HTB Academy - Cracking Passwords with Hashcat

HTB Content Academy
1

Hello all,
Hopefully this is an easy one for someone to assist me with. I am on the “Cracking Miscellaneous Files & Hashes” section of the Cracking Passwords with Hashcat module and am tasked with cracking the password for the password protected 7z file. The hint says to use 7z2john from /opt. I have tried to figure out the syntax for that tool, but there is nothing online, nor any help info for that file. Can someone provide me a hint on the syntax to extract the hash of a 7z file using 7z2john?

Thank you.

2

First I create a test file:

└──╼ $ head -c 2000 /dev/random > secret.db

└──╼ $ 7z a -prockyou zipfile.7z secret.db

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs AMD Ryzen 5 5600G with Radeon Graphics          (A50F00),ASM,AES-NI)

Scanning the drive:
1 file, 2000 bytes (2 KiB)

Creating archive: zipfile.7z

Items to compress: 1
    
Files read from disk: 1
Archive size: 2154 bytes (3 KiB)
Everything is Ok

The test file is small to not reach the 8K limit of the hashcat program hash 8K limit

The password is chosen from the rockyou word list to find it in this list.

Hashcat needs a parameter with the hash mode.
The mode for the 7-Zip file is in the hashcat documentation
hascat modes

The mode listed for 7-Zip is: 11600

It is useful to compare the hash with an example to find bugs.
Examples of the hash are on web page: example hashes

Use the 7z2john tool to extract the hash.

└──╼ $ /usr/share/john/7z2john.pl zipfile.7z > zipfile.johnhash

The output format does not match the example.
The filename is added.

└──╼ $ head -c 50 zipfile.johnhash
zipfile.7z:$7z$2$19$0$$8$fd51eb22adc1e803000000000

Strip the first field with the file name.

└──╼ $ cut -d: -f2 zipfile.johnhash > zipfile.hash

Now the hash is prepared and can be cracked with hashcat.

└──╼ $ hashcat -m 11600 zipfile.hash /usr/share/wordlist/rockyou.txt
3

Thank you so much for the detailed response. Your instructions were spot on, however I did have to do a couple of extra things for them to work:

  1. At the step where you use 7z2john to extract the hash and output to zipfile.johnhash
    ++ I received an error “Can’t locate Compress/Raw/Lzma.pm in @INC…”
    ++I had to run the command “sudo cpan IO::Compress::Lzma” and approve the prompt to auto configure
  2. Because I am using the Pwnbox from the HTB Academy I used the Pwnbox path to rockyou.txt
    ++ /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
    ++I also had to run the hashcat command for cracking the hash with sudo because Pwnbox likes to clamp down on permissions.

Again, thank you so much.

4

For those struggling with the Cracking Common Hashes section question * Crack the following hash: 7106812752615cdfe427e01b98cd4083*

The hint says to use hashid to identify the hash. That’s misleading because it says it’s an MD5 hash first, and other resources also identify it as an MD5 hash. It’s actually NTLM.

1 Like
5

Thank you for this. I got an error when installing Compress::Raw::Lzma on the PwnBox. These are the additional steps I followed to get it to work.

Run sudo apt update

Run sudo apt install cpanminus

Run sudo cpanm Compress::Raw::Lzma ← This is where I get an error.

Navigate to `/root/.cpan/… where the perl module is

Run perl Makefile.PL

Run make

Run sudo make install

You might get a message that the lzma.h header file is missing. If so then:

Run sudo apt-get install liblzma-dev

Then finally

make
sudo make install

Then I followed the steps above and it worked.

I had also installed 7z2john.pl from source for good measure.

6

I tried “hashcat -a 7 -m 1000
7106812752615cdfe427e01b98cd4083 ?d?s /usr/share/wordlists/rockyou.txt” and it’s still not working.

8

Hi. Don’t know if you’re still stuck on this, but try other rules. The hint of the exercise talks about Hashcat built-in rule sets. Try a few of them. Worked for me.

9

I had to clone the repo and install from there to get things working

sudo apt install liblzma-dev
git clone https://github.com/pmqs/Compress-Raw-Lzma.git
cd Compress-Raw-Lzma/
make
sudo make install
11

hi, xtal.

I have a problem with this section. i made step by step your checklist but when i used "
hashcat -m 11600 zipfile.hash /usr/share/wordlist/rockyou.txt". my kali linux pc show me the following error:

Hashfile ‘zipfile.johnhash’ on line 1 (hashca…c3063744d081db1492ea1cdef7a9b983): Signature unmatched
No hashes loaded.

Started: Tue Jan 7 08:28:44 2025
Stopped: Tue Jan 7 08:28:44 2025

please, can you help me?

12

Hi Reyjem,

The data format in the file zipfile.johnhash is not accepted by the hashcat program.
You need to use the zipfile.hash file as input to the hashcat program.

You previously created the zipfile.hash file by cutting the filename part out of the zipfile.johnhash file.

The command in your post is correct. However, the hashcat error message in your post indicates that you used the wrong file name in your terminal.

Kind regards
xtal

14

hi, xtal

i used the following sentence:
1.- 7z2john hashcat.7z > text.hash
2.- I checked the hash → cat text.hash
3.- hashcat -m 11600 text.hash /usr/share/wordlists/rockyou.txt

results:
"
Hashfile ‘text.hash’ on line 1 (hashca…c3063744d081db1492ea1cdef7a9b983): Signature unmatched
No hashes loaded.
"
the same error

15

The output of the tool 7z2john is prepared for the password cracker John the Ripper. The format is not correct for the hashcat. The output starts with the filename. This part disturbs hashcat. You need to remove the part before the colon :. For example, cut only the second part of the file.

cut -d: -f2 text.hash > text_hashcat_format.hash

Now the hash in the file text_hashcat_format.hash has the correct format for hashcat.

16

thanks xtal, I checked the file and at the beginning it had “:”, so I deleted it and continued with the process successfully.