does anyone tried to decrypt hashed password from CVE-2024-57727

[bg1]

Hi as title does anyone tried to decrypt the password retrieved from serverconfig from CVE-2024-57727

 

[Guest]

The hashPasswordWithSalt is an interesting method that accepts a salt, but doesn’t actually use it when hashing the password. It converts the password to UnicodeBig (or UTF-16BE) and then adds the password to the digest twice (instead of adding the salt once and the password once) before taking the Base64 encoded SHA-1 digest and prepending the unused salt to it.

source

 

[bg1]

The hashPasswordWithSalt is an interesting method that accepts a salt, but doesn’t actually use it when hashing the password. It converts the password to UnicodeBig (or UTF-16BE) and then adds the password to the digest twice (instead of adding the salt once and the password once) before taking the Base64 encoded SHA-1 digest and prepending the unused salt to it.

source

thanks still need to be bruted to get the clear password

 

[Guest]

thanks still need to be bruted to get the clear password

If you read the article I mentioned, which I'm assuming you didn't, there is a brute script that supports such a hash.

 

[bg1]

If you read the article I mentioned, which I'm assuming you didn't, there is a brute script that supports such a hash.

wrong , i create account and readed the thread , but i think you miss understand me , i said still need to be bruted to get the clear password , i was locking for decryption because i readed also the master key is hardcoded thats it