Password attacks "Passwd, Shadow & Opasswd"

Hello, i’m stuck as well but earlier. I dont know how to get s** cred. Can u give me a hint to start this section?

which mutated pass list i use i am in very confusion plzz tell me or give me a hint i tried the all mutated password i tried the custom.list and kira passwd custom list too

tried to cp the passwd/shadow files to perform the unshadow command but no correct privileges therefore these files must be there somewhere on the target machine to be able to continue the cracking using the hashcat with all given information in the resources file

you are heading on the right direction

I have unshadowed the hashes and mutated the password with 90k+ passwords and trying brute forcing with hashcat but shows ‘Exhausted’.!
NOT CRACKED
Can anyone help me?

I have used: hashcat -m 1800 -a 0 unshadowed.hashes mut_password1.list -o unshadowed.cracked

But root password not cracked. Can you help?

it will crack two root passwords but there is a second one I just used the mut_password1.list which you helped me sed it after around 12 minutes

unshadow X.bak X.bak > unshadowed.hashes
hashcat -m 1800 -a 0 unshadowed.hashes mut_password1.list

I used the first mutates wordlist with 186850 words and it didn’t crack. Do we use the Kira wordlist?

I just got the answer using another tool. I had the answer in my list hashcat was not reading it for some reason, but it worked with the other tool.

Dear, I successfully got the unshadow file, but I cannot crack the file, Any Hints?
-Should I try to get s** user creds?
-Any Other hints in the target host?
-Or crack the unshadow file with the mutation pw list ?

Thanks

did you ever figure this answer out im having such a hard time could you help me please

Can anyone give me a hint as to what I am doing wrong?

I moved to the machine with Will’s credentials and found the needed files. I checked the md5hash before transferring and after. Both .bak files were transferred correctly. Then I unshadowed them and started cracking. I tried several lists as mentioned in this threat already - without any luck!

When I start hashcat there are a lot of hints, such as

Hashfile ‘unshadowed.hashes’ on line 2 (daemon…emon:/usr/sbin:/usr/sbin/nologin): Token length exception

Might this be the error? Is something wrong with the unshadowed file?

UPDATE: I was able to reduce the messages about “length exception” by reducing the file to just the root user. BUT… still not able to crack the password with hashcat. JOHN did well! If you stuck try JOHN.

I for some reason cannot find Will’s passowrd.
I used the resources provided on the lab, mutated the password with the custom rule, and I tried using the ftp and smb ports that are open on the target, but even after waiting for hours to finish the entire dictionary, the password cannot be found.

Can someone point me where I’m doing it wrong?

Hello! There are backup copies of passwd and shadow in /tmp, download and everything will work out

Don’t overcomplicate it

Find some backup file → simple copy out the root hash → hashcat works in autodetect mode, if you use an earlier created mutated wordlist it will crack it within a minute in a VM

1 Like

I have created a file with the hash of the passowrd Kira in 2 type:

hashestocrack1.txt

kira:$6$Qsp/wU8vd2AfZLNX$C9jsDq36v3SjM8J1RNgrPkvFUxmOUoHcLUhLFVSCxjH1OcmfOsYaOyV4Flq03xEws8EpIbqkGswGRkrfhMCS9.:1000:1000::/home/kira:/bin/bash

hashestocrack2.txt

$6$Qsp/wU8vd2AfZLNX$C9jsDq36v3SjM8J1RNgrPkvFUxmOUoHcLUhLFVSCxjH1OcmfOsYaOyV4Flq03xEws8EpIbqkGswGRkrfhMCS9.

Later I have put in the password.list the real password of the user Kira. When I exec HashCat, he can’t find the password.

hashcat -m 1800 -a 0 hashestocrack1.txt /tmp/password.list
#or
hashcat -m 1800 -a 0 hashestocrack2.txt /tmp/password.list

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: $6$Qsp/wU8vd2AfZLNX$.......................................hMCS9.
Time.Started.....: Fri Mar 29 23:20:50 2024 (0 secs)
Time.Estimated...: Fri Mar 29 23:20:50 2024 (0 secs)
Guess.Base.......: File (/tmp/password.list)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2127 H/s (9.37ms) @ Accel:64 Loops:512 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests
Progress.........: 205/205 (100.00%)
Rejected.........: 0/205 (0.00%)
Restore.Point....: 205/205 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4608-5000
Candidates.#1....: 123456 ->

Why? The real password, I am sure is correct in the password.list

Try studying authentication and authorization methods on UNIX-like systems to understand how shadow password files work and how you can access user passwords through them. This may require using various tools and techniques to read the encrypted passwords from the shadow password file. Refer to the documentation for security auditing and system file analysis tools for more information on techniques for working with shadow password files.

1 Like

Hi Annabelle,

in this case, the problem was another. The tools don’t print on the standard output, so, for see a results, we need to specify the -o filename.output and later we need to read this files, for reading the password.

I hope this helps others, but I took it for granted that if I hadn’t specified the writing to the files, I would have seen the result on the screen

1 Like

Yeah, had the same issue. The cracked ones didn’t display in stdout unless I visited the output file.

  1. ls -alt → then you will find the .backups folder
  2. transfer the files to your local machine pytohn3 -m http.server → wget http://attack_ip:port/filename
    3 → crack the password
2 Likes