ansible-vault


At first, I was unsure what this hash string was, as I had never encountered one.

Looking it up online, I learned that this hash format is used by ansible-vault, and that it can be converted to a crackable hash format using ansible2john.

So I cleaned up the hash strings following the format and saved them into a file, ansible_hashes.yml.

ansible2john


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ cat ansible_hashes.yml                                       
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438
 
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531
 
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764
 
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ ansible2john ./ansible_hashes.yml 
Traceback (most recent call last):
  File "/usr/bin/ansible2john", line 64, in <module>
    process_file(sys.argv[i])
  File "/usr/bin/ansible2john", line 43, in process_file
    salt, checksum, ct = unhexlify(ciphertext).split(b"\n")
binascii.Error: Non-hexadecimal digit found

This initially failed because ansible2john can only process one hash string at a time: each input file has to contain a single vault blob.

┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ nano pwm_admin_login 
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ nano pwm_admin_password.yml                                                                         
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ nano ldap_admin_password.yml
 
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ ansible2john pwm_admin_login.yml                                                                  
pwm_admin_login.yml:$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ ansible2john pwm_admin_password.yml 
pwm_admin_password.yml:$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5                 
┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ ansible2john ldap_admin_password.yml 
ldap_admin_password.yml:$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635

So I divided them, and it worked.
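To show why the combined file broke and what the converter extracts, here is an added example (not part of the original writeup and not ansible2john's own code) that splits a multi-blob file on its `$ANSIBLE_VAULT` headers and decodes each payload into salt, HMAC and ciphertext. The function names are hypothetical, and `single_blob_read` is an assumption about single-blob handling inferred from the traceback above.

```python
import binascii

# First blob from the page's ansible_hashes.yml (pwm_admin_login).
BLOB = """$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438"""
# Constructed input: the same blob three times with separator lines, mimicking
# the three-blob file that made ansible2john fail.
MULTI = "\n \n".join([BLOB] * 3) + "\n"


def split_vaults(text):
    """Return one joined hex payload per $ANSIBLE_VAULT header in text."""
    vaults = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("$ANSIBLE_VAULT;"):
            vaults.append([])  # each header starts a new blob
        elif line and vaults:
            vaults[-1].append(line)
    return ["".join(v) for v in vaults]


def parse_payload(hex_payload):
    """Undo the outer hex layer: salt, HMAC and ciphertext, newline-separated."""
    salt, mac, ct = binascii.unhexlify(hex_payload).split(b"\n")
    return salt.decode(), mac.decode(), ct.decode()


def to_john_format(hex_payload):
    """Field order as in the page's ansible2john output: salt*ciphertext*HMAC."""
    salt, mac, ct = parse_payload(hex_payload)
    return f"$ansible$0*0*{salt}*{ct}*{mac}"


def single_blob_read(text):
    """Assumed single-blob reader: everything after line 1 is hex payload."""
    body = "".join(line.strip() for line in text.splitlines()[1:])
    return binascii.unhexlify(body)  # raises binascii.Error on a 2nd header


if __name__ == "__main__":
    for payload in split_vaults(MULTI):
        print(to_john_format(payload))
    try:
        single_blob_read(MULTI)
    except binascii.Error as exc:
        print("single-blob read of multi-blob file failed:", exc)
```

The payload is hex wrapped around three hex fields separated by `0a` bytes, so a second header in the same file puts non-hex characters into the data handed to `unhexlify`.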

hashcat


┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ cat hashes           
$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8
$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5
$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635

I also put the converted hash strings into a file.

┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ hashcat -a 0 -m 16900 hashes /usr/share/wordlists/rockyou.txt                                  
hashcat (v6.2.6) starting
 
minimum password length supported by kernel: 0
maximum password length supported by kernel: 256
 
hashes: 3 digests; 3 unique digests, 3 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5:!@#$%^&*
$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8:!@#$%^&*
$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635:!@#$%^&*
 
session..........: hashcat
status...........: Cracked
hash.mode........: 16900 (Ansible Vault)
hash.target......: hashes
time.started.....: Mon Jul 17 17:55:44 2023 (56 secs)
time.estimated...: Mon Jul 17 17:56:40 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:     2124 H/s (10.07ms) @ Accel:256 Loops:128 Thr:1 Vec:8
recovered........: 3/3 (100.00%) Digests (total), 3/3 (100.00%) Digests (new), 3/3 (100.00%) Salts
progress.........: 119808/43033155 (0.28%)
rejected.........: 0/119808 (0.00%)
restore.point....: 38400/14344385 (0.27%)
restore.sub.#1...: Salt:2 Amplifier:0-1 Iteration:9984-9999
candidate.engine.: Device Generator
candidates.#1....: jonah1 -> prospect
hardware.mon.#1..: Util: 91%
 
started: Mon Jul 17 17:55:25 2023
stopped: Mon Jul 17 17:56:42 2023

Hashcat was able to crack all of them, and all of them shared the same password: !@#$%^&*. This is because the cracked password is the ansible-vault password that was used to encrypt the earlier strange hash strings.

Decryption


┌──(kali㉿kali)-[~/…/smb/Development/Automation/ansible_hash]
└─$ cat ldap_admin_password.yml | ansible-vault decrypt 
Vault password: !@#$%^&*
Decryption successful
DevT3st@123                                                                                                     
 
┌──(kali㉿kali)-[~/…/smb/Development/Automation/ansible_hash]
└─$ cat pwm_admin_login.yml | ansible-vault decrypt   
Vault password: !@#$%^&*
Decryption successful
svc_pwm                                                                                                         
 
┌──(kali㉿kali)-[~/…/smb/Development/Automation/ansible_hash]
└─$ cat pwm_admin_password.yml | ansible-vault decrypt
Vault password: !@#$%^&*
Decryption successful
pWm_@dm!N_!23                                                                                                         

Now, I am able to crack those ansible hash strings with ansible-vault.