Password Cracking Basics 1.3 Practice - Challenge Exercise

Hello, I need some guidance on this lab. I feel like I keep running into a brick wall. I’ve been trying this for weeks now, and this feels like it’s missing information. Here are the instructions:

Here’s the deal – you’re a pro now, and word is getting around about your performance in that last section. So much so that you have a new client.

Your client maintains a website at psybrary where your team has conducted some initial recon and discovered a serious misconfiguration: the .htpasswd file is accessible through the website! This file contains usernames and password hashes for enforcing HTTP Basic Authentication – the simplest technique for restricting access to web resources. The .htpasswd file should never be available in the URL space… tsk tsk.

Your team has provided the URL to the exposed .htpasswd file: psybrary and they expect you’ll be able to take care of the rest. Good thing you’ve brought your Notes for reference. Give them a quick review, then begin your Mission!

Notes
https://hashcat.net/wiki/doku.php?id=example_hashes
hashid -m -e
cewl -w custom.txt https://site-to-scrape
hashcat --stdout -r wordlist.txt | uniq -u >> new_wordlist.txt
hashcat -a # -m # [wordlist or mask]

Mission
Perform a dictionary attack to crack the user password hash in the .htpasswd file.

Tip - There’s a website linked from the Inspirations page that would be great fodder for a custom wordlist…

Another Tip - Every good cracker mangles with /usr/share/hashcat/rules/best64.rule

Use your new credentials to access the Members Only area of the website.
Crack the passcode you discover in the Members Only area.

One task asks for Helena’s password. I have searched almost everything that is attached to the Inspirations page or link for the URL to use with the CeWL site scraper. Is it something I’m missing? Please assist. Thank you.

To add to this, the site is http://psybrary.com/.htpasswd.
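An added example (not part of the original thread or the lab material): a defender-side audit of the misconfiguration the lab describes, checking whether a .htpasswd file is stored beneath the document root and which hash format each entry uses. The paths, sample entries and strength ratings are assumptions made for this illustration.

```python
import re
from pathlib import PurePosixPath

# Hash formats Apache accepts in .htpasswd; ratings are this example's own.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1 (iterated MD5)", "legacy"),
    (re.compile(r"^\{SHA\}"), "unsalted SHA-1", "insecure"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional crypt", "insecure"),
]

def in_url_space(htpasswd_path, docroot):
    """Lexical check: is the credential file stored beneath the document root?"""
    return PurePosixPath(docroot) in PurePosixPath(htpasswd_path).parents

def audit_htpasswd(text):
    """Return (line number, user, scheme, rating) for every entry in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and blank lines
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user:
            findings.append((lineno, None, "malformed", "review"))
            continue
        for pattern, name, rating in SCHEMES:
            if pattern.match(hashed):
                findings.append((lineno, user, name, rating))
                break
        else:
            findings.append((lineno, user, "unrecognised, possibly plaintext", "insecure"))
    return findings

# Constructed sample: filler characters in place of real hashes.
SAMPLE = "\n".join([
    "# members area",
    "alice:$2y$10$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "x" * 22,
    "carol:{SHA}" + "A" * 27 + "=",
    "dave:ab" + "." * 11,
    "broken line without separator",
])

if __name__ == "__main__":
    # Hypothetical paths: the first layout is the one the lab describes.
    for path in ("/var/www/html/.htpasswd", "/etc/apache2/.htpasswd"):
        print(path, "in URL space:", in_url_space(path, "/var/www/html"))
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```

The path check is purely lexical and does not follow symlinks or aliases, so a server-level rule denying requests for `.ht*` files is still the control that matters.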

I am having difficulty getting thru this lab too! What’s baffling me is the “Tip” that says there’s a website linked from the “Inspirations” page that would be great fodder for a custom wordlist. I’ve taken dozens of labs, and this is the first I’ve ever heard of an Inspirations page. Where is it? How can you scrape a site for some possible fodder for a wordlist if you don’t have the address for the site?

Did you visit the psybrary.com website referenced in the instructions? It’s a (fictional) website that’s hosted internally within this lab environment as part of the scenario for this challenge.

If you navigate to that website, you should see a page titled Our Inspirations.

2 Likes

I totally overlooked checking out the psybrary.com website (feel like a dummy). Thanks a lot for your help - much appreciated.

1 Like

Also wanted to say thanks for the email too - alerting me to check out the website. I feel confident that I will be able to complete the challenge now (thanks to the extra help you gave). I’m really enjoying my experience on Cybrary - I will definitely recommend to anyone pursuing a career in security.

3 Likes

Thanks! Glad to hear it!

Thank you for your assistance. I was able to figure out the lab. I overlooked that website and I added more URLs to scrape. Made more work for myself.

2 Likes

Hello, I am new with you and I want to learn hacking. Is there any way for me to learn it and apply it from a phone only?

Hey there! You should be able to work through most of our Courses with just a phone, as well as the Core Concepts lessons in any of the Virtual Labs, but for the hands-on portions of the labs, you’ll need a laptop or desktop computer - just as you would if you were involved in a real ethical hacking engagement.