HTB Titanic - Crack pbkdf2

#!/usr/bin/env python3

import hashlib
import binascii
import sys
import time
import select

def derive_pbkdf2(password: bytes, salt: bytes, rounds: int, length: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        hash_name='sha256',
        password=password,
        salt=salt,
        iterations=rounds,
        dklen=length
    )

# All "pbkdf2$50000$50" users
hashes = [

# Enter in username, passwd_hex, and salt_hex
    {
        "username": "admin",
        "passwd_hex": "86a6137c28fda328c8e6abbcb53e4ac534dc9c010bb40468ce4b8f4bf882c0c1c1d2396d45e7ee16bc592260e74c8bbdd6f2",
        "salt_hex":   "5d3f4c5b71ae98ebdc2520449f6c56f8",
        "iterations": 50000,
        "dklen": 50
    },
    {
        "username": "user1",
        "passwd_hex": "7f2acfe2bdc0afe9cbb54aac932230de2a1032e8bfcd5706308cabd41f75151b51278207c2c6141321655612c1c54ad24fac",
        "salt_hex":   "e9facc6971e7440b5e04f10765e833d1",
        "iterations": 50000,
        "dklen": 50
    }

# Add others as needed...
]

# Convert from hex to bytes
for h in hashes:
    h["passwd_bytes"] = binascii.unhexlify(h["passwd_hex"])
    h["salt_bytes"]   = binascii.unhexlify(h["salt_hex"])
    h["cracked"]      = False

wordlist = "/usr/share/wordlists/rockyou.txt"
time_limit_seconds = 600  # 10 minutes per user

print(f"[+] Will spend up to {time_limit_seconds}s (={time_limit_seconds/60:.1f} min) per hash.")
print("[+] Press 's' + Enter at any time to skip the current hash.\n")

def crack_one_hash(user_hash, wordlist_path, time_limit):
    """
    Attempt to crack a single user's PBKDF2-HMAC-SHA256 within 'time_limit' seconds.
    Returns the plaintext password or None if not found / skipped / timed out.
    """
    user   = user_hash["username"]
    target = user_hash["passwd_bytes"]
    start_time = time.time()

    print(f"[*] Cracking {user} for up to {time_limit} seconds... (Press 's' + Enter to skip)")

    try:
        with open(wordlist_path, "r", encoding="utf-8", errors="ignore") as f:
            for line in f:
                # 1) Check if user wants to skip
                if sys.stdin in select.select([sys.stdin], [], [], 0)[0]:
                    key_press = sys.stdin.read(1)
                    if key_press.lower() == 's':
                        print(f"[-] User pressed 's' to skip {user}. Moving on.\n")
                        return None

                # 2) Check time limit
                if (time.time() - start_time) > time_limit:
                    print(f"[-] Time limit reached for {user}. Moving on.\n")
                    return None

                pwd_str = line.strip()
                if not pwd_str:
                    continue

                pwd_bytes = pwd_str.encode('utf-8')
                derived = derive_pbkdf2(
                    password=pwd_bytes,
                    salt=user_hash["salt_bytes"],
                    rounds=user_hash["iterations"],
                    length=user_hash["dklen"]
                )
                if derived == target:
                    print(f"[!] SUCCESS: {user}'s password is '{pwd_str}'\n")
                    return pwd_str

    except FileNotFoundError:
        print(f"[!] Wordlist not found: {wordlist_path}")
        return None

    # If finished dictionary with no match
    print(f"[!] Dictionary exhausted for {user}, no match.\n")
    return None

# ------------------------------------------------
# Main Loop: process each user sequentially
# ------------------------------------------------
for user_hash in hashes:
    if user_hash["cracked"]:
        continue

    found_pass = crack_one_hash(user_hash, wordlist, time_limit_seconds)
    if found_pass:
        user_hash["cracked"] = True

print("[+] Done. Any user not shown as cracked wasn't found within time or dictionary.")