This is a writeup of the TryHackMe room “John The Ripper” from the creator PoloMints.
Task 1: John who?
Task 1 is about what hashes are, what makes a hash secure and where hashing is used.
Answer: No answer needed.
Task 2: Setting up John the Ripper
Task 2 is about installing John the Ripper on the different distributions and operating systems.
Question: What is the most popular extended version of John the Ripper?
Answer: Jumbo John
Task 3: Wordlists
Task 3 is about wordlists: a dictionary attack on hashes needs a list of candidate words to try. In 2009 RockYou.com suffered a data breach that exposed over 32 million user accounts. RockYou stored all the account data, passwords included, in plain text in its database, so everything was exposed to the attackers; the leaked passwords became the rockyou.txt wordlist used throughout this room.
Answer: RockYou.com
Task 4: Cracking Basic Hashes
Task 4 shows how to crack basic hashes with John. It also introduces the basic John syntax:
john [options] [path to file]
Automatic cracking with a wordlist:
john --wordlist=[path to wordlist] [path to file]
Identifying hashes with a Python tool called hash-identifier (hash-id.py):
python3 hash-id.py
Format-specific cracking:
john --format=[format] --wordlist=[path to wordlist] [path to file]
For the practical we need to download “firsttaskhashes.zip” from this task and fetch the hash identifier (hash-id.py) with wget.
Question: What type of hash is hash1.txt?
First we unzip the archive, then cat hash1.txt and copy the hash.
Then we run the identifier with python3 hash-id.py and paste the hash in.
The identifier reports possible MD5 or MD4 (both produce 32 hex characters, so the length alone cannot separate them). Trying the first one, MD5, gives the right answer.
Answer: MD5
Question 2: What is the cracked value of hash1.txt?
We use:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt
and then, to print the cracked password from John's pot file:
john --show --format=raw-md5 hash1.txt
Answer: biscuit
Question 3: What type of hash is hash2.txt?
We follow the same procedure as for hash1.txt:
copy the contents of hash2.txt and identify the hash with hash-id.py.
This time the identifier reports SHA-1 (40 hex characters), so the John format is raw-sha1.
Answer: SHA1
Question: What is the cracked value of hash2.txt?
Answer: kangeroo
Question: What type of hash is hash3.txt?
The identifier reports SHA-256 or HAVAL-256; SHA-256 (raw-sha256) is the one that works.
Answer: SHA256
Question: What is the cracked value of hash3.txt?
Answer: microphone
Question: What type of hash is hash4.txt?
This time the identifier gives SHA-512 or Whirlpool. Both produce 128 hex characters, so the length cannot tell them apart and we try both: raw-sha512 does not crack it, whirlpool does, so Whirlpool is the correct answer.
Answer: Whirlpool
Question: What is the cracked value of hash4.txt?
As the hint says, for this one you don't put raw- in front of the format name: it is --format=whirlpool, not raw-whirlpool.
Answer: colossal
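As an added illustration of what the --format/--wordlist invocation above actually does (this is example code written for this page, not code from the room or from the writeup), here is a miniature dictionary attack in POSIX shell. It guesses the hash family from the hex length, which reproduces exactly the MD5/MD4 and SHA-512/Whirlpool ambiguity hash-id.py reports, then digests every word of a constructed wordlist until one matches. It assumes the coreutils md5sum, sha1sum, sha256sum and sha512sum are on PATH; the wordlist and the test hash (MD5 of "password") are constructed for the example, and Whirlpool is left out only because coreutils has no tool for it.

```shell
#!/bin/sh
# Added example: a shell re-implementation of
#   john --format=raw-<alg> --wordlist=<list> <hashfile>
# for unsalted hex digests. Not part of the room or the writeup.
# Assumes GNU coreutils md5sum/sha1sum/sha256sum/sha512sum on PATH.

# Guess candidate John formats from the hex length, the same heuristic
# hash-id.py uses. Lengths are ambiguous (MD5/MD4, SHA-512/Whirlpool),
# so every candidate still has to be tried, as the writeup does.
guess_format() {
    hash=$1
    if [ -n "$(printf '%s' "$hash" | tr -d '[:xdigit:]')" ]; then
        echo not-hex; return 1
    fi
    case ${#hash} in
        32)  echo "raw-md5 raw-md4" ;;
        40)  echo "raw-sha1" ;;
        64)  echo "raw-sha256" ;;
        128) echo "raw-sha512 whirlpool" ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Digest one candidate with the coreutils tool matching a John format name.
# printf '%s' is deliberate: echo would append a newline and change the hash.
digest() {
    fmt=$1; word=$2
    case $fmt in
        raw-md5)    tool=md5sum ;;
        raw-sha1)   tool=sha1sum ;;
        raw-sha256) tool=sha256sum ;;
        raw-sha512) tool=sha512sum ;;
        *) echo "digest: no tool for format $fmt" >&2; return 1 ;;
    esac
    printf '%s' "$word" | "$tool" | cut -d' ' -f1
}

# Try every word in the list against one hash; print the word on a hit,
# return 1 when the list is exhausted. Hash comparison is case-insensitive.
crack_hash() {
    fmt=$1; wordlist=$3
    target=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(digest "$fmt" "$word" 2>/dev/null)" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Walk the candidate formats for an unidentified hash, the way the writeup
# tries MD5 before MD4 and SHA-512 before Whirlpool. Prints format:word.
crack_unknown() {
    hash=$1; wordlist=$2
    for fmt in $(guess_format "$hash"); do
        if word=$(crack_hash "$fmt" "$hash" "$wordlist"); then
            printf '%s:%s\n' "$fmt" "$word"
            return 0
        fi
    done
    return 1
}

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST=$(mktemp)
cat > "$WORDLIST" <<'EOF'
123456
biscuit
kangeroo
microphone
colossal
password
EOF

# MD5("password") is a well-known test value; the room's own hashes are
# left for the reader to run through the same loop.
crack_unknown 5f4dcc3b5aa765d61d8327deb882cf99 "$WORDLIST"   # raw-md5:password
```

The printf '%s' without a trailing newline is the detail that matters: hashing "password\n" instead of "password" makes every guess miss, which is a classic reason a known-good wordlist fails to crack a hash that is in it.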
Task 5: Cracking Windows Authentication Hashes
This section is about cracking Windows authentication hashes, NTHash / NTLM (the NT hash is an unsalted MD4 over the UTF-16LE encoding of the password).
Question: What do we need to set the “format” flag to, in order to crack this?
Answer: NT
Question: What is the cracked value of this password?
We download the file from this section and proceed as in the last task, except that this time we already know the hash type and set --format=NT.
Answer: mushroom
Task 6: Cracking /etc/shadow Hashes
This section is about cracking /etc/shadow hashes and about unshadowing: the unshadow tool combines /etc/passwd and /etc/shadow into a single file John can work with, with unshadow [path to passwd] [path to shadow] > [output file].
Question: What is the root password?
We download the file from this section and run John against it with --format=sha512crypt (the $6$ prefix on the hash marks it as sha512crypt), together with the rockyou.txt wordlist.
Answer: 1234
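The following is an added example (not the room's or this writeup's code, and not the real unshadow binary) of what the unshadow step does and how to choose the --format from the hash itself: a minimal unshadow in awk that joins constructed /etc/passwd and /etc/shadow samples on the username, plus a helper that maps the crypt(3) $id$ prefix to the John format name. The hash fields in the sample shadow file are placeholders, not real crypt output.

```shell
#!/bin/sh
# Added example (not the room's or the writeup's own code): what `unshadow`
# does when it joins /etc/passwd with /etc/shadow, and how to read the hash
# type off the $id$ prefix so you pick the right --format.
# Both input files below are constructed samples; the hash fields are
# placeholders, not real crypt(3) output.

# Map the crypt(3) id prefix to the John format name it is cracked with.
crypt_format() {
    case $1 in
        '$1$'*)                  echo md5crypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '!'*|'*'*|'')            echo locked ;;   # no password set, nothing to crack
        *)                       echo unknown ;;
    esac
}

# Minimal unshadow: for each passwd line, replace the "x" password field with
# the hash found for the same username in shadow. Output lines are in the
# user:hash:uid:gid:gecos:home:shell layout John expects.
unshadow_files() {
    passwd=$1; shadow=$2
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }     # first file: shadow
        ($1 in hash) { $2 = hash[$1] }         # second file: passwd
        { print }
    ' "$shadow" "$passwd"
}

# Print only the users whose hash is actually crackable, with the format
# John needs for each, so locked or passwordless accounts are skipped.
crackable_users() {
    unshadow_files "$1" "$2" | while IFS=: read -r user hash rest; do
        fmt=$(crypt_format "$hash")
        case $fmt in locked|unknown) continue ;; esac
        printf '%s %s\n' "$user" "$fmt"
    done
}

# Constructed sample files.
PASSWD=$(mktemp); SHADOW=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SHADOW" <<'EOF'
root:$6$examplesalt$CONSTRUCTEDHASHVALUENOTREAL:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$abcdefgh$CONSTRUCTEDHASHVALUENOTREAL:19000:0:99999:7:::
EOF

crackable_users "$PASSWD" "$SHADOW"
# root sha512crypt
# alice md5crypt
```

Skipping the locked entries (* or !) is worth doing before a long run: John cannot crack them, and a real shadow file is mostly such service accounts.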
Task 7: Single Crack Mode
This section is about John's single crack mode. In this mode we don't need a wordlist: John builds its candidate passwords from the information in the hash file itself (the username, mangled by rules). We use the flags --single and --format, plus the path to the file.
Question: What is Joker’s password?
We download the hash from this section and first need to find out what kind of hash it is.
Once we know it's MD5, we also have to prefix the hash with the username, so the line in the file becomes joker:[hash]; single mode derives its guesses from that name.
Now we can crack it with john --single --format=raw-md5 [path to file].
Answer: Jok3r
Task 8: Custom Rules
In this section we learn about custom rules for John. John has its own documentation online listing the rule commands that can be applied; it can be found at https://www.openwall.com/john/doc/RULES.shtml.
A custom rule is defined in john.conf under a [List.Rules:PoloPassword] heading and is then used like this (--rule= is an accepted abbreviation of the full --rules= option):
john --wordlist=[path to wordlist] --rule=PoloPassword [path to file]
Question 1 : What do custom rules allow us to exploit?
Answer: Password complexity predictability
Question 2: What rule would we use to add all capital letters to the end of the word?
Here I had to use https://www.openwall.com/john/doc/RULES.shtml to read up on what the different commands do, and eventually I was able to find the right command.
Answer: Az"[A-Z]"
Question 3: What flag would we use to call a custom rule called “THMRules”?
It was mentioned earlier that we apply rules with --rule=, so all we have to do is put THMRules after it.
Answer: --rule=THMRules
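To make both single crack mode (Task 7) and the custom-rule syntax (Task 8) concrete, here is an added example that re-implements a handful of John's rule commands in POSIX shell: l, u, c, sXY, Az"..." and A0"...". It is example code written for this page, not the room's or this writeup's code and not John's own rule engine. The single_candidates function shows the kind of guesses single mode derives from a username such as Joker; rule_cAz_digit shows what the rule cAz"[0-9]" expands a word to. Character classes are expanded by a small lookup for [0-9], [a-z] and [A-Z], which is an assumption of this example rather than John's full class syntax.

```shell
#!/bin/sh
# Added example, not code from the room or the writeup: a few of John's rule
# commands re-implemented in shell so you can see which candidates a rule
# produces. Single crack mode feeds the username through rules like these;
# custom rules apply them to every wordlist entry. The real syntax is
# documented at https://www.openwall.com/john/doc/RULES.shtml.

rule_l() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }   # l: lowercase
rule_u() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }   # u: uppercase
rule_c() {                                                        # c: capitalize
    first=$(printf '%s' "$1" | cut -c1 | tr '[:lower:]' '[:upper:]')
    rest=$(printf '%s' "$1" | cut -c2- | tr '[:upper:]' '[:lower:]')
    printf '%s%s\n' "$first" "$rest"
}
rule_s() { printf '%s\n' "$1" | sed "s/$2/$3/g"; }               # sXY: replace X with Y

# Expand the character class used inside Az"..." / A0"..." into a word list.
# Only three ranges are known here (an assumption of this example); anything
# else is treated as a literal list of characters such as "!@".
class_chars() {
    case $1 in
        '[0-9]') echo 0 1 2 3 4 5 6 7 8 9 ;;
        '[a-z]') echo a b c d e f g h i j k l m n o p q r s t u v w x y z ;;
        '[A-Z]') echo A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ;;
        *)       printf '%s' "$1" | sed 's/./& /g' ;;
    esac
}
rule_Az() { for ch in $(class_chars "$2"); do printf '%s%s\n' "$1" "$ch"; done; }  # append
rule_A0() { for ch in $(class_chars "$2"); do printf '%s%s\n' "$ch" "$1"; done; }  # prepend

# The rule cAz"[0-9]": capitalize, then append one digit (10 candidates).
rule_cAz_digit() { rule_Az "$(rule_c "$1")" '[0-9]'; }

# Single-mode style guesses derived from a username: case variants, one
# leetspeak substitution at a time, and a trailing digit.
single_candidates() {
    name=$1
    rule_l "$name"; rule_u "$name"; rule_c "$name"
    for pair in a4 e3 i1 o0 s5; do
        rule_s "$(rule_c "$name")" \
               "$(printf '%s' "$pair" | cut -c1)" "$(printf '%s' "$pair" | cut -c2)"
    done
    rule_Az "$(rule_c "$name")" '[0-9]'
}

single_candidates Joker | sort -u      # includes Jok3r, J0ker, Joker7, JOKER ...
```

Even this toy version explains the "password complexity predictability" answer above: a policy that demands one capital and one digit is satisfied by exactly the candidates rule_cAz_digit prints, so the policy shrinks the search rather than enlarging it.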
Task 9: Cracking Password Protected RAR Archives
In this section we learn about cracking password-protected RAR archives.
rar2john ships with John. All you need to do is find where it is installed (for example with locate rar2john) and copy it to your working directory.
Note: the location may differ from machine to machine.
Question 1: What is the password for the secure.rar file?
First we need to turn secure.rar into a hash file: run rar2john against secure.rar and redirect its output to a file.
Then we crack that hash with the rockyou wordlist and get the password.
If you don't have unrar, install it with:
sudo apt install unrar
Then run unrar e secure.rar, enter the cracked password, and it will extract the file.
Task 10: Cracking SSH Keys with John
This section is about cracking the passphrase of an SSH private key with John. The principle is the same as in the last section: locate ssh2john (ssh2john.py) and copy it to your folder. It is written in Python, so you run it with python3, redirecting the output to a hash file.
Question 1: What is the SSH private key password?
Now we use the same wordlist as before to crack the resulting hash and get the passphrase.
Answer: mango
Task 11: Further reading
No questions
Task 12: Cracking Password Protected Zip Files
This section was probably meant to come before Task 9, but it follows the same concept: cracking password-protected zip files with zip2john.
Locate zip2john, copy it to your directory and run it against the file downloaded from this task, redirecting the output to a hash file.
Question: What is the password for the secure.zip file?
Now we use John with the rockyou wordlist to crack the hash.
The cracked password can then be shown with john --show [path to file].
Answer: pass123
Question 2: What is the contents of the flag inside the zip file?
We can now unzip the file with unzip secure.zip, enter the cracked password when prompted, and read the flag.
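Both zip2john/rar2john (Task 9 and this task) and ssh2john (Task 10) assume their input is actually password-protected. As an added example (written for this page, not code from the room or this writeup) here is a POSIX shell pre-check for that. For a zip it reads bit 0 of the general-purpose flag and the compression method of the first local file header, which also tells you whether zip2john will emit a hash for John's pkzip format (traditional ZipCrypto) or its zip format (WinZip AES); for an SSH key it reads the Proc-Type/DEK-Info headers of a PEM key or the cipher and KDF names at the start of an OpenSSH-format key. The sample files are constructed header fragments built inline, not real archives or keys, and the code assumes od, sed, tr, grep and base64 -d are available.

```shell
#!/bin/sh
# Added example, not code from the room or the writeup: confirm an archive or
# key is really password-protected (and how) before running zip2john/ssh2john.
# Assumes POSIX od/sed/tr/grep plus `base64 -d` (GNU coreutils or busybox).
# Every sample file below is a constructed header fragment, not a real
# archive or key.

# ZIP: in the local file header (signature "PK\3\4"), bit 0 of the 16-bit
# general-purpose flag at offset 6 marks an encrypted entry, and compression
# method 99 at offset 8 marks WinZip AES; any other encrypted entry is
# traditional ZipCrypto.
zip_protection() {
    f=$1
    [ "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" = 504b0304 ] || { echo not-a-zip; return 1; }
    set -- $(od -An -tu1 -j6 -N4 "$f")    # flag lo, flag hi, method lo, method hi
    flags=$(( $1 + $2 * 256 )); method=$(( $3 + $4 * 256 ))
    if   [ $(( flags & 1 )) -eq 0 ]; then echo none        # nothing to crack
    elif [ "$method" -eq 99 ];       then echo aes         # zip2john -> --format=zip
    else                                  echo zipcrypto   # zip2john -> --format=pkzip
    fi
}

# SSH key: a PEM key announces encryption with "Proc-Type: 4,ENCRYPTED" and
# names the cipher in DEK-Info; an OpenSSH-format key stores the cipher and
# KDF as length-prefixed strings right after "openssh-key-v1\0" in the base64
# body ("none"/"none" without a passphrase, "aes256-ctr"/"bcrypt" with one).
ssh_key_protection() {
    f=$1
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        words=$(sed -n '/^-----BEGIN/,/^-----END/{/^-----/d;p;}' "$f" \
                | tr -d '\n' | base64 -d 2>/dev/null | head -c 64 | tr -c 'a-z0-9' ' ')
        case $words in
            *bcrypt*) echo bcrypt ;;      # passphrase set: worth running ssh2john
            *none*)   echo none ;;
            *)        echo unknown ;;
        esac
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$f"    # e.g. AES-128-CBC
    elif grep -q 'PRIVATE KEY' "$f"; then
        echo none
    else
        echo not-a-key; return 1
    fi
}

TMP=$(mktemp -d)

# Constructed 10-byte local-file-header prefixes: signature, version 20,
# flags (2 bytes), method (2 bytes), all little-endian.
printf 'PK\003\004\024\000\000\000\010\000' > "$TMP/plain.zip"      # flags 0, deflate
printf 'PK\003\004\024\000\001\000\010\000' > "$TMP/zipcrypto.zip"  # flags 1, deflate
printf 'PK\003\004\024\000\001\000\143\000' > "$TMP/aes.zip"        # flags 1, method 99

# Constructed OpenSSH-format headers: magic, then u32-length-prefixed cipher
# and KDF names, base64-encoded between the usual armour lines.
u32() { printf "\\000\\000\\000\\$(printf '%03o' "$1")"; }   # big-endian u32, n < 256
ossh_key() {   # $1 = output file, $2 = cipher name, $3 = kdf name
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\000'; u32 ${#2}; printf '%s' "$2"
          u32 ${#3}; printf '%s' "$3"; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}
ossh_key "$TMP/enc_id_ed25519"   aes256-ctr bcrypt
ossh_key "$TMP/plain_id_ed25519" none       none

# Constructed PEM header; the DEK-Info IV is a dummy value.
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
    '-----END RSA PRIVATE KEY-----' > "$TMP/pem_id_rsa"

for f in plain.zip zipcrypto.zip aes.zip; do
    printf '%s: %s\n' "$f" "$(zip_protection "$TMP/$f")"
done
for f in enc_id_ed25519 plain_id_ed25519 pem_id_rsa; do
    printf '%s: %s\n' "$f" "$(ssh_key_protection "$TMP/$f")"
done
```

A key that reports none needs no cracking at all, it can be used as-is with ssh -i; and an archive that reports aes will not crack with --format=pkzip no matter how good the wordlist is, which is the first thing to check when John reports no hashes loaded.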
We are now finished.
Thanks for following and reading my writeup.
This room is beginner-friendly and helps newcomers get familiar with John the Ripper, which is quite useful for cracking hashes.
Written by Robertz25