TryHackMe: Brute It Write-Up

Avinash Nagar
4 min read · Dec 4, 2020

Box Link: https://tryhackme.com/room/bruteit
About the box: Learn how to brute force, crack hashes and escalate privileges in this box!

The very first thing that we do after booting the box is port scanning. For port scanning, we will be using nmap.

nmap -sVC -oN <file-name> <Box-IP>

  • -sV: Probe open ports to determine service/version info.
  • -sC: This runs the default scripts over the ports.
  • -oN: Output scan in normal text format in the given file name.
[Screenshot: nmap output]

The scan shows 2 open ports, SSH and HTTP, and port 80 serves the default web page. Next, enumerate the box further with directory fuzzing. Several tools can do this (dirb, dirbuster, gobuster, etc.); we will use gobuster for now. Use the following command:

gobuster dir -w <wordlist path> -u <Box-IP>

[Screenshot: gobuster scan]

While doing directory fuzzing, we got a directory called admin. Let's check what we have got there.

It's a login page. While checking the source code, we found something.

We have the username now. For brute forcing the password we will be using a tool called Hydra. Burp Suite can also be used for this, but the Community edition is too slow for it.

Use the following command for brute forcing the password:
hydra -l admin -P /usr/share/wordlists/rockyou.txt <Box-IP> http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid" -V

  • -l admin: This specifies the username.
  • -P /usr/share/wordlists/rockyou.txt: This is the path to the wordlist that we will use for password cracking.
  • <Box-IP>: Target IP.
  • http-post-form: The attack module. We will be attacking an HTTP form submitted by POST.
  • F=Username or password invalid: The failure string. This is the response we receive from the website when we can't log in, so Hydra treats any response containing it as a failed attempt.
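From the defender's side, the Hydra run above leaves an obvious trace in the web server's access log: a burst of POSTs to /admin/index.php from one client, and because the login page answers a failed attempt with HTTP 200, the status code alone does not reveal it. The following is an added example, not part of the original write-up, that parses constructed Apache combined-log lines and flags any client whose POST rate to the login form exceeds a threshold; the log lines, IPs, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not captured from the room): one
# client hammers the login form, another client logs in once.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2020:10:15:01 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [04/Dec/2020:10:15:01 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [04/Dec/2020:10:15:02 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [04/Dec/2020:10:15:02 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [04/Dec/2020:10:15:03 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
10.0.0.9 - - [04/Dec/2020:10:20:30 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [04/Dec/2020:10:15:03 +0000] "POST /admin/index.php HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (Hydra)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_login_bruteforce(log_text, path="/admin/index.php",
                            threshold=5, window=timedelta(seconds=60)):
    """Map each client IP to its peak POST count to `path` within any `window`,
    keeping only clients at or above `threshold` (the assumed alert level)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()                      # log lines need not be in order
        start = peak = 0
        for end, t in enumerate(times):   # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Counting the rate of form submissions rather than matching on the User-Agent keeps the check useful when the client string is changed; on a real server the same logic feeds a fail2ban-style block or an alert.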

Log in using the found details. We will be landing on the following page.

We got the web flag and the RSA private key for the user john. Download the key to your local machine. Since the key is password-protected, we have to crack that password. For this we will be using the well-known cracking tool John the Ripper. But first convert the key to a format that John understands. Use the following command:
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash

Now that the format has been converted, let's crack the password. Use the following command for cracking:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

Now we have the password for the id_rsa file. Before logging in, restrict the file permissions with chmod 400 id_rsa, since ssh refuses to use a private key that other users can read.

Since the SSH service is running on the machine, we can log in using the obtained id_rsa.

ssh john@<Box-IP> -i id_rsa

Now that we are in the box, let's check the files that we have. On doing ls we got a file named user.txt; read that file to get the user flag.

For privilege escalation, let's check whether we have any sudo permissions. Looks like we do have something for us: the user john can run /bin/cat as sudo.

Since cat reads file contents, we can read /etc/shadow, which contains the password hashes.

Copy these hashes to your local machine and crack them using John. Use the cracked root password to log in as root and get the root flag.

The root flag can also be obtained directly with the command sudo /bin/cat /root/root.txt. But since the task asks for the root password as well, we cracked that first, then logged in as root and then obtained the root flag.

Successfully completed the room.
