for you.
After a quick peek at -help, I found the following command perfect for getting back to MD5 hashes:
echo X03MO1qnZdYdgyfeuILPmQ== | base64 -d | xxd -p
This worked perfectly and I was on my way to decrypting these boys in no time.
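
The same conversion written as a check for a schema or credential-storage review, added here as an example and not part of the original post: it flags stored values that are only base64 over a raw 16-byte MD5 digest and lists digests shared by several accounts. The function names and sample rows are constructed for illustration, and it uses od instead of xxd so that only coreutils is needed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample rows are constructed.

# Decode one stored value. Print 32 hex characters if it decodes to exactly
# 16 bytes (the size of a raw MD5 digest); otherwise print nothing, return 1.
b64_to_md5hex() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "${#hex}" -eq 32 ] || return 1
    printf '%s\n' "$hex"
}

# Read "username:stored_value" lines on stdin. Print "<hex> <username>" for
# MD5-sized values and "INVALID <username>" for anything else.
normalize_dump() {
    while IFS=: read -r user stored; do
        if hex=$(b64_to_md5hex "$stored"); then
            printf '%s %s\n' "$hex" "$user"
        else
            printf 'INVALID %s\n' "$user"
        fi
    done
}

# Digests used by more than one account. With unsalted MD5, equal digests
# mean equal passwords, which is what makes recurring values stand out.
shared_digests() {
    normalize_dump | grep -v '^INVALID' | cut -d' ' -f1 | sort | uniq -d
}

# Constructed sample export: two accounts share a value, one is not a digest.
sample_dump() {
    cat <<'EOF'
alice:X03MO1qnZdYdgyfeuILPmQ==
bob:X03MO1qnZdYdgyfeuILPmQ==
carol:1B2M2Y8AsgTpgAmY7PhCfg==
dave:aGVsbG8=
EOF
}

sample_dump | normalize_dump
echo "shared digests:"
sample_dump | shared_digests
```

Any row that passes the 16-byte check is an unsalted fast hash in a different encoding, so the finding to report is the storage scheme itself rather than the base64 layer.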

Keep on sploiting,
norsec0de