Crack Me If You Can Contest

Back to Top

Submitting results

Once you have cracked some passwords or encrypted files, submit them to us in a PGP signed & encrypted email.

Password hashes

Every time you submit cracked passwords, send us all the plaintexts you have cracked so far, each on one line by itself. Don't include anything else on the lines, such as 'username:plaintext' or 'hash:plaintext'; submit just 'plaintext'. Remember to include every crack, not just whatever new cracks you got since last submission. We will verify them, and update the stats page. If you send us junk that's not correct plaintexts, we will assume you are spewing /dev/random at us and shun all future mail from you.

Encode in UTF-8

This year's twist is... not all plainttexts are pure ASCII. Non-ASCII-printable characters are all encoded in UTF-8, and you must submit any non-ASCII-printable plaintexts encoded as UTF-8. If you notice you are not getting enough points, you are most likely not making sure that you are submitting cracks in UTF-8 format.

If your cracking tools cannot be told "output in UTF-8", then there are various scripts/programs that might be helpful:

The 'iconv' tool on Linux/UNIX: GNU Documentation
The 'fix_latin' perl script and 'Encoding::FixLatin' module: CPAN link

(Actually, our submission handler attempts to fix up non-encoded "latin1" non-printable-ascii by converting to UTF8 on the fly - but that can be an ambiguous and lossy process, so you should not depend on that, you should figure out how to convert properly before uploading.)

But not broken UTF-8

We have seen that some teams' submissions include control characters: ^C, tab, bell, etc, in either ASCII or their UTF-8 equivalents.

There are ZERO control characters in our plaintexts. So if your encoded plaintexts include them, most likely your conversion process is doing something wrong - and it might be silently mangling others of your plaintexts, too.

If you think your cracks are being under-counted by the scoreboards, check to see if you have:

any bad ASCII control characters (anything in \x00-\x1f other than \x0a (\n) and \x0d (\r))
any UTF8 control characters (two-byte sequences in the range \xc2\x80 - \xc2\x9f)

You can search for these bad values in your output using, for example:

grep -P "[\x0-\x09\x0b\x0c\x0e\x0f\x7f]"
grep -P "\xC2[\x80-\x9F]"

If you get any hits, something is wrong, and your submissions probably will not get as many cracks as you think.

Submit often

Try not to go too long between submitting updates. One every two hours or so is preferred. We want the stats pages to accurately reflect the progress of the different teams. Besides, a big jump in cracks/points after a long silence could mean that a team has stolen cracks from another team. Of course if you sleep a few hours and miss a couple checkins we will forgive you. But if you go more than 12 hours without an update, we will assume you gave up or died of alchohol poisoning.

But not too often

Do not flood us with submissions. We will assume you are trying to DoS us. We will ignore submissions from a team sent faster than once per five minutes. Sending us more than one per minute may disqualify your team.

Submission feedback

There isn't any. Whether your submission succeeds or fails, you will not get any response from the submission handler. Within 5-10 minutes, the stats page should update to reflect your new totals (unless something caused your submission to be rejected by the handler). We will try to contact teams whose submissions we see fail, but no guarantees if or when we will have time to do so.

Example submission

Here is what a submission process might look like.

$ cat cracked
plaintext1
plaintext2
plaintext3

$ gpg -a -o submission-email.pgp.asc -r sub-2015@contest.korelogic.com \
                                                             -se cracked
$ mail -s "cracked" sub-2015@contest.korelogic.com \
					< submission-email.pgp.asc

Or attach the file keysub-email.pgp.asc to an empty email to sub-2015@contest.korelogic.com, such as if you are using Gmail.

Don't forget to use --default-key 0xDEADBEEF if you created a dedicated PGP key just for this event.