Lab 6.1: Password Cracking - squatchulator/Tech-Journal GitHub Wiki

Lab 6.1 - Password Cracking

Step 1: Download seclists

  • Run sudo apt install seclists
  • Now, ssh into the box using the username and password you were given for the lab.
  • Run tail -n 3 /etc/passwd as well as sudo tail -n 3 /etc/shadow (/etc/shadow is readable only by root). Save the two outputs locally as etc_passwd.txt and etc_shadow.txt; they are the inputs to unshadow in the next step.

Step 2: Download John the Ripper

  • Run sudo apt-get install john

  • sudo unshadow etc_passwd.txt etc_shadow.txt > /tmp/crack.password.db (unshadow merges the two files so each account line carries its $6$ hash in the password field, which is the format john expects)

  • Unzip the rockyou list with sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

  • Run grep -E '(\w{11,})' /usr/share/wordlists/rockyou.txt > /home/<user>/rockyou_small.txt. This keeps only candidates containing a run of 11 or more word characters, which shrinks the list considerably; the trade-off is that any password shorter than 11 characters is never tried.

  • If an earlier john run was interrupted, remove its session restore file so the new run starts fresh: rm /home/<user>/.john/john.rec

  • Perform the password crack with john --wordlist=/home/<user>/run_john.txt /tmp/crack.password.db. john detects the $6$ prefix as sha512crypt on its own, and every crack is recorded in /home/<user>/.john/john.pot.

  • Now verify each cracked password by regenerating its hash with the passlib library and checking that the output matches the shadow entry. The rounds value (1000 for these entries) and the salt must be copied from the entry's own $6$rounds=N$salt$ prefix; an entry with no rounds= field uses the default of 5000, and a wrong value for either produces a different hash even for the right password.

grep gandalf /tmp/crack.password.db


python3 -c "from passlib.hash import sha512_crypt
print(sha512_crypt.hash('gandalfrockyou',rounds=1000,salt='LneEppAvGXMREfOV'))"

grep galadriel /tmp/crack.password.db

python3 -c "from passlib.hash import sha512_crypt
print(sha512_crypt.hash('galadrielarwen111',rounds=1000,salt='poPWvLT'))"

grep boromir /tmp/crack.password.db

python3 -c "from passlib.hash import sha512_crypt
print(sha512_crypt.hash('BoRomir2000Z',rounds=1000,salt='UvKLGar/VWtqFGCE'))"

Step 3: Crack some of the hashes with hashcat now.

  • To keep the unshadowed file across reboots (/tmp is cleared), write a copy into your home directory:
    sudo unshadow etc_passwd.txt etc_shadow.txt > /home/<user>/unshadowed.txt
  • hashcat -m 1800 -a 0 -o cracked_hashes.txt /tmp/crack.password.db rockyou_small.txt
    -m 1800 selects sha512crypt ($6$), -a 0 is a straight dictionary attack, and -o writes hash:password pairs to cracked_hashes.txt. hashcat also stores every crack in its potfile, so a second run against the same hashes reports them as already found instead of cracking them again.
  • You should now be able to open the cracked_hashes.txt file and see the passwords that were cracked. Yippee!!
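The three steps above (filter the wordlist, run the dictionary attack, recompute the hash with the entry's salt and rounds to confirm it) are what john and hashcat do internally. The following is an added example for this page, not the lab's own code and not passlib: a pure-Python sha512crypt ($6$) implementation following Ulrich Drepper's SHA-crypt specification, plus a parser for unshadow-style lines and a tiny dictionary attack. The user names, salts, passwords and wordlist are constructed here; the one external value is the "Hello world!"/"saltstring" test vector from the specification, used to prove the implementation matches real crypt(3) output.

```python
"""sha512crypt ($6$) by hand: what john and hashcat -m 1800 compute.

Added example for the lab page (not the page's or passlib's code). Implements
Drepper's SHA-crypt algorithm with hashlib, parses unshadow-style lines and
runs a dictionary attack that honours each entry's own salt and rounds.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

B64_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # implied when the hash carries no "rounds=N$" field


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s little-endian base64 of one 24-bit word, n characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return the full $6$[rounds=N$]salt$digest string for password/salt."""
    pw, salt = password.encode(), salt[:16]  # crypt(3) uses at most 16 salt chars
    s = salt.encode()
    plen, slen = len(pw), len(s)

    # Digest B = H(password || salt || password)
    b = hashlib.sha512(pw + s + pw).digest()
    # Digest A = H(password || salt || B bytes for len(password) || per-bit mix)
    a = hashlib.sha512(pw + s)
    a.update(b * (plen // 64) + b[: plen % 64])
    bits = plen
    while bits:
        a.update(b if bits & 1 else pw)  # 1-bit: add B, 0-bit: add password
        bits >>= 1
    a = a.digest()
    # P: plen bytes derived from H(password repeated plen times)
    dp = hashlib.sha512(pw * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    # S: slen bytes derived from H(salt repeated 16 + A[0] times)
    ds = hashlib.sha512(s * (16 + a[0])).digest()
    sb = ds * (slen // 64) + ds[: slen % 64]

    # The cost loop: each round is a fresh SHA-512 over a pattern of C, P and S.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(sb)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Encode the 64-byte result as 86 chars in crypt(3)'s interleaved byte order:
    # group g takes bytes (22g, 22g+21, 22g+42) mod 63, then byte 63 alone.
    enc = [_b64_24bit(c[(22 * g) % 63], c[(22 * g + 21) % 63], c[(22 * g + 42) % 63], 4)
           for g in range(21)]
    enc.append(_b64_24bit(0, 0, c[63], 2))
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt + "$" + "".join(enc)


# user:$6$[rounds=N$]salt$digest[:rest of passwd fields]
SHADOW_RE = re.compile(
    r"^(?P<user>[^:]+):\$6\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$:]{1,16})\$(?P<digest>[./0-9A-Za-z]{86})(?::|$)"
)


def parse_entry(line: str) -> Optional[dict]:
    """Split an unshadow line into its pieces; None for locked/non-$6$ entries."""
    m = SHADOW_RE.match(line)
    if not m:
        return None
    return {"user": m["user"], "rounds": int(m["rounds"] or DEFAULT_ROUNDS),
            "salt": m["salt"], "digest": m["digest"]}


def verify(entry: dict, candidate: str) -> bool:
    """Recompute with the entry's own salt and rounds and compare the 86-char
    digest only, so an explicit 'rounds=5000$' field cannot break the match."""
    return sha512_crypt(candidate, entry["salt"], entry["rounds"]).rsplit("$", 1)[1] == entry["digest"]


def filter_wordlist(words: Iterable[str], min_run: int = 11) -> List[str]:
    """Same selection as the lab's grep -E '(\\w{11,})': keep words with a run
    of min_run or more word characters."""
    pat = re.compile(r"\w{%d,}" % min_run)
    return [w for w in words if pat.search(w)]


def dictionary_attack(shadow_lines: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Try every word against every crackable entry; return user -> password."""
    entries = [e for e in (parse_entry(l) for l in shadow_lines) if e]
    words = list(wordlist)
    return {e["user"]: w for e in entries for w in words if verify(e, w)}


# Constructed sample data (hypothetical accounts, hashed here with the code above).
WORDLIST = ["123456", "password", "potatoes1", "iloveyou", "ringbearer22", "letmein", "qwerty123456"]
SAMPLE_SHADOW = [
    "root:!:0:0:root:/root:/bin/bash",  # locked account, skipped by the parser
    "frodo:" + sha512_crypt("ringbearer22", "x9Qw2LmNpR4s", 1000) + ":1001:1001::/home/frodo:/bin/bash",
    "samwise:" + sha512_crypt("potatoes1", "Uv7kGarWtq") + ":1002:1002::/home/samwise:/bin/bash",
    "sauron:" + sha512_crypt("Ungoliant-spins-7-webs", "Mordor99", 1000) + ":1003:1003::/home/sauron:/bin/bash",
]

if __name__ == "__main__":
    print("full list:    ", dictionary_attack(SAMPLE_SHADOW, WORDLIST))
    print("filtered list:", dictionary_attack(SAMPLE_SHADOW, filter_wordlist(WORDLIST)))
```

Two things the run shows that the lab commands hide: the filtered wordlist cracks frodo but not samwise, because "potatoes1" is nine characters and the 11-character filter dropped it, and sauron survives both lists because a passphrase that is not in the wordlist is never reached by a straight dictionary attack. The 1000-round entries also take visibly longer to check than a 5000-round one would be cheaper to guess: every candidate costs exactly `rounds` SHA-512 compressions, which is the whole point of the rounds field.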

Reflection

This lab was the coolest we've done so far in my opinion. I had never really seen the methodology behind password guessing/hash cracking before, and it was really cool doing it on my own. This gives me a lot less confidence in string passwords or short passwords ending with 2 numbers like the ones set up in our environment, as well as a lot of confidence in password managers that let you generate passwords. I use Bitwarden to protect all of my passwords and have a very complex master password, and I do not think it could be cracked using this method - but it is still really cool to see how the process works. It gives me a lot of insight into how those who may not be savvy in cybersecurity and protecting their passwords could be targeted if their passwords appear in a data leak or are guessed.
