This is a short write-up about the skill assessment lab Password Attacks module from Hack The box.
The Lab contains the following description:
Our client Inlanefreight contracted us to assess individual hosts in their network, focusing on access control. The company recently implemented security controls related to authorization that they would like us to test. There are three hosts in scope for this assessment. The first host is used for administering and managing other servers within their environment.
The following question should be answered:
Examine the first target and submit the root password as the answer.
Also, the lab contains three files to be used in the assessments, all related to password brute-forcing that will be used throughout the three skill assessments.
 |
| resource files |
A quick nmap scan revealed two open ports on the target machine:
• Port 21 (FTP): Used for file transfer.
• Port 22 (SSH): Used for secure remote access.
Since the goal is to gain access to the target, SSH seems like the logical choice. However, brute-forcing SSH (port 22) is notoriously time-consuming and inefficient. Instead, we’ll focus our brute-forcing efforts on the FTP service running on port 21, which is typically faster to crack.
 |
| nmap scan top 1000 ports |
With our target identified, it’s time to move on to brute-forcing. While SSH (port 22) is our ultimate goal, attempting to brute-force it directly would be inefficient and time-consuming. FTP (port 21), on the other hand, offers a faster path to crack the credentials.
For this task, I turned to Hydra, a powerful and versatile password brute-forcing tool. Hydra excels at testing large combinations of usernames and passwords across various services.
 |
| hydra -L username.list -P password.list ftp://<IP> |
some time later, the result came over:
 |
| user mike cracked |
With this credential, it made possible to access the machine though ssh.
 |
| mike account |
Seeking for information in the Mike's session, the root credentials could be easily found in the history log, as the password was used in a command.
 |
| root password in history |
The root password, which is the flag from this assessment was dgb6fzm0ynk@AME9pqu
Thanks for reading it!