@Prim1Tive said:
I'm stuck and I don't know if I'm on the right track.
I found a******.**p; is creating a low priv user part of the CTF itself?
That is a good place to start.
I'm stuck in w** user, I have the hash of m*** user, but no idea how to crack it. Can someone give some tips plz?
Edit: stuck at privesc now
Edit²: Rooted. It was a very funny machine that brought me some new knowledge. Thanks to everyone for the tips, especially @sharkmoos.
That was a super fun box, very much enjoyed it!
I'll try and give a couple hints that differ from what's been hinted at
foothold: enumerate enumerate enumerate (ok, so that's not really a new hint, but whatever)
user: don't freak out if you see something weird, just treat it like you would anything else
root: How do you know where something lives?
So I'm on the a*******.**p page and I believe I need to become a "postman" here. Do I have the right idea? Because this does not seem to work. I may also be making a silly mistake.
EDIT: Turns out I was actually making a silly mistake.
@ExCommunicado said:
So I'm on the a*******.**p page and I believe I need to become a "postman" here. Do I have the right idea? Because this does not seem to work. I may also be making a silly mistake.
Make sure you are adding what type of content it is (and using the correct one)
#Rooted
PM after you've tried all
Well rocking the hash doesn't work and my method is fine because my own user's (known) hash cracks instantly so the format and everything is correct. Do I need to go digging in the Seclists to find that special wordlist that the creator had in mind?
@tang0 said:
Well rocking the hash doesn't work and my method is fine because my own user's (known) hash cracks instantly so the format and everything is correct. Do I need to go digging in the Seclists to find that special wordlist that the creator had in mind?
Like most of the hash cracking on HTB, one list rules most of them.
@tang0 said:
Well rocking the hash doesn't work and my method is fine because my own user's (known) hash cracks instantly so the format and everything is correct. Do I need to go digging in the Seclists to find that special wordlist that the creator had in mind?
rockyou works fine for me
Ok so rockyou didn't work with john but it worked with hashcat. Did anyone else face the same issue? If yes, what might be the reason?
Rooted, funny. It's hard not to lose your own path on the rocky roads :D
Rooted. Back to basics on this box.
root@previse# id
uid=0(root) gid=0(root) groups=0(root)
This is a good box, except for the thing with the hash. Time-wise, the hash was a bit too difficult for my liking. In the end, it took me 16 minutes - out of the estimated total 25 min for the entire rockyou.txt wordlist - using john inside of my VM.
I liked the final privesc step, as I could see myself making the same exact mistake years ago when it came to that one particular command.
@NetIceGear said:
This is a good box, except for the thing with the hash. Time-wise, the hash was a bit too difficult for my liking. In the end, it took me 16 minutes - out of the estimated total 25 min for the entire rockyou.txt wordlist - using john inside of my VM.
I think it's something with your setup, or maybe john, it took me a few seconds with hashcat
This was fun! Really solid easy machine that keeps it simple without seeming like things were intentionally misconfigured. I think this is one of the more realistic-feeling machines on HackTheBox.
There are potentially some unicode issues depending on your environment, so google around a little to resolve them.
Spoiler Removed
@tang0 said:
Ok so rockyou didn't work with john but it worked with hashcat. Did anyone else face the same issue? If yes, what might be the reason?
I had the opposite.
hashcat did not work but john did - when I gave john the correct format argument.
Oddly hashcat did get my user's hash but not the one that I did not know already.
I think I know why though - my user's pwd was only a few characters…
With john you need to format it for md5 long… (it'll even "warn" you when you start without any format)… after that it'll work with rockyou just as fine as hashcat…
And I'll need to review my setup then… it took a ■■■■ 53 minutes to crack it!!! Several people saying that it just took a few minutes/seconds with them… wtf?! =/
Session…: hashcat
Status…: Cracked
Time.Started…: Sun Aug 8 15:59:35 2021 (53 mins, 34 secs)
I also had a lot of issues cracking the password.
I've tried both with john and hashcat.
I had foothold in 5 min, and lost 2 hours trying to get lateral movement. After I tried cracking the hash with both john and hashcat I started looking for other lateral movement paths, until I got really stuck and asked for a sanity check, when someone confirmed to me that the hash was crackable… so I ran hashcat again… and again… and only on the 3rd or 4th time it cracked. I don't know why, but apparently a lot of people are having trouble cracking this hash.
After that it took me 4 minutes to root…
Could have gotten first blood or at least top 25, but… oh well… So if you find the hash, don't give up on first Exhausted
Rooted! If you can't crack the hash try using --format with john, that worked for me.