Rainbow Table Hash Chain
Can you use a rainbow table to recover a password?
A recovered password database contains the password hash

    27ce84a6075b583086d9fc0c856f1da5d9a853507faffd7d70833c1b7accb156

Fortunately the administrator was nice enough not to use salt, and the password corresponding to this password hash is contained in a rainbow table, specifically in this hash chain:

    bambino : hunter42

where bambino and hunter42 correspond to the beginning and end of the hash chain respectively, and the hash chain length is 200. The hash function used was:
    function : password_hash(pw):
        val = ""
        repeat 50,000 times:
            val = sha256hash(val | pw)  // where | denotes concatenation
        return hex(val)

This rainbow table was generated from the rockyou password list. The reverse function is this algorithm:

    function : reverse(password_hash, column_number):
        num_val = int(password_hash)
        line_number = (num_val + column_number) modulo line_count('rockyou.txt')
        password = get_line_from_file('rockyou.txt', line_number)
        return password
Where column number corresponds to the (zero-based) index of the reverse function in the chain, and get_line_from_file outputs the password on the (zero-based) line of the file. So get_line_from_file('rockyou.txt', 14344108) -> ' \x93R3CKL3$$\x94'.
Recover the password corresponding to the recovered hash.
Test Vector
Generating a hash chain starting from loveu2:

    pw = 'loveu2'
    pw_hash = c664f66b0f9cf5a777280bc0019a98d7e3b96aa894ec83d5c2d9aa14170fdda6
    reverse(hash_val, column=0) = zine73
    pw = 'zine73'
    pw_hash = c7ce2a8c0ab1ac71ef9adeb6310aca5a655e5082bf95770dcb71417a35d2ed8f
    reverse(hash_val, column=1) = blueraccoon
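The chain replay described above, as an added example that is not part of the original challenge; it also shows why the missing salt matters, since a salted hash of the same password is no longer covered by the chain. Assumptions: WORDLIST is a constructed ten-entry stand-in for rockyou.txt, ROUNDS is reduced from 50,000, val is carried as raw digest bytes, int(password_hash) parses the hex digest as base 16, and the salt parameter is hypothetical.

```python
import hashlib

# Constructed ten-entry stand-in for rockyou.txt (one password per line).
WORDLIST = ["bambino", "hunter42", "loveu2", "zine73", "blueraccoon",
            "dragon", "letmein", "qwerty", "sunshine", "monkey"]
ROUNDS = 50  # the page specifies 50,000; reduced so the demo is instant

def password_hash(pw, salt=b"", rounds=ROUNDS):
    """Iterated SHA-256 of (val | pw). Assumption: val is the raw digest
    between rounds. `salt` is hypothetical; the page's function has none."""
    val = b""
    for _ in range(rounds):
        val = hashlib.sha256(val + salt + pw.encode()).digest()
    return val.hex()

def reverse(hash_hex, column, words=WORDLIST):
    """Reduction step. Assumption: int(password_hash) parses the hex digest."""
    return words[(int(hash_hex, 16) + column) % len(words)]

def chain(start, length, words=WORDLIST):
    """Passwords visited by a chain: start, then `length` hash/reduce steps."""
    pws = [start]
    for column in range(length):
        pws.append(reverse(password_hash(pws[-1]), column, words))
    return pws

def lookup(target_hash, start, end, length, words=WORDLIST):
    """Replay a stored (start, end) chain and return the password whose
    hash equals target_hash, or None if the chain does not cover it."""
    pws = chain(start, length, words)
    if pws[-1] != end:
        raise ValueError("replayed chain does not reach the stored endpoint")
    for pw in pws[:-1]:  # the endpoint itself is never hashed in the chain
        if password_hash(pw) == target_hash:
            return pw
    return None

if __name__ == "__main__":
    visited = chain("bambino", 5)
    start, end, secret = visited[0], visited[-1], visited[3]
    print("chain:", " -> ".join(visited))
    print("unsalted:", lookup(password_hash(secret), start, end, 5))
    print("salted:  ", lookup(password_hash(secret, salt=b"s4lt"), start, end, 5))
```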