HTB Academy - Cracking Passwords with Hashcat

HTB Content Academy
1

Hello all,
Hopefully this is an easy one for someone to assist me with. I am on the “Cracking Miscellaneous Files & Hashes” section of the Cracking Passwords with Hashcat module and am tasked with cracking the password for the password protected 7z file. The hint says to use 7z2john from /opt. I have tried to figure out the syntax for that tool, but there is nothing online, nor any help info for that file. Can someone provide me a hint on the syntax to extract the hash of a 7z file using 7z2john?

Thank you.

2

First I create a test file:

└──╼ $ head -c 2000 /dev/random > secret.db

└──╼ $ 7z a -prockyou zipfile.7z secret.db

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs AMD Ryzen 5 5600G with Radeon Graphics          (A50F00),ASM,AES-NI)

Scanning the drive:
1 file, 2000 bytes (2 KiB)

Creating archive: zipfile.7z

Items to compress: 1
    
Files read from disk: 1
Archive size: 2154 bytes (3 KiB)
Everything is Ok

The test file is small to not reach the 8K limit of the hashcat program hash 8K limit

The password is chosen from the rockyou word list to find it in this list.

Hashcat needs a parameter with the hash mode.
The mode for the 7-Zip file is in the hashcat documentation
hascat modes

The mode listed for 7-Zip is: 11600

It is useful to compare the hash with an example to find bugs.
Examples of the hash are on web page: example hashes

Use the 7z2john tool to extract the hash.

└──╼ $ /usr/share/john/7z2john.pl zipfile.7z > zipfile.johnhash

The output format does not match the example.
The filename is added.

└──╼ $ head -c 50 zipfile.johnhash
zipfile.7z:$7z$2$19$0$$8$fd51eb22adc1e803000000000

Strip the first field with the file name.

└──╼ $ cut -d: -f2 zipfile.johnhash > zipfile.hash

Now the hash is prepared and can be cracked with hashcat.

└──╼ $ hashcat -m 11600 zipfile.hash /usr/share/wordlist/rockyou.txt
3

Thank you so much for the detailed response. Your instructions were spot on, however I did have to do a couple of extra things for them to work:

  1. At the step where you use 7z2john to extract the hash and output to zipfile.johnhash
    ++ I received an error “Can’t locate Compress/Raw/Lzma.pm in @INC…”
    ++I had to run the command “sudo cpan IO::Compress::Lzma” and approve the prompt to auto configure
  2. Because I am using the Pwnbox from the HTB Academy I used the Pwnbox path to rockyou.txt
    ++ /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
    ++I also had to run the hashcat command for cracking the hash with sudo because Pwnbox likes to clamp down on permissions.

Again, thank you so much.

4

For those struggling with the Cracking Common Hashes section question * Crack the following hash: 7106812752615cdfe427e01b98cd4083*

The hint says to use hashid to identify the hash. That’s misleading because it says it’s an MD5 hash first, and other resources also identify it as an MD5 hash. It’s actually NTLM.

1 Like
5

Thank you for this. I got an error when installing Compress::Raw::Lzma on the PwnBox. These are the additional steps I followed to get it to work.

Run sudo apt update

Run sudo apt install cpanminus

Run sudo cpanm Compress::Raw::Lzma ← This is where I get an error.

Navigate to `/root/.cpan/… where the perl module is

Run perl Makefile.PL

Run make

Run sudo make install

You might get a message that the lzma.h header file is missing. If so then:

Run sudo apt-get install liblzma-dev

Then finally

make
sudo make install

Then I followed the steps above and it worked.

I had also installed 7z2john.pl from source for good measure.

6

I tried “hashcat -a 7 -m 1000
7106812752615cdfe427e01b98cd4083 ?d?s /usr/share/wordlists/rockyou.txt” and it’s still not working.

8

Hi. Don’t know if you’re still stuck on this, but try other rules. The hint of the exercise talks about Hashcat built-in rule sets. Try a few of them. Worked for me.

9

I had to clone the repo and install from there to get things working

sudo apt install liblzma-dev
git clone https://github.com/pmqs/Compress-Raw-Lzma.git
cd Compress-Raw-Lzma/
make
sudo make install