Wordlist:

salesmanoftheyear3

password123

bearsbeetsbattlestargalactica

[email protected]

beatsarethebest

bearsbeets

 

 

1. Login to the server.

 

2. Find the hidden file in your home directory. Follow the directions.

Divider Line

*****NOTES****

  • You will be using 2 tools to complete this challenge, Hydra and Hashcat. Both are available for Linux, Windows and MacOS
  • HYDRA
    • You will use Hydra with the username “dwight.schrute” to attempt  a login to the server via SSH. You will need to build a wordlist (a simple text file) with the wordlist above.
    • EXAMPLE COMMAND:
      • sudo hydra -l “username” -P mywordlist.txt *serveripaddress* ssh
  • HASHCAT
    • You will need 2 files for hashcat.
      • WORDLIST
        • Just like Hydra, you will need to build a wordlist. This wordlist can be found on the server 50.116.24.84, but you’ll need to hack into it first using Hydra (the previous step)
      • HASHES FILE
        • You won’t find passwords in plain text stored on a server. Instead, the server will HASH these passwords, or put it through a crazy mathematical algorithm, and turn it into what looks like gibberish. That is our hash.
        • I’ve provided a single HASH in a file on the server 50.116.24.84. You’ll need to create a simple text file containing this hash. 
        • Using the wordlist, you’ll use hashcat to put each password through the hashing process to see if it matches the provided hash, until you find a match. (and, you will, if you do it right)
    • EXAMPLE command
      • sudo hashcat -a 0 -m 1800 -o mycrackedpassword.txt myhashfile.txt mywordlist.txt