Tuesday, December 17, 2019

Cracking Couchbase Admin Password

First, find config.dat on the server. In config.dat, find the string "plain", e.g.

h m\0\0\0 plainm\0\0\00bl/nSj6e7vZS5KQqHmoTER7Z4cgTcDSL5vZTeaaFEAqCpxpLh m

take 0'b...'h - lose the initial '0' and the trailing 'h' - and base64 decode, then ASCII hex encode to get

6e5fe74a3e9eeef652e4a42a1e6a13111ed9e1c81370348be6f65379a685100a82a71a4b

salt is first 16 bytes , hmac result is next 20 bytes

salt 6e5fe74a3e9eeef652e4a42a1e6a1311
hmac 1ed9e1c81370348be6f65379a685100a82a71a4b

For hashcat construct as

hmac:salt, so like this for my example:

1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311

Then crack with hashcat mode 160 and --hex-salt :

hashcat64.exe -m 160 ..\salt-n-mac.txt ..\dict\Top32Million-probable.txt -w3 --hex-salt -O  -r rules\InsidePro-PasswordsPro.rule

..

1ed9e1c81370348be6f65379a685100a82a71a4b:6e5fe74a3e9eeef652e4a42a1e6a1311:password


How did we get here?


I should point out this comes from much trial and error and reading the erlang source code. If I could read erlang better, I would probably have taken less time to get there.


No comments:

Post a Comment