KoreLogic's Password Cracking Contest

Team Hashcat Has Won Crack Me If You Can 2017!

Several teams have completed CMIYC 2017. Here's the top teams and when we received their proof of beating the final challenge, all times US/Eastern:

Team Final Submission
hashcat 2017-09-23 03:17
CynoSure Prime 2017-09-23 08:21
John Users 2017-09-23 12:07
Of course, the contest is still active and you can keep going.

Click here to get started

Challenge 1 gets you started on a path. Follow the path. There are a few tricks along the way. Crack smarter, not faster.

The annual password cracking contest "Crack Me If You Can" returns in 2017 with a visit to DerbyCon! CMIYC is the premier annual password cracking contest usually run at DEFCON. Compete online in a 50 hour password cracking contest against the best password crackers in the world. KoreLogic has changed the rules this year, and this year's challenge is less of a point-war, and more of a string of challenges with the goal being the first time to the end, wins! The contest will be online "forever" so you can play along at a later time, to see how long it takes you to finish.

What: The premier annual password cracking contest sponsored by KoreLogic.

Where: DerbyCon - Louisville KY USA

When: The main contest lasts 50 hours:

Friday Sept 22nd 9AM (EST) - Sunday Sept 24th - 11AM

Who: Any one can play. Teams of people will do best. There is no requirement to have a member present at DerbyCon.

Why: To help push the envelope of password cracking techniques / methodologies and to challenge all password crackers at their skill.

Winning: The first team to complete the final stage is the winner.

A winning team (if applicable) will be announced at closing ceremonies at DerbyCon 2017 at 2pm EST. (It will be live streamed).

Updates: Watch @CrackMeIfYouCan for updates.

Rules: This year's contest will be different than previous years. This year, at 9AM (EST) on Friday, a URL will be announced via Twitter and this web-site. The team's goals are to follow the instructions on that and subsequent URLs The first set of hashes will lead you on a series of steps that will eventually lead to the "final" page. The first team that reaches the final goal and follows the instructions on the final page, wins.

This contest is web-site based. Meaning, the hashes will crack to a list of sites/URLs/hints that will lead you to the next step of the contest. Before you even ask, no, you can't run 'dirbuster' on the website in order to find the correct directories. The contest server makes heavy use of Fail2Ban and it will ban your IPs if you fail too many times; you will just be slowing yourselves down. Don't make us have to disqualify your team.

We took inspiration for this year's contest from the DEFCON 'Badge Challenge' which requires critical thinking and problem solving. Just as with the Badge Challenge, there is no way to know how your other competitors are doing. This is different than previous years, in that there is no scoreboard. No more withholding points. No more PGP! The first team to the end, wins.

We will be tweeting hints, and an informal score card as the contest goes on.

If you are having trouble cracking the hashes... try harder.

Hint 1: sed -e 's%slash%/%gi'

See twitter for more hints!