PASSWORD ATTACK | ACADEMY - Credential Hunting in Linux

Hi everyone, I have been stuck now for a few hours in the “password attacks” academy in the “Credential Hunting in Linux” section. The question asks “Examine the target and find out the password of user Will. Then, submit the password as a response.”
In the hints it says: "
Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user “Kira”, who in most cases had SSH access to other systems with the password “LoveYou1”. We have already provided a prepared list of passwords in the “Resources” section for simplicity’s purpose."
I have tried connecting in ssh with Kira and LoveYou1 credentials but it doesn’t work, I also tried on SMB but nothing.
If I use the user and psw provided to me in the resources and try to bruteforce both ssh and smb it returns nothing. Or rather it finds me multiple passwords corresponding to 2 users that don’t work anyway (with msfconsole)…I don’t know what to do

1 Like

Did you get the flag?

I was able to get the flag by running the custom rule against Kira’s password and then SSH’ing into the box. After that, I looked at Kira’s bash history and saw evidence of a tool from the module being used.
The tool was deleted according to the bash history, so I downloaded that tool to my Kali machine, started a Python file server, copied the file to the target, and then I unzipped and ran the tool.

It provided the flag.


p.s. You will not be able to brute force Will’s password.


Hello! Im looking at the bash history... In the module they just run a command and it gives you a password... Im sure it`s not that easy…

Hello, how do you copied the files between the 2 linux servers… When I try to copy from the ssh session it can`t find it…

I have tranfered many files but cant find the password... the file .bash_history is the only one Im not being allowed to transfer or open :frowning: :frowning: any hints!

1 Like

Good morning John!
Yes! I have a google account but I dont want to know how to do it haha I just want a little hint hahaha so far I have transfered many files but I guess the important one is the .bash_history... and I dont have permissions over this file!

1 Like

Thanks man!! I just finished the Passwd, Shadow & Opasswd section :slight_smile: :slight_smile: :slight_smile:

1 Like

Hi to everybody,

i have finished this question. I tried to

mutate the password and after this i have found the login password.

Then, on the target machine, i have used one tool explain in the section…
Thank you to all

Hello there! I can`t find the user/password for the initial ssh access… my pawnbox dies before hydra can finish :frowning: :frowning: Is there another way to start this lab???

Could somebody explain me why I can’t use


I have to use


Why is that?

In the first command is there a question mark… is a mistake?

In the hint box, they tell you that your colleagues have found the user Kira and he use in most case the password LoveYou1. Maybe you have to ssh with these credentials… and if that doesn’t works, maybe you have to mutate di password with the custom.rule in the section… then follow the lesson :slight_smile:

1 Like

I have tried applying a custom rule to my Kira password to check Kira’s SSH password.
However, hydra does not find anything.
What is wrong?

$ vim pass.list  # write Kira's password
$ hashcat --force pass.list -r custom.rule --stdout | sort -u > mut_pass.list
$ hydra -l Kira -P mut_pass.list ssh:// -t 64         
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2023-01-22 05:21:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 459 login tries (l:1/p:459), ~8 tries per task
[DATA] attacking ssh://
[STATUS] 333.00 tries/min, 333 tries in 00:01h, 157 to do in 00:01h, 33 active
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2023-01-22 05:23:09

Try the user in lowercase. It is the only difference that I see against what I did, and I got it.


It worked correctly

1 Like

this section lit a fire in me :stuck_out_tongue_closed_eyes: :face_with_hand_over_mouth: thank you everyone for your help!

It’s because there’s multiple versions of Python on the system and if you just run Python3, it uses version 3.8 which is not compatible with that script.

Hello, how do you copied the files between the 2 linux servers… When I try to copy from the ssh session it can`t find it…

not sure what to do, found kira’s pw, logged in, saw the bash history but cant find the password for will, any help would be grateful.

How about without a Hint? How would I handle this without the hint?


I too ran custom rule on Kira’s password but I didn’t get any valid password. Am I missing something?

1 Like