Prompt
We have obtained /etc/shadow from a Kali Linux machine. Help us obtain the password; we think this might be using a password from the rockyou wordlist.
Walk-Through
This challenge involves understanding the parts of a Kali Linux password hash produced by the yescrypt password hashing function, and it requires players to crack that hash. At the time of writing, yescrypt is not implemented natively by either john or hashcat.
If you are running john on a system whose libcrypt supports yescrypt (such as Kali Linux, which uses yescrypt for its own local accounts), it is still possible to crack yescrypt with the --format=crypt option, which makes john call the system's crypt(3) function for each candidate password instead of one of its built-in formats.
Guide
To better understand the parts of the hash, let's break down an example of the second field of a shadow entry (the field after the first colon ( : )) for a user who has a password set in /etc/shadow.
Example Hash:
$y$j9T$sZPOHCdOIBvfkKhVJRSp7.$oCNH1mJKQWFWM9HNjkjz3nFWuGPHF2RRG7j7eChfGw9
$y$ - Identifies this hash as yescrypt
j9T - Encoded cost parameters
sZPOHCdOIBvfkKhVJRSp7. - Salt (22 characters)
oCNH1mJKQWFWM9HNjkjz3nFWuGPHF2RRG7j7eChfGw9 - Hash digest (43 characters)
yescrypt's encoding alphabet is the traditional crypt(3) alphabet: the digits 0-9, upper- and lowercase letters, and only two symbols, the period ( . ) and the forward slash ( / ).
The $ symbol is used as a delimiter between the sections of the hash (prefix, parameters, salt, digest) and never appears inside them.
The colon ( : ) separates the fields of the shadow entry.
Solution
To find the username of the account with a password, look for the only entry whose second field holds an actual hash. Locked or passwordless system accounts have a short marker such as * or ! (or nothing at all) in that field; the account you want has a value similar in length and form to the example shown above.
To find the date the user's password was last changed, use the third field of that same entry. It records the last password change as a number of days since Jan 1, 1970 (the Unix epoch), so multiply it by 86400 to get a Unix timestamp, or use an online tool (e.g. Epoch Converter) to turn it into a date. The specific time is not required.
Follow the crypt format shown above to determine which section of the hashed password is the salt: it is bounded by a $ on each side and comes after the parameters and before the digest. The hash digest is the final section, after the salt.
To solve for the plaintext of the password, take the ENTIRE hash field together with the username (<username>:$y$j9T$<salt>$<hash>) and save it to a file titled passwords.txt.
Run the following command:
john --format=crypt passwords.txt
Without --wordlist, john runs its default modes in order (single-crack, then its built-in password.lst, then incremental), which finishes quickly when the password is a common one. Adding --wordlist=/usr/share/wordlists/rockyou.txt will still work, but yescrypt is deliberately slow to compute and rockyou has over 14 million candidates, so it will take much longer. Once a password has been found, john --show --format=crypt passwords.txt prints it.
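The parsing steps above (everything except running john), as an added Python example that is not part of the original walkthrough. The shadow lines it works on are constructed: the hash is the guide's example hash, while the account name "ncluser" and the epoch-day values are made up. It finds the one account with a real hash, converts the last-change field to a calendar date, and splits the yescrypt string into prefix, parameters, salt and digest, checking each part against the crypt alphabet.

```python
"""Pick apart /etc/shadow entries and a yescrypt ($y$) hash field.

Added example for this walkthrough; it is not part of the original page
and does not crack anything (john does that). The sample shadow lines
are constructed: the hash is the guide's example, while "ncluser" and
the epoch-day values are made up.
"""
import re
from datetime import date, timedelta

SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:!:19000:0:99999:7:::
ncluser:$y$j9T$sZPOHCdOIBvfkKhVJRSp7.$oCNH1mJKQWFWM9HNjkjz3nFWuGPHF2RRG7j7eChfGw9:19723:0:99999:7:::
"""

# yescrypt strings use the crypt(3) "itoa64" alphabet: . / 0-9 A-Z a-z,
# with $ as the delimiter between prefix, parameters, salt and digest.
YESCRYPT_RE = re.compile(
    r"^\$y\$(?P<params>[./0-9A-Za-z]+)\$(?P<salt>[./0-9A-Za-z]+)\$(?P<digest>[./0-9A-Za-z]+)$"
)


def parse_shadow(text):
    """Split each shadow line on ':' and keep the fields this challenge asks about."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:  # shadow(5) defines nine colon-separated fields
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append({"user": fields[0], "hash": fields[1], "lastchg": fields[2]})
    return entries


def has_password(entry):
    """True only if field 2 holds a real hash: not empty and not a lock marker (*, !, !!, !*)."""
    h = entry["hash"]
    return bool(h) and not h.startswith(("*", "!"))


def accounts_with_password(entries):
    """Usernames of every entry that carries a real hash."""
    return [e["user"] for e in entries if has_password(e)]


def lastchg_date(entry):
    """Field 3 counts days since 1970-01-01; convert it to a calendar date."""
    if not entry["lastchg"]:
        return None  # empty field: no last-change date was recorded
    return date(1970, 1, 1) + timedelta(days=int(entry["lastchg"]))


def split_yescrypt(hash_field):
    """Return the params, salt and digest of a $y$ hash, or raise if it is not one."""
    m = YESCRYPT_RE.fullmatch(hash_field)
    if not m:
        raise ValueError("not a yescrypt ($y$) hash: " + hash_field)
    return m.groupdict()


def john_input_line(entry):
    """The 'user:hash' line to put into passwords.txt for john --format=crypt."""
    return f"{entry['user']}:{entry['hash']}"


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for user in accounts_with_password(entries):
        entry = next(e for e in entries if e["user"] == user)
        parts = split_yescrypt(entry["hash"])
        print("user:", user)
        print("last changed:", lastchg_date(entry))
        print("params:", parts["params"])
        print(f"salt ({len(parts['salt'])} chars):", parts["salt"])
        print(f"digest ({len(parts['digest'])} chars):", parts["digest"])
        print("john line:", john_input_line(entry))
```

Run it against a real /etc/shadow by reading the file into parse_shadow instead of SAMPLE_SHADOW (root is needed to read it). The regex rejects anything that is not a $y$ string, so an entry hashed with $6$ (sha512crypt) or a lock marker fails loudly rather than being silently mis-split.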
Useful resources for this challenge:
Questions
1. What is the username of the only user account with a password?
2. On what date was the user's password last changed?
3. What is the salt used to secure the user's password?
4. What is the hash digest of the user's password?
5. What is the plaintext password of the user's password?
©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.