Password Protected Writeup's Decryption instruction

Hack The Box now uses a feature called flag rotation, so protecting writeups with the root flag is no longer a good approach: the flag changes every time you reset the machine.

For Linux machines (using the root user hash in /etc/shadow)

Once you own root on a machine, you can read the contents of the /etc/shadow file.

Simply run cat /etc/shadow and read the contents of the shadow file:

cat /etc/shadow
root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7:::

Now copy the whole line, from root to :::

Then run the following command to convert this text to an MD5 hash:

➜  ✗ echo root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7::: | md5sum

02bece38cf6510fb40f19e7caa16e323

You get 02bece38cf6510fb40f19e7caa16e323. Paste it into the writeup where it asks for the decryption password.
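The shadow line contains $ characters, so the way it is quoted decides what text md5sum actually receives. The following added example (not part of the original post) uses the sample line and digest from this page to compare the command as typed above with a single-quoted form, with and without echo's trailing newline; the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: how shell quoting changes what md5sum hashes.
# LINE is the sample /etc/shadow entry shown on this page.
LINE='root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7:::'
# Digest quoted on this page for that line.
PAGE_DIGEST='02bece38cf6510fb40f19e7caa16e323'

# MD5 of stdin, digest only (drops the trailing "  -" printed by md5sum).
md5_hex() { md5sum | cut -d' ' -f1; }

# Text echo receives when the line is typed without quotes: $6,
# $YIFGN9pFPOS3EmwO and $qwICXAw4...BjFtx are expanded as (unset) variables.
# Subshell with nounset off so the empty expansions cannot abort the script.
text_unquoted() (
    set +u
    echo root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7:::
)

digest_unquoted()   { text_unquoted | md5_hex; }
# Literal line plus newline: what echo sends for a single-quoted argument.
digest_quoted()     { printf '%s\n' "$LINE" | md5_hex; }
# Literal line without the trailing newline (echo -n, or a file with no EOL).
digest_no_newline() { printf '%s' "$LINE" | md5_hex; }

# Report which derivation, if any, reproduces a given digest.
match_password() {
    case "$1" in
        "$(digest_unquoted)")   echo unquoted ;;
        "$(digest_quoted)")     echo quoted ;;
        "$(digest_no_newline)") echo quoted-no-newline ;;
        *)                      echo none ;;
    esac
}

printf 'text hashed when unquoted: %s\n' "$(text_unquoted)"
printf 'unquoted:           %s\n' "$(digest_unquoted)"
printf 'quoted:             %s\n' "$(digest_quoted)"
printf 'quoted, no newline: %s\n' "$(digest_no_newline)"
printf 'page digest matches: %s\n' "$(match_password "$PAGE_DIGEST")"
```

The three digests differ, so the password that opens a writeup is the one produced by the same form of the command that its author ran.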

For Windows (using the NTLM hashes)

When you own a Windows machine, you are able to get the NTLM hashes of all the users on the machine.

To get the NTLM hash, you will need a tool called hashdump.exe.

Simply transfer this tool to the Windows machine and run it with the /samdump option:

PS C:\tmp> .\hashdump.exe /samdump
SAM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c:::

Now copy the full text, from Administrator to :::, and run the following command to convert it to an MD5 hash:

➜ ✗ echo Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c::: | md5sum

27718aa318c30831d836074560f31d5c

Here we get 27718aa318c30831d836074560f31d5c. Paste it into the writeup where it asks for the decryption password.

Using secretsdump (Windows)

If you have owned a machine and you have the Administrator user's password, you can get the NTLM hashes of the Administrator user with secretsdump. Secretsdump is a tool from the Impacket tools.

secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.182
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e06543aa40cbb4ab9dff:::

Now copy the full text, from Administrator to :::, and run the following command to convert it to an MD5 hash:

➜  prashant ✗ echo Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e06543aa40cbb4ab9dff::: | md5sum
9ec906faff027b1337f9df4955f917b9

Here we get 9ec906faff027b1337f9df4955f917b9. Paste it into the writeup where it asks for the decryption password.

Remember to use a capital A as the first letter of Administrator.

This post is licensed under CC BY 4.0


© 2020 Prashant Saini. All rights reserved.