Skip to content

TryHackMe Writeups

Passwordattacks

TryHackMe Writeups

Home
Crackthehash
Cyberadventtemplate
Template
25daysofchristmas
25daysofchristmas
- 25daysofchristmas
HackfinityBattle
HackfinityBattle
- HackfinityBattle
Adenumeration
Adenumeration
- Adenumeration
Adv3nt0fdbopsjcap
Adv3nt0fdbopsjcap
- Adv3nt0fdbopsjcap
Adventofcyber2
Adventofcyber2
- Adventofcyber2
Adventofcyber2023
Adventofcyber2023
- Adventofcyber2023
Adventofcyber2024
Adventofcyber2024
- Adventofcyber2024
Adventofcyber23sidequest
Adventofcyber23sidequest
- Adventofcyber23sidequest
Agentsudoctf
Agentsudoctf
- Agentsudoctf
Anonymous
Anonymous
- Anonymous
Auditingandmonitoringse
Auditingandmonitoringse
- Auditingandmonitoringse
Authenticationbypass
Authenticationbypass
- Authenticationbypass
Blaster
Blaster
- Blaster
Blue
Blue
- Blue
Bof1
Bof1
- Bof1
Breachingad
Breachingad
- Breachingad
Breakrsa
Breakrsa
- Breakrsa
Burpsuitebasics
Burpsuitebasics
- Burpsuitebasics
Burpsuiteintruder
Burpsuiteintruder
- Burpsuiteintruder
Burpsuiteom
Burpsuiteom
- Burpsuiteom
Burpsuiterepeater
Burpsuiterepeater
- Burpsuiterepeater
Codeanalysis
Codeanalysis
- Codeanalysis
Commonlinuxprivesc
Commonlinuxprivesc
- Commonlinuxprivesc
Contentdiscovery
Contentdiscovery
- Contentdiscovery
Cowboyhacker
Cowboyhacker
- Cowboyhacker
Crackthehash
Crackthehash
- Crackthehash
Cryptographyintro
Cryptographyintro
- Cryptographyintro
Cybergovernanceregulation
Cybergovernanceregulation
- Cybergovernanceregulation
Dastzap
Dastzap
- Dastzap
Dataxexfilt
Dataxexfilt
- Dataxexfilt
Easyctf
Easyctf
- Easyctf
Encryptioncrypto101
Encryptioncrypto101
- Encryptioncrypto101
Enumerationpe
Enumerationpe
- Enumerationpe
Exploitingad
Exploitingad
- Exploitingad
Fileinc
Fileinc
- Fileinc
Hydra
Hydra
- Hydra
Ice
Ice
- Ice
Intronetworksecurity
Intronetworksecurity
- Intronetworksecurity
Johntheripper0
Johntheripper0
- Johntheripper0
Kenobi
Kenobi
- Kenobi
Lateralmovementandpivoting
Lateralmovementandpivoting
- Lateralmovementandpivoting
Linprivesc
Linprivesc
- Linprivesc
Linuxfundamentalspart1
Linuxfundamentalspart1
- Linuxfundamentalspart1
Linuxfundamentalspart2
Linuxfundamentalspart2
- Linuxfundamentalspart2
Linuxfundamentalspart3
Linuxfundamentalspart3
- Linuxfundamentalspart3
Linuxprivesc
Linuxprivesc
- Linuxprivesc
Linuxsystemhardening
Linuxsystemhardening
- Linuxsystemhardening
Malmalintroductory
Malmalintroductory
- Malmalintroductory
Metasploitexploitation
Metasploitexploitation
- Metasploitexploitation
Meterpreter
Meterpreter
- Meterpreter
Netsecchallenge
Netsecchallenge
- Netsecchallenge
Ohsint
Ohsint
- Ohsint
Operatingsystemsecurity
Operatingsystemsecurity
- Operatingsystemsecurity
Owaspjuiceshop
Owaspjuiceshop
- Owaspjuiceshop
Owasptop102021
Owasptop102021
- Owasptop102021
Passwordattacks
Passwordattacks
- Passwordattacks Passwordattacks
  Table of contents
  - Table of contents
    
    Password Attacking Techniques
    
    Password Profiling #1 - Default, Weak, Leaked, Combined, and Username Wordlists
    
    Password Profiling #2 - Keyspace Technique and CUPP
    
    Offline Attacks - Dictionary and Brute-Force
    
    Offline Attacks - Rule-Based
    
    Online password attacks
    
    Password spray attack
Persistingad
Persistingad
- Persistingad
Picklerick
Picklerick
- Picklerick
Postexploit
Postexploit
- Postexploit
Powershell
Powershell
- Powershell
Printerhacking101
Printerhacking101
- Printerhacking101
Redteamrecon
Redteamrecon
- Redteamrecon
Rpnessusredux
Rpnessusredux
- Rpnessusredux
Rrootme
Rrootme
- Rrootme
Sast
Sast
- Sast
Seriskmanagement
Seriskmanagement
- Seriskmanagement
Shodan
Shodan
- Shodan
Sql injection
Sql injection
- Sql injection
Steelmountain
Steelmountain
- Steelmountain
Thelayoftheland
Thelayoftheland
- Thelayoftheland
Threatmodelling
Threatmodelling
- Threatmodelling
Traverse
Traverse
- Traverse
Uploadvulns
Uploadvulns
- Uploadvulns
Vulnerabilitycapstone
Vulnerabilitycapstone
- Vulnerabilitycapstone
Vulnerabilitymanagementkj
Vulnerabilitymanagementkj
- Vulnerabilitymanagementkj
Vulnversity
Vulnversity
- Vulnversity
Walkinganapplication
Walkinganapplication
- Walkinganapplication
Weaponization
Weaponization
- Weaponization
Winadbasics
Winadbasics
- Winadbasics
Windows10privesc
Windows10privesc
- Windows10privesc
Windowsfundamentals1
Windowsfundamentals1
- Windowsfundamentals
Windowsfundamentals2
Windowsfundamentals2
- Windowsfundamentals2
Windowsfundamentals3
Windowsfundamentals3
- Windowsfundamentals3
Windowslocalpersistence
Windowslocalpersistence
- Windowslocalpersistence
Windowsprivesc20
Windowsprivesc20
- Windowsprivesc20
Wiresharkpacketoperations
Wiresharkpacketoperations
- Wiresharkpacketoperations
Wiresharkthebasics
Wiresharkthebasics
- Wiresharkthebasics
Wonderland
Wonderland
- Wonderland

Password Attacks Banner

Password Attacks Logo

Password Attacks

This guide contains the answer and steps necessary to get to them for the Password Attacks room.

Table of contents

Password Attacking Techniques
Password Profiling #1 - Default, Weak, Leaked, Combined, and Username Wordlists
Password Profiling #2 - Keyspace Technique and CUPP
Offline Attacks - Dictionary and Brute-Force
Offline Attacks - Rule-Based
Online password attacks
Password spray attack

Password Attacking Techniques

Which type of password attack is performed locally?

Password cracking is done after the password hash has been extracted to get the password itself. Password guessing is usually done online towards a service.

Click for answer
Password Cracking

Password Profiling #1 - Default, Weak, Leaked, Combined, and Username Wordlists

What is the Juniper Networks ISG 2000 default password?

For this we can use one of the default passwords website provided. In this case I used https://default-password.info.

Juniper

Click for answer
netscreen:netscreen

Password Profiling #2 - Keyspace Technique and CUPP

Run the following crunch command: crunch 2 2 01234abcd -o crunch.txt. How many words did crunch generate?

After runnning the command we can see in the output how many lines are written to the file.
```
crunch 2 2 01234abcd -o crunch.txt
```

Click for answer
81

What is the crunch command to generate a list containing THM@! and output to a file named tryhackme.txt?

Lets break this down:

We need 5 characters
Special options using -t
Output to a file

The argument for special characters is ^.

Click for answer
crunch 5 5 -t THM^^ -o tryhackme.txt

Offline Attacks - Dictionary and Brute-Force

Considering the following hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the hash type?

We can use hash-identifier to find out what hash type this is.

Hash

Click for answer
SHA-1

Perform a dictionary attack against the following hash: 8d6e34f987851aa599257d3831a1af040886842f. What is the cracked value? Use rockyou.txt wordlist.

Lets first find out what the type of this hash is with hash-identifier.

Hash 2

Now we can look at the hashcat examples page what the correct argument for SHA-1 is.

Hash Type

Putting this together gives us the following command:

hashcat -a 0 -m 100 8d6e34f987851aa599257d3831a1af040886842f /usr/share/wordlists/rockyou.txt

Dictionary Attack

Click for answer
sunshine

Perform a brute-force attack against the following MD5 hash: e48e13207341b6bffb7fb1622282247b. What is the cracked value? Note the password is a 4 digit number: [0-9][0-9][0-9][0-9]

For this we need to use the -a argument and the correct chartset from the help page.

hashcat -a 3 m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d

Brute Force

Click for answer
1337

Offline Attacks - Rule-Based

What syntax would you use to create a rule to produce the following: "S[Word]NN where N is Number and S is a symbol of !@?

For this we must use the knowledge we just learned.

It begins with the special character
Then the word
Lastly two digits

Click for answer
Az"[0-9][0-9]" ^[!@]

Online password attacks

As mentioned above, lets first create a custom wordlist based on a website using cewl.

cewl -m 8 -w clinic.lst https://clinic.thmredteam.com/

Can you guess the FTP credentials without brute-forcing? What is the flag?

We can try to look for words in our wordlist, but something even easier for ftp is anonymous login. We can see if this is enabled using nmap.

nmap -sV 10.10.207.111
nmap -A 10.10.207.111

Nmap

Nmap All

Looks like anonymous login is allowed.

We can now look for the flag.

FTP Flag

Click for answer
THM{d0abe799f25738ad739c20301aed357b}

In this question, you need to generate a rule-based dictionary from the wordlist clinic.lst in the previous task. email: pittman@clinic.thmredteam.com against MACHINE_IP:465 (SMTPS).

What is the password? Note that the password format is as follows: [symbol][dictionary word][0-9][0-9].

sudo vi /etc/john/john.conf

[List.Rules:THM-Password-Attacks]
Az"[0-9][0-9]" ^[!@]

John Config

john --wordlist=clinic.lst --rules=THM-Password-Attacks --stdout > wordlist.txt

Now we can use Hydra to attack the smtps service with the wordlist created with John.

hydra -l pittman@clinic.thmredteam.com -P wordlist2.txt smtps://10.10.155.132 -Vv

SMTP Password

Click for answer
!multidisciplinary00

Perform a brute-forcing attack against the phillips account for the login page at http://MACHINE_IP/login-get using hydra? What is the flag?

For this we will use the same word list, but a different username and attack method. We first need to find out what the format of the request is.

HTTP Form

Here we see the format and the error message we get when attempting to login using wrong credentials.

For Hydra we will then use the following command:

hydra -l phillips -P wordlist2.txt 10.10.155.132 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:F=failed"

Unfortunately, it never seemed to take to failed condition. Using a success condition somehow did work.

S=logout.php

HTTP Password

Now we can login with these credentials and find the flag.

HTTP Flag

Click for answer
THM{33c5d4954da881814420f3ba39772644}

Perform a rule-based password attack to gain access to the burgess account. Find the flag at the following website: http://MACHINE_IP/login-post/. What is the flag?

Note: use the clinic.lst dictionary in generating and expanding the wordlist!

First thing we need to do is expand the previously created clinic.lst using johns single-extra rule.

john --wordlist=clinic.lst --rules=Single-Extra --stdout > wordlist-http.txt

We should also check the form page and get the failed login attempt message.

HTTP Post Form

Note: Unfortunately, this again wouldn't work with the F argument. So I opted to use the S argument instead.

Now we can use hydra to attack the post form.

hydra -l burgess -P wordlist-http.txt 10.10.155.132 http-post-form "/login-post/index.php:username=^USER^&password=^PASS^:S=logout.php"

HTTP Post Password

Now we only have to log into the page and get the flag.

HTTP Post Flag

Click for answer
THM{f8e3750cc0ccbb863f2706a3b2933227}

Password spray attack

Perform a password spraying attack to get access to the SSH://10.10.155.132 server to read /etc/flag. What is the flag?

We first create the following username list with nano.

nano usernames-list.txt   

admin
phillips
burgess
pittman
guess

Now we must create a password list as well. Using the hint, we can narrow down the list and rules to make. Lets start with a text files containing the following:

Spring202
Fall202
Summer202
Winter202

Now we add the following rule to John:

[List.Rules:THM-Password-Spray]
Az"[0-1][!@]"

Spray Config

Now we can use these 2 lists in hydra to crack the SSH password.

hydra -L usernames-list.txt -P wordlist-spray.txt ssh://10.10.155.132 -T 4

Spray Hydra

Use these to login to SSH.

Spray SSH Login

Nothing was found in the user folder, so I looked at the history which might give us a hint to the flags location. Lo and behold it did! Otherwise, I would have made a search query for the file using:

find / -name flag 2>/dev/null

Spray Flag

Click for answer
THM{a97a26e86d09388bbea148f4b870277d}