Password Attacks Lab - Medium

I got jason and dennis but I didn’t find nothings in the home of dennis, I checked all file but nothings can be reused…maybe I’m forgetting somethings?

Technically THERE IS something that you could exfil to your attack host and try to reuse with another user to escalate your privileges.

Even if you don’t think it would be likely to work, try to reuse everything that you could reuse in that folder. If you need more of a nudge, DM.

1 Like

Check the home folder of Dennis, what directory stands out to you? think SSH and how you can possibly use this.


1 Like

hi friend could yo share that with me please, thanks a lot!!!

hey frogman, i find in folder Dennis .ssh a id_rsa file. I use it like this:
ssh -i id_rsa root@IP

then it say “Enter passphrase for key ‘id_rsa’:” … what does this mean? i also generate a own key (see dennis bash history), but it doesn work too. If im on the right way, could you give me pls a hint?

hey luffy,

I am stuck at the same problem now, did u solve it already?

download the id_rsa key for Dennis, then you need to do ssh2john, turn that key into a hash then crack it with the mutated password list using hashcat. Then login into ssh using Dennis’s key under root user.


Great, thanks!

Hi guys, so I got the root user and I have some questions here because the whole priv esc process seemed a bit weird. So, once you get dennis, you have access to his private key but you cannot use sudo.


So the only thing I could do is download his private key and break it. Once you get the password, you can ssh to the machine as root and use that passphrase. So the whole idea here is that dennis set the same password for his ssh account as he did for root? Is that what they are teaching us with this machine?

Did you use mut_password to find the password for dennis?

Stuck on cracking the John the ripper as well as hashcat quits almost immediately on any computer I’ve tried (3 ARM based as that’s all I have).

I also tried the for loop and got an error. Will revisit that bash script in a bit.

Finally got it with the mutated p/w list.

In the lab description they say that the host is a jump host, what does that help me with the assessment ?

I cant event get the password for dennis ive tried everything via ssh
hydra crackmapexec msfsonsole using the custom.rule and password.list to
create mut_password list no password found
any hints

I was able to solve the lab, but was there something that identified the Dennis account as the key to getting root access? When I found the credentials using the compromised service, it gave me a long list of the credentials of other users, so why would his be the most important? I’m just trying to understand the logic flow of the lab.

I have the same Problem, i cant find no Passowr of no user. Please give me a hint wich password.list i have to take to find passwords

I’ve tried hydra, cme and msfconsole for smb bruteforce and a specific password triggered for a lot of users (which I’m guessing is an error).

I’ve then tried to list the shares with these users and that password but got the error:

ERROR Domain for user _some_user_ need to be FQDN ex:domain.local, not domain

Could someone give a hint on how to get the foothold?

ok I was using user like user instead of .\user which was what the tools returned

I don’t think I would have ever tried the solution. lol That last step was a real face palmer. This box was actually too realistic.

There is a table that i can’t read using J**** creds in the m****, can’t login m***** as root.
I think D***** creds are in it, am i right?
Any advice?