Password Shucking challange

[drnow4u]

Password Shucking challenge is based on Pre-Hashing Passwords from OWASP Password Storage Cheat Sheet. During migration from weak MD5 password hashing algorithm to strong Bcrypt wrapping approach bcrypt(md5(data:$password)) is implemented. Great description is presented What the Shuck? Layered Hash Shucking be Sam Croley.

@commjoen could you describe more details from Slack?

[commjoen]

Nice reference to further explain shucking is at https://neilmadden.blog/2023/04/27/i-still-dont-really-get-hash-shucking/ .
How can we implement this? The challenge should reference 2 database dumps:

1. with md5 passwords for let's say 20 users
2. with bcrypt(md5(passwords)) for which 1 user reused his password in both db dumps
   Maybe we can put the "table-dumps" in a file, for which the challenge reads the value of "user 5" who is in both tables so we can explain how you can find the old md5 this way (e.g. collission) and then find the actual value of the md5 hashed password.

[commjoen]

Todo;s for this challenge:

• Create a textfile with an imaginary of 20 users with <username, password> where the password is md5 hashed. Add the file to the executables folder in this project.
• Create another textfile with an imaginary dump of 20 users <username, password> where the password is now bcrypt(md5(passwords)) encrypted. make sure that user 5 is the same in both lists
• Create the challenge where people need to find the password of user 5 (follow contributing.md) which does explain the issues above.

[divyanshuagarwal-23]

@commjoen Again Divyanshu here, please assign it to me

[commjoen]

@divyanshuagarwal-23 can you maybe first complete #810 :-)?

[adarsh-a-tw]

@commjoen Would like to work on this if it is not yet assigned.

[commjoen]

It is all yours sir!