I have been trying the bruteforce task for the sam user’s password. I’ve followed the instructions using the password.list file and the custom.rule included and the best64.rule which is part of hashcat. I have cut the password files down to 1k each and modified them so they only contain passwords 8-10 characters long but nothing seems to work.
It was also suggested to use ftp as it’s quicker than ssh for the bf but that has not returned any positive result either.
Is anyone able to please give me some guidance how to solve this?
I had to use the pwnbox instead of the vpn from my kali box.
The command was straightforward and it took about 20 minutes with the mutated file but a massive waste of time spent trying it from my own box. No idea why we have to use the pwnbox but it seems to be a recurring problem on the academy that using the vpn can be really ropy.
Excuse me, I use this code with the files given in the module (crackmapexec winrm 10.129.202.136 -u username.list -p password.list)
But I can’t find the username and password, is there something I’m doing wrong?
Hi, I’ve been stuck on this question for several hours. I downloaded the Notes.zip file over and over again, checked that the hashes were correct but nothing. I also did as you said, copied your hash but it doesn’t work. Hashcat gives me this result:
I used the mutation list generated from the password.list file given by the module resources.
What am I doing wrong? It seems unnecessarily difficult to me. Thank you!
Hi, I don’t remember what was going on in this module already. However I checked your found Password with my Notes.zip file and it actually works (I can freely extract notes.txt and read the flag).
Update: retook “Protected Archives”, downloaded fresh Notes.zip and password also works.
Customized wordlists work wonders for service cracking. Tailor them to your target’s interests. Also, automate your setup to escape that pwnbox and target loop.
After mutating the list, remove the duplicates and sort it in ascending order; it goes to 36k passwords. Later, increase the thread count of hydra. You will get the password for ftp.
I’ve been on hiatus from Hack The Box Academy. But I’m gonna get back on soon to look at your question. Because it took me a few days to figure it out. It didn’t take the four or five hours that they said it would take.
In the Attacking LSASS part, when I try pypykatz after moving the dump file, I got an error:
ERROR:pypykatz:Error while parsing file /home/htb-ac-1105225/lsass.DMP
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/pypykatz/pypykatz.py", line 261, in get_lsa
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)
  File "/usr/local/lib/python3.9/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)
  File "/usr/local/lib/python3.9/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__
    self.acquire_crypto_material()
  File "/usr/local/lib/python3.9/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material
    sigpos = self.find_signature()
  File "/usr/local/lib/python3.9/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 47, in find_signature
    raise Exception('LSA signature not found!')
Exception: LSA signature not found!