PASSWORD ATTACK | ACADEMY - Credential Hunting in Linux

MekkX · November 22, 2022, 4:33pm

Hi everyone, I have been stuck now for a few hours in the “password attacks” academy in the “Credential Hunting in Linux” section. The question asks “Examine the target and find out the password of user Will. Then, submit the password as a response.”
In the hints it says: "
Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user “Kira”, who in most cases had SSH access to other systems with the password “LoveYou1”. We have already provided a prepared list of passwords in the “Resources” section for simplicity’s purpose."
I have tried connecting in ssh with Kira and LoveYou1 credentials but it doesn’t work, I also tried on SMB but nothing.
If I use the user and psw provided to me in the resources and try to bruteforce both ssh and smb it returns nothing. Or rather it finds me multiple passwords corresponding to 2 users that don’t work anyway (with msfconsole)…I don’t know what to do

19delta4u · December 3, 2022, 3:57am

Did you get the flag?

I was able to get the flag by running the custom rule against Kira’s password and then SSH’ing into the box. After that, I looked at Kira’s bash history and saw evidence of a tool from the module being used.
The tool was deleted according to the bash history, so I downloaded that tool to my Kali machine, started a Python file server, copied the file to the target, and then I unzipped and ran the tool.

It provided the flag.

John

p.s. You will not be able to brute force Will’s password.

cmarrod · December 16, 2022, 5:24pm

Hello! Im looking at the bash history... In the module they just run a command and it gives you a password... Im sure it`s not that easy…

cmarrod · December 16, 2022, 6:02pm

Hello, how do you copied the files between the 2 linux servers… When I try to copy from the ssh session it can`t find it…

cmarrod · December 16, 2022, 6:58pm

I have tranfered many files but cant find the password... the file .bash_history is the only one Im not being allowed to transfer or open any hints!

cmarrod · December 17, 2022, 8:54am

Good morning John!
Yes! I have a google account pablomartinrod62@gmail.com but I dont want to know how to do it haha I just want a little hint hahaha so far I have transfered many files but I guess the important one is the .bash_history... and I dont have permissions over this file!

cmarrod · December 17, 2022, 6:36pm

Thanks man!! I just finished the Passwd, Shadow & Opasswd section

MekkX · December 19, 2022, 8:28am

Hi to everybody,

i have finished this question. I tried to

mutate the password and after this i have found the login password.

Then, on the target machine, i have used one tool explain in the section…
Thank you to all

cmarrod · December 22, 2022, 9:31am

Hello there! I can`t find the user/password for the initial ssh access… my pawnbox dies before hydra can finish Is there another way to start this lab???

Newuser · January 10, 2023, 7:41am

Could somebody explain me why I can’t use

python3 firefox_decrypt.py?

I have to use

python3.9 firefox_decrypt.py

Why is that?

MekkX · January 10, 2023, 2:11pm

In the first command is there a question mark… is a mistake?

MekkX · January 10, 2023, 2:17pm

In the hint box, they tell you that your colleagues have found the user Kira and he use in most case the password LoveYou1. Maybe you have to ssh with these credentials… and if that doesn’t works, maybe you have to mutate di password with the custom.rule in the section… then follow the lesson

famasoon · January 22, 2023, 10:23am

Hello.
I have tried applying a custom rule to my Kira password to check Kira’s SSH password.
However, hydra does not find anything.
What is wrong?

$ vim pass.list  # write Kira's password
$ hashcat --force pass.list -r custom.rule --stdout | sort -u > mut_pass.list
$ hydra -l Kira -P mut_pass.list ssh://10.129.164.11 -t 64         
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-22 05:21:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 459 login tries (l:1/p:459), ~8 tries per task
[DATA] attacking ssh://10.129.164.11:22/
[STATUS] 333.00 tries/min, 333 tries in 00:01h, 157 to do in 00:01h, 33 active
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-22 05:23:09

pp123 · January 28, 2023, 5:07pm

Try the user in lowercase. It is the only difference that I see against what I did, and I got it.

famasoon · January 31, 2023, 10:30am

Thanks!
It worked correctly

gizmoe380 · February 18, 2023, 3:04pm

this section lit a fire in me thank you everyone for your help!

hypercoyote · April 2, 2023, 4:03am

It’s because there’s multiple versions of Python on the system and if you just run Python3, it uses version 3.8 which is not compatible with that script.

htbstudent898989 · April 26, 2023, 6:48am

Hello, how do you copied the files between the 2 linux servers… When I try to copy from the ssh session it can`t find it…

not sure what to do, found kira’s pw, logged in, saw the bash history but cant find the password for will, any help would be grateful.

Kastr0 · May 7, 2023, 4:45pm

How about without a Hint? How would I handle this without the hint?

kript0r3x · June 23, 2023, 12:01am

I too ran custom rule on Kira’s password but I didn’t get any valid password. Am I missing something?