Brute It: TryHackMe Writeup

Aman Chauhan
4 min read · Mar 17, 2022
fig-1.0

Hi,

This post is about the Brute It room on TryHackMe.com. The room is free, so anyone can join it. It is a simple, beginner-level CTF, based mostly on cracking hashes.

Description: A guide to complete Brute It CTF on tryhackme.

Task 1: About this box

In this box you will learn about:

  • Brute-force
  • Hash cracking
  • Privilege escalation

Task 1.1: Deploy the machine

No answer needed

Let's start the machine and grab its IP address, shown in fig 2.0:

fig-2.0

Task 2: Reconnaissance

Let's run an Nmap scan against the target machine to gather information about it, shown in fig 3.0:

fig- 3.0

Task 2.1: Search for open ports using nmap. How many ports are open?

2

Task 2.2: What version of SSH is running?

OpenSSH 7.6p1

Task 2.3: What version of Apache is running?

2.4.29

Task 2.4: Which Linux distribution is running?

Ubuntu

Port 80 is open on the machine, so let's take a look at it in our browser, shown in fig 4.0:

fig- 4.0

It is serving the Apache default page, so let's check whether the site has any hidden directories. We will do this with the Gobuster tool, shown in fig 5.0:

fig- 5.0

Task 2.5: Search for hidden directories on web server. What is the hidden directory?

/admin

Let's look at that page; it is a login page, shown in fig 6.0:

fig 6.0

Now let's look at the page's source code, which reveals the username: admin (fig 7.0):

fig- 7.0

Let's find the password with a brute-force attack using the rockyou.txt wordlist and the Hydra tool, with the following command (fig 8.0):

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt [Machine IP] http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:Username or password invalid" -f

fig- 8.0

We got the password.
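From the defender's side, the brute-force step above leaves a recognisable trail in the Apache access log: many POSTs to /admin/index.php from one client within a short time. The following Python detection is an added example, not part of the original writeup: it parses combined-format access-log lines (the sample lines are constructed here), flags clients that exceed an assumed rate threshold in a sliding window, and adds a secondary check for Hydra's default User-Agent tag.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined log format (timestamp like "17/Mar/2022:10:15:01 +0000")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATH = "/admin/index.php"     # the login form found in this room
WINDOW_SECONDS, THRESHOLD = 60, 10  # assumed policy: alert above 10 POSTs per client per minute

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"], "ua": m["ua"]}

def detect_form_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: peak} for clients whose POSTs to LOGIN_PATH exceed `threshold`
    within any sliding window of `window` seconds (peak = most POSTs in one window)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1          # slide the window forward past old requests
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = peak
    return alerts

def hydra_user_agents(lines):
    """Clients sending Hydra's default User-Agent tag (easily spoofed, so a weak signal)."""
    return {r["ip"] for r in filter(None, map(parse_line, lines)) if "Hydra" in r["ua"]}

# Constructed sample log: 12 POSTs in 22 seconds from one client, normal traffic from another
SAMPLE_LOG = [f'10.10.14.5 - - [17/Mar/2022:10:15:{s:02d} +0000] "POST /admin/index.php HTTP/1.1" '
              f'200 1289 "-" "Mozilla/5.0 (Hydra)"' for s in range(0, 24, 2)]
SAMPLE_LOG += [
    '10.10.14.9 - - [17/Mar/2022:10:15:03 +0000] "GET /admin/ HTTP/1.1" 200 1289 "-" "Mozilla/5.0 (X11)"',
    '10.10.14.9 - - [17/Mar/2022:10:15:40 +0000] "POST /admin/index.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0 (X11)"',
]
```

Because the login form answers every attempt with HTTP 200, the status code alone cannot separate failures from successes; the request rate is what gives the attempt away.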

Task 3: Getting a shell

Task 3.1: What is the user:password of the admin panel?

admin:xavier

Now let's log in with the username and password we found and see what we get: a web flag and an RSA private key, shown in fig 9.0:

fig- 9.0

Now that we have the RSA key we can use it to log in over SSH, but first we have to crack its passphrase. We do this with John the Ripper, using the following commands (shown in fig 10.0 and 11.0):

$ cd /usr/share/john

$ python ssh2john.py rsa_key > rsa_hash

$ john rsa_hash --wordlist=/usr/share/wordlists/rockyou.txt

fig- 10.0
fig- 11.0

We got the RSA passphrase, so now we can log in to SSH using the RSA key.

Task 3.2: What is John’s RSA Private Key passphrase?

rockinroll

Now let's log in to that SSH account with the following commands (fig 12.0):

$ chmod 600 rsa_key

$ ssh -i rsa_key john@[Machine IP]

fig 12.0

Now we are in, and we find user.txt (fig 13.0):

fig- 13.0

Task 3.3: user.txt

THM{a_password_is_not_a_barrier}

Task 4: Privilege Escalation

Now let's see how we can get root.txt. Run the following command (shown in fig 14.0):

$ sudo -l

fig- 14.0

In this picture we can see that we can run the cat command as root without a password, so let's read the /etc/shadow file, which contains all the password hashes. We need the root password hash, and we can read it with the following command (fig 15.0):

$ sudo cat /etc/shadow

fig 15.0

$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.

We got the root password hash. Let's crack it with John: first save the hash in a file named root_hash, then crack it with the following command (fig 15.0):

$ john root_hash --wordlist=/usr/share/wordlists/rockyou.txt

We got the root password:

Task 4.1: What is the root’s password?

football

Let's read root.txt and get the root flag with the following commands (fig 16.0):

$ su

# cat /root/root.txt

fig- 16.0

Task 4.2: root.txt

THM{pr1v1l3g3_3sc4l4t10n}

Awesome! We solved the Brute It room. Thanks for being here and reading this post.

See you in another article.
