Pokemon

Prompt

Our analysts have obtained password dumps storing hacker passwords. After obtaining a few plaintext passwords, it appears that they are based on Pokémon.

Walk-Through

The questions can be solved using hashcat with a wordlist of Pokémon. The walkthrough for this challenge will explain how to create a wordlist.

Refer to the walkthrough for the Rockyou challenge for more introductory information and resources on cracking passwords.

Guide

First, add all of the hashes for this challenge to a text document and save it as hash.txt. Next, use command-line or online tools to identify the type of the given hashes.

The most important part of this challenge is creating a wordlist. There are over a thousand Pokémon, so it’s not feasible for us to type them out and list them individually. The first step to creating a wordlist of Pokémon is to find a comprehensive list of Pokémon. There are a variety of web sources, look for pages that contain all of the Pokémon on one page. You may even be able to find text files or repositories that have a formatted list.

If you can’t find a text file with just the names, you can use the developer tools on the webpage to be able to determine where exactly you want to get the information from. This will be helpful to craft a command that ONLY collects the words you want for the wordlist.

Shown is part of the developer tools Element tab for the website: https://bulbapedia.bulbagarden.net/wiki/List_of_Pokémon_by_National_Pokédex_number. Each Pokémon is displayed as a clickable link, and the text of that link is the Pokémon’s name. The red arrow indicates the information that we want to use from the website to create out wordlist.

To create a wordlist from a website you can use curl. curl is a general-purpose tool for making HTTP requests. For this challenge, we’ll use curl to fetch the webpage where the list of Pokémon is at, and then we’ll use grep and sed to extract the exact data we want.

curl -s -A "Mozilla/5.0" \
  https://bulbapedia.bulbagarden.net/wiki/List_of_Pokémon_by_National_Pokédex_number \
  | grep 'href="/wiki/.*(Pok' \
  | sed 's/.*">//; s/<\/a.*//;' \
  | sort -u \
  > pokemon.txt

Here is a breakdown of the command:

curl -s -A "Mozilla/5.0" : Requests the raw HTML webpage specified in silent mode (without progress bars), and pretends to be a normal browser so content is not blocked by the website

grep 'href="/wiki/.*(Pok' : Each Pokémon is on a line that starts with this, grep finds each line

sed 's/.*">//; s/<\/a.*//;' : sed removes everything from the line except the visible link text

sort -u : removes duplicates

Output is sent to a file named pokemon.txt

Additional formatting can be applied to the wordlist, or hashcat rules can be used to transform entries of the wordlist to upper/lower case.

Solution

Use this command to crack the hashes:

hashcat hash.txt -m 0 -a 0 pokemon.txt

hash.txt : the file location + file name that has the hashes hashcat will try to crack

-m 0 : uses hash-mode 0 — indicates the hashes are MD5 hashes

-a 0 : use a dictionary attack (this requires a wordlist to be specified)

pokemon.txt : the file location +name of the wordlist

⚠️
MD5 hashing is case-sensitive since it operates on raw bytes. You may need to adjust the casing of your wordlist or use additional hashcat rules to brute force the casing.

There are a couple ways to modify the wordlist. One is while using the hashcat command. This command will convert all capital letters in the pokemon.txt file to lowercase:

tr 'A-Z' 'a-z' < pokemon.txt | hashcat hash.txt -m 0 -a 0

Partial output of
Partial output of hashcat command. Cracked passwords have been redacted.

Questions

a532443f3e04a9e00295a8cd2a75e080

54c10b9736b70e75c6e505f340b6e2f1

b8a24794813a47521b4be55747e0665a

83b020b0a7b3c353e1c11b1647b53cda

999cae1e22fe69d89d6f56e3050f18cb

©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.