Password Attacks | Academy

Hey, where you able to solve this?
Stuck here too!

need help here the 1 ticket has no credentials and other ticket has expired need help here

Close the pwnbox or VM. After some time open the log in the same process and try a valid ticket will pop up.
The same thing happen with me and above solve the problem, after it’s easy!

thanks, I spend all day and solve with your advice in 2 minutes

1 Like

hi, everyone, I am stuck with Protected files.
John give me No password hashes loaded (see FAQ) or Unknown ciphertext format name requested
when I try to run
john --wordlist=/Users/evrohachik/Desktop/rockyou.txt ssh.hash
any help?
UPDATE John or install another version to FIX

hi guys, I am stuck here with Protected archives
John answer me with
Enabling duplicate candidate password suppressor
0g 0:00:00:00 DONE (2023-09-15 16:51) 0g/s 2081Kp/s 2081Kc/s 2081KC/s loveyou192!oi…ovey
Session completed.
I used mutated list as well
nothing works
I tried 2 different version of John
and hatchet - m 17200-17300
could someone help me?

This part requires a mutated list. John’s command should be a standard one. If john doesn’t work for you try hashcat with -m 17225, however in that case you must modify source hash (which you received from zip2john) for hashcat, spoiler:


In case if hashcat didn’t work for you I might assume that there is something wrong with your mutated list.

Hope it will help anyway.

1 Like

hi, thanks for your answer. I will try again and will let you know

UPDATE solved, thanks again, I used wrong mutated list facepalm

1 Like

it was terrible module)

Hello, im stuck on this Password Reuse / Default Passwords, i did ssh with the credentials of sam, but when i search on the box, not able to find any credentials for mysql, do you have any other idea where we can take a look, i know that you are stuck on this step, but checking if you resolve it ?

You should submit password as the answer in previous sections

I’ve tried going through the lists like 3 times :sob:

Hi I need help with the question in the " Password Mutations" section: “Create a mutated wordlist using the files in the ZIP file under “Resources” in the top right corner of this section. Use this wordlist to brute force the password for the user “sam”.”. I have created a mutated password list with the custom rules and password list from the resources, with that mutated list I’m running hydra: “hydra -l sam -P mut_password.list ssh://target-ip”. It has been running for a couple hours now and I don’t think that’s normal right? Help would be appreciated!

For the LINUX01$, I think we are making it more difficult than it really is. So once you have root, go back to the top of the module, listing keytab file information. Run that command and it will reveal the ticket you need, hint it is in /etc. From there you use kinit, just follow the module down. Once you can use klist and it lists your default prinipal as LINUX01 youre good to go. When you use smbclient, do not use the $ sign just LINUX01. I hope this helps someone, took me several days to get this one lol

Also, when you use kinit, do not include @inlanefreight.htb, just LINUX01$

1 Like

I am at Protected Files section. I don’t remember cracking any user Kira. Can somebody tell me where that user is?

Hi. I’m stuck at the same question. Can you please give me a hint if you solved it? I cannot find user Kira either! Thanks in advantage!

Hi I am in the Protected Files section and logged in with ssh and username Kira to target. I found id_rsa key and downloaded to my pwnbox. Nevertheless, when I try “ id_rsa >crack”, it throws me this:
Traceback (most recent call last):
File “/usr/share/john/”, line 193, in
File “/usr/share/john/”, line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module ‘base64’ has no attribute ‘decodestring’

Can anyone help?? Thank you

!!! UPDATE !!!
I found out that ssh2john is deprecated for python version 3.9, so in order to run it correctly you should first run: " sed ‘s/decodestring/decodebytes/’ /usr/share/john/ | python3.9 - id_rsa " this command and paste the output to a file (e.g. SSH.private), where “id_rsa” is Kira’s private key. Then you can decrypt it with John.

Download the resource file (up in the page in the right). Then create a file .list with the password “LoveYou1” ONLY and with hashcat perform permutations with the .list file containing only the password and the custom.rule file (see the “password permutations” section). Then you can run hydra against the SSH service with user “kira” and the provided permuted password list.

Thanks a lot