This is a short write-up of the skill assessment lab from the Password Attacks module on Hack The Box.
The lab contains the following description:
Our next host is a workstation used by an employee for their day-to-day work. These types of hosts are often used to exchange files with other employees and are typically administered by administrators over the network. During a meeting with the client, we were informed that many internal users use this host as a jump host. The focus is on securing and protecting files containing sensitive information.
The following question should be answered:
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
The lab also provides three files, all related to password cracking, that are used throughout the three skill assessments.
A quick nmap scan revealed three open ports on the target machine:
• Port 22 (SSH): remote shell access.
• Port 139 (NetBIOS session service): SMB carried over NetBIOS, used for file and printer sharing.
• Port 445 (SMB): SMB directly over TCP, the same file-sharing service without the NetBIOS layer.
[image: open ports]
Initial tests with an anonymous (null) SMB login revealed a publicly readable share named SHAREDRIVE.
Connecting to the share, we found a Docs.zip file; the next step was to look into it.
[image: smb share and exposed file]
When attempting to unzip Docs.zip, we hit a password prompt, so the password had to be cracked before we could proceed.
[image: trying to unzip Docs.zip]
To tackle this I used John the Ripper, an offline password cracker that supports zip archives alongside many other formats.
The first step is to extract a crackable hash from the archive with the zip2john utility. The resulting hash file is the input for the cracking run.
With the hash file ready, I ran John against it with password.list as the wordlist.
As shown in the previous image, password.list did not contain the zip password. This is where the third file, custom.rule, comes into play.
custom.rule is a hashcat rule file. Applying its rules to password.list generates a new wordlist of mutations: appending digits or symbols, capitalising, swapping letters for look-alike digits and similar transformations. This mirrors how people satisfy complexity policies by tweaking a base word, so a base word that is in the list still leads to the real password.
To generate the mutated wordlist with hashcat:
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
This applies every rule in custom.rule to every word in password.list. --stdout prints the candidates instead of cracking anything, --force suppresses hashcat's warnings, and sort -u drops the duplicates that overlapping rules produce, so no candidate is hashed twice later. Expect the output, mut_password.list, to be several times larger than the original list: before deduplication it holds one candidate per word per rule.
[image: hashcat pw mutation]
Finally, with the mutated wordlist, John cracked the zip password.
[image: john with mut_password.list]
With this password we unzipped Docs.zip, which contained a single file, Documentation.docx.
Opening Documentation.docx, I was surprised to find that it is also password-protected, so another cracking round was needed.
[image: docx password prompt]
Here John is used again, this time with the office2john utility, which extracts a hash from the password-protected .docx that John can attack with a wordlist. Modern Office encryption uses a deliberately slow key derivation, so each candidate costs far more than a zip check, and a small, targeted wordlist pays off.
[image: docx password cracking]
Documentation.docx contains instructions for setting up an application locally and, in the process, reveals credentials for a user named Jason.
Those credentials work over SSH, giving a shell on the machine.
[image: ssh jason]
Exploring the machine, I found a second local user, Dennis, a candidate for lateral movement, and a MySQL service running on the host that might hold further credentials.
[image: mysql check]
[image: dennis' home]
Jason's password also works for MySQL (the same credential reused for a second service), and the server holds a database called users.
Dennis's credentials were sitting in the creds table of that database.
The password worked, and su gave access to Dennis's account.
[image: su dennis]
Dennis's shell history shows on its first line the command that created an SSH key pair, which sits in his .ssh folder.
[image: history - dennis]
I copied the private key to the attack box over SMB to try it for SSH access as root.
[image: transferring id_rsa]
The key turned out to be passphrase-protected, and Dennis's password did not unlock it.
Once again I used John, this time with the ssh2john utility to turn the key into a crackable hash, and cracked the passphrase with the mutated wordlist:
ssh2john id_rsa > id_rsa.hash
john --wordlist=mut_password.list id_rsa.hash
With the cracked passphrase I loaded the key, connected as root, and captured the root flag. Every step of the chain relied on weak or reused passwords and on secrets left readable on disk: a password-protected archive on an anonymous share, credentials in a document, credentials in a database table, and a root key in a user's home directory.