Password Cracking 2 - tmansfield42/Tech-Journal GitHub Wiki

Summary

In this lab we dumped /etc/passwd and /etc/shadow, combined them with unshadow, identified the hash type from its $id$ prefix, and cracked the hashes with John the Ripper and Hashcat to recover the plaintext passwords for multiple accounts. Note that the hashes are never "decrypted": cracking means hashing candidate passwords with the same salt until one produces the same hash.

Procedure

Grabbing password hashes:

Starting from a root (or otherwise elevated) shell, cat /etc/passwd and /etc/shadow. /etc/shadow is readable only by root (and usually the shadow group), which is why the elevated user is needed. Using any method you like, exfiltrate the contents of both files to your attacking machine.

Use the unshadow command (it ships with John the Ripper) to combine the two files. On most Unix-like systems the account information (username, UID, GID, GECOS, home directory, shell) is stored in /etc/passwd, while the password hashes and the password-aging fields are stored in /etc/shadow. unshadow joins the files on the username and writes the hash into the password field of each /etc/passwd line, producing the single file John expects. The extra account fields are not wasted: John's single-crack mode uses them to generate guesses.

unshadow /etc/passwd /etc/shadow > unshadowed.txt

The attached image showed the output of cat /etc/shadow. Each line is colon-separated: username, password hash, then the password-aging fields (date of last change, minimum and maximum age, warning period, inactivity period, expiry date) and a reserved field. For this lab only the first two fields matter; the aging fields are important for other use-cases, but there is no need to include them.

If you don't know what hash type you have, look at the prefix. crypt(3) hashes have the form $id$salt$hash, and the id identifies the scheme: $1$ is md5crypt, $5$ is sha256crypt, $6$ is sha512crypt, $y$ is yescrypt and $2b$ (or $2a$/$2y$) is bcrypt. A full table is on this handy wiki page: https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt . A password field of * or ! (or one starting with !) means the account is locked and there is nothing to crack. The commands below assume $6$, i.e. sha512crypt.

Using JohnTheRipper (JtR)

JtR is a hash-cracking tool. You give it a wordlist and the file containing the unshadowed hashes (unshadowed.txt in my example above); it works out the hash format itself, but --format lets you pin it down when the file contains more than one type.

IMPORTANT: if you do not give it a wordlist file, John falls through its default modes (single crack, then its built-in password.lst, then incremental mode, which tries every character combination and will not finish in any useful time against sha512crypt). I waited 35 minutes before realizing what had happened.

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt unshadowed.txt

This prints the plaintext candidates that, when hashed with the same salt, produce exactly the hashes in unshadowed.txt. John also records every cracked password in its pot file (john.pot); run john --show unshadowed.txt to list them again later instead of re-cracking.

Using Hashcat

Hashcat does the same job as JtR: you give it the hash mode (-m 1800 is sha512crypt), the attack mode (-a 0 is a straight wordlist attack), an output file, the hashes and a wordlist. Unlike John, Hashcat does not autodetect the hash type, so -m has to match the $id$ prefix. It also expects one hash per line rather than a whole passwd record; if it rejects the unshadowed file with a token-length or separator error, cut each line down to user:hash and add --username, or down to just the hash.

hashcat -m 1800 -a 0 -o outputd.txt unshadowed.txt wordlist.txt
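The whole procedure above (unshadow, identify the hash type, crack with a wordlist) as one added example, written for this page and not taken from the wiki, from John the Ripper or from Hashcat. The accounts, file names and wordlist are constructed; the one real hash is the published sha512crypt test vector for "Hello world!" with salt "saltstring". The passwd/shadow join is done in awk so it runs without john installed, and the cracking step uses openssl passwd -6 to recompute each guess, which is the same salt-then-hash-then-compare loop that john and hashcat run at scale.

```shell
#!/bin/sh
# Added example, not code from the original wiki page or from John/Hashcat.
# Reproduces the lab's pipeline by hand on constructed sample data:
# join passwd+shadow like `unshadow`, identify the scheme from the $id$
# prefix, extract hashes in the shape hashcat wants, and run a tiny wordlist
# attack that shows what john/hashcat do (re-hash each guess with the
# target's salt and compare). Needs awk and openssl >= 1.1.1 (openssl passwd -6).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files (hypothetical accounts). The hash for "bob" is the
# published sha512crypt test vector: password "Hello world!", salt "saltstring".
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$WORK/shadow" <<'EOF'
root:!:19000:0:99999:7:::
bob:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
EOF
cat > "$WORK/wordlist.txt" <<'EOF'
password
123456
Hello world!
letmein
EOF

# The same join john's unshadow does: for every /etc/passwd line, replace the
# "x" in the password field with the hash from the matching /etc/shadow line.
# usage: unshadow_awk PASSWD SHADOW
unshadow_awk() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             $1 in hash { $2 = hash[$1] } { print }' OFS=: "$2" "$1"
}

# Identify the crypt(3) scheme from the "$id$" prefix of a password field.
hash_type() {
    case "$1" in
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        ''|'*'*|'!'*)             echo locked ;;   # no password / locked account
        *)                        echo unknown ;;
    esac
}

# Hashcat wants one hash per line (or user:hash with --username), not the whole
# passwd record, so keep only user:hash for accounts that actually carry a hash.
hashcat_input() {
    awk -F: '$2 ~ /^[$]/ { print $1 ":" $2 }' "$1"
}

# Wordlist attack on sha512crypt entries: take the salt from the target hash,
# hash each candidate with it, and report a hit when the strings are identical.
# usage: crack_sha512crypt USER_HASH_FILE WORDLIST
crack_sha512crypt() {
    while IFS=: read -r user hash; do
        [ "$(hash_type "$hash")" = sha512crypt ] || continue
        salt=$(printf '%s\n' "$hash" | cut -d'$' -f3)
        case "$salt" in rounds=*)
            echo "skipping $user: custom rounds not supported by openssl passwd" >&2
            continue ;;
        esac
        while IFS= read -r cand; do
            if [ "$(openssl passwd -6 -salt "$salt" "$cand" </dev/null)" = "$hash" ]; then
                printf '%s:%s\n' "$user" "$cand"
                break
            fi
        done < "$2"
    done < "$1"
}

# Run the pipeline: unshadowed.txt is what john takes, hashes.txt what hashcat takes.
unshadow_awk "$WORK/passwd" "$WORK/shadow" > "$WORK/unshadowed.txt"
hashcat_input "$WORK/unshadowed.txt" > "$WORK/hashes.txt"
while IFS=: read -r user rest; do
    echo "$user: $(hash_type "$rest")"
done < "$WORK/unshadowed.txt"
if openssl passwd -6 -salt saltstring x >/dev/null 2>&1; then
    crack_sha512crypt "$WORK/hashes.txt" "$WORK/wordlist.txt"
else
    echo "openssl passwd -6 not available; skipping the cracking step" >&2
fi
```

Run it with sh. The hashes.txt it writes is the user:hash form hashcat accepts with --username (hashcat -m 1800 -a 0 --username hashes.txt wordlist.txt), while unshadowed.txt is what you hand to john. openssl passwd -6 only computes the default 5000 rounds, so entries carrying a rounds=N field are skipped here; leave those to the real tools.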