Hi,
Great.

You can obtain a common English words list e.g. from one of these URLs:

https://www.ef.edu/english-resources/english-vocabulary/top-100-words/
https://www.ef.edu/english-resources/english-vocabulary/top-1000-words/
https://www.ef.edu/english-resources/english-vocabulary/top-3000-words/
https://github.com/first20hours/google-10000-english/blob/master/google-10000-english.txt

You'll need to copy-paste just the list of words to a text file, or in
the case of the GitHub URL you can click on "Raw".

You can also use lower.gz from:

http://download.openwall.net/pub/wordlists/languages/English/1-tiny/

If so, "gzip -d" it first. But it's probably unnecessarily long, and
isn't as focused on the top words as the above lists are.

Then you can use a combination of PRINCE and mask modes like this:

./john --prince=top-1000-words.txt --prince-elem-cnt-min=2 --prince-elem-cnt-max=2 --mask='ABC12?w' --min-length=10 --max-length=20 hashfile

This may produce a handful of duplicates, which you can filter out if
you like (makes sense if each guess takes a long time to test):

./john --prince=top-1000-words.txt --prince-elem-cnt-min=2 --prince-elem-cnt-max=2 --mask='ABC12?w' --min-length=10 --max-length=20 --stdout | ./unique to-test.txt
./john -w=to-test.txt hashfile

where "unique" is a symlink or program located in JtR's run directory.

Alternatively, the old-fashioned way to do it (prior to us getting
PRINCE, kindly contributed by atom of Hashcat) was to use Perl scripts
such as those I attached here, e.g.:

./double.pl top-1000-words.txt > top1000x2.txt

Similarly to the above, you can optionally filter out the few duplicates
that might appear in the combined list with:

rm top1000x2.txt
./double.pl top-1000-words.txt | ./unique top1000x2.txt

Then use JtR e.g. like this:

./john -w=top1000x2.txt --mask='ABC12?w' hashfile

With the mix.pl script, you can use two different input lists e.g. if
you know that one of the words is more common than the other.

The scripts also let you specify a word separator easily (e.g., there's
a commented-out line for separating the two words with a space).
This mask is wrong, and even if you corrected it e.g. to:

./john --mask='ABC12?l' --min-length=10 --max-length=20 hashfile

it'd take far too long to complete unless your password's length happens
to be close to the minimum. Feel free to give this a try while you're
preparing the wordlist, though - you might get lucky.

There's no need to run a session per length - the mask automatically
expands to higher lengths as specified by the options.

Just to provide yet another option (more efficient than mask mode alone,
but less efficient than a focused wordlist), you can combine incremental
and mask modes:

./john --incremental=lower --mask='ABC12?w' --min-length=10 --max-length=20 hashfile

Unlike mask mode alone, this will consider character triplet
frequencies, but unlike the wordlist it won't focus on whole words.

If you're unsure the minimum length is 10, just omit "--min-length=10"
in all of these commands. This is probably a good idea since testing of
shorter passwords is relatively quick anyway.

I hope this helps.

Alexander