There are times we need to navigate around the contents of our P4wnP1. This could be to update a wordlist, enable or disable a payload, or view a hash that was captured from a target machine so we can crack it outside of the P4wnP1 using something like hashcat. Here’s how we do it:

When we launch SSH we should see a screen like this:

We want to see what files or folders are in the directory our shell spawned us in, so we use the “ls” command to list the files and folders.

We see that there is a directory called P4wnP1. We know it’s a directory because it is blue. We now want to change our current location to that directory. We do this by using the “cd” command, which you can see used above.

Now we should be in the P4wnP1 directory, and we want to see what files and folders we have here. Again we’ll type the “ls” command.

There are some files and directories in here worth noting.

Let’s look at how to edit our setup.cfg file to TURN OFF our LockPicker payload.

nano setup.cfg

We see a lot of “#” symbols. These symbols act as a “comment” for the line, and anything after the # is ignored when the script is being read. If we use our down arrow key we can move our way down toward the bottom to a section called:

# =====================
# Payload selection
# =====================

Below this we see a bunch of payload scripts. We can see that “PAYLOAD=network_only.txt” does not have a # before it. This means that this payload is ENABLED. You’ll also see that the payload “PAYLOAD=Win10_LockPicker.txt” also does not have a # in front of it. This means it too is ENABLED. If we want to disable it, we simply put a # in front of it and save our file by hitting ^O then Enter, then ^X to exit our text editor, nano.
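If we would rather check or change this from the shell instead of scrolling through nano, the same edit can be scripted. This is an added example, not part of the original post or of P4wnP1 itself: the function names and the sample file are made up for illustration, and the demo runs against a constructed copy rather than the real setup.cfg.

```shell
#!/bin/sh
# Added example: helper names and sample file are hypothetical, not part of P4wnP1.

# Write a constructed sample that mimics the "Payload selection" section.
make_sample_cfg() {
    cat > "$1" <<'EOF'
# =====================
# Payload selection
# =====================
PAYLOAD=network_only.txt
#PAYLOAD=example_payload.txt
PAYLOAD=Win10_LockPicker.txt
EOF
}

# Print every payload whose PAYLOAD= line has no "#" in front of it.
enabled_payloads() {
    awk '{ line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t#]/) }
         index(f[1], "PAYLOAD=") == 1 { print substr(f[1], 9) }' "$1"
}

# Put a "#" in front of the PAYLOAD= line for one payload.
# The file as it was before the edit is kept next to it as <file>.bak.
disable_payload() {
    cfg=$1; name=$2
    cp "$cfg" "$cfg.bak" || return 1
    awk -v want="PAYLOAD=$name" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t#]/) }
        f[1] == want { print "#" $0; next }   # exact match only, already-commented lines are skipped
        { print }' "$cfg.bak" > "$cfg"
}

# Demo on the constructed sample, never on the real file.
demo() {
    tmp=$(mktemp) || return 1
    make_sample_cfg "$tmp"
    disable_payload "$tmp" Win10_LockPicker.txt
    enabled_payloads "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

To use it on the device, we would call disable_payload with the path to setup.cfg and then run enabled_payloads on the same file to confirm the result.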
