Password Cracking Basics 1.3 Practice - Challenge Exercise

Hello I need some Guidance on this lab. I feel like I keep running into a brick wall. I’ve been trying this for weeks now. And this feels like its missing information. Here is the instructions:

Here’s the deal – you’re a pro now, and word is getting around about your performance in that last section. So much so that you have a new client.

Your client maintains a website at psybrary where your team has conducted some initial recon and discovered a serious misconfiguration: the .htpasswd file is accessible through the website! This file contains usernames and password hashes for enforcing HTTP Basic Authentication – the simplest technique for restricting access to web resources. The .htpasswd file should never be available in the URL space… tsk tsk.

Your team has provided the URL to the exposed .htpasswd file: psybrary and they expect you’ll be able to take care of the rest. Good thing you’ve brought your Notes for reference. Give them a quick review, then begin your Mission!

Notes
https://hashcat.net/wiki/doku.php?id=example_hashes
hashid -m -e
cewl -w custom.txt https://site-to-scrape
hashcat --stdout -r wordlist.txt | uniq -u >> new_wordlist.txt
Hashcat -a # -m # [wordlist or mask]

Mission
Perform a dictionary attack to crack the user password hash in the .htpasswd file.

Tip - There’s a website linked from the Inspirations page that would be great fodder for a custom wordlist…

Another Tip - Every good cracker mangles with /usr/share/hashcat/rules/best64.rule
Use your new credentials to access the Members Only area of the website.
Crack the passcode you discover in the Members Only area.

  • One Task asks for Helena’s password. I have searched almost everything that is attached to the Inspirations page or link, for the URL to use the Cewl Site scraper. Is it something Im missing. Please assist. Thank you.

To add to this the site is http://psybrary.com/.htpasswd