Rating:

1. Carefully implement the hash function. Luckily, there's an example encoding to verify it works: `hash("RITSEC_CTF_2021") should be "3ba50807aa02"`.
2. Since this hash function transforms any string into 48bit hash, it's highly doubted that reverse engineering would give us any benifits. Instead, let's use wordlist to find a string that gives us the expected hash:
```
% cat hashcracker.py
import sys

def hash(s: bytes):
current = bytearray("RITSEC", "utf8")
for byte in s:
for r in range(13):
next = bytearray(6)
next[1] = current[0]
next[2] = (current[3] << 2) & 0xFF
next[3] = (current[1] >> 5) & 0xFF
next[4] = (current[0] + current[5]) & 0xFF
next[5] = current[3]

step1 = (current[2] ^ current[4]) & current[5]
step2 = (step1 + current[1]) & 0xFF
step3 = (step2 + next[2]) & 0xFF
next[0] = (byte + r + step3) & 0xFF

current = next
return bytes(current).hex()

if __name__ == '__main__':
assert hash(b"RITSEC_CTF_2021") == "3ba50807aa02"

with open(sys.argv[1], 'rb') as fin:
for line in fin:
if hash(line.strip()) == sys.argv[2]:
print('String with hash `{}` is `{}`'.format(sys.argv[2].strip(), line.strip().decode()))
break
else:
print('Not found. Try other wordlist.')

% python3 hashcracker.py rockyou.txt 435818055906
String with hash `435818055906` is `invaderzim`
```

NB: `rockyou.txt` is a file path to [rockyou.txt wordlist](https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt)

3. Success! The flag is `RS{invaderzim}`