TryHackMe | Brute It
TryHackMe is an online platform for learning and teaching cyber security, all through your browser.
Task : About this box
Task : Reconnaissance
To gather information about ports perform nmap scan. I used the command: nmap -sSV -Pn MACHINE_IP
To perform directory search the tool called gobuster is used. I used he command: gobuster dir -u http://MACHINE_IP --wordlist /usr/share/wordlists/dirb/common.txt
Task : Getting a shell
Start with admin page. It is a simple login page.
Looking at the page source we got a comment line which is for user John that the username is admin.
We can use the famous password crack tool ‘Hydra’ to get the password with username admin. Command used: hydra -l admin -P rockyou.txt MACHINE_IP http-post-form “/admin/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid” -V
After few attempts we got the password which is the answer to question 1.
After successfully logging in we got a RSA key and answer to the question 4.
The following screenshot shows the RSA key:
Using command: wget http://MACHINE_IP/admin/panel/id_rsa we can get the RSA key in our local system.
ssh2john.py is used to convert the RSA key into text format. The command used is: /usr/share/john/ssh2john.py > idrsa.txt
Using the tool john the ripper we can perform brute force to crack the RSA key using the wordlist rockyou.txt
Command used: john idrsa.txt --wordlist=rockyou.txt this will give the RSA private key passphrase.
While information gathering we got to know that port 22 is open and ssh service is running. Using the RSA key and the passphrase we can try connecting to the ssh server.
Command used: ssh john@MACHINE_IP -i id_rsa
We got a shell on SSH as user name John. Take the user flag.
Task : Privilege Escalation
Using sudo -l we can check user privileges. We found that user john can run command /bin/cat as root.
Checking on GTFObins that if we can exploit /bin/cat or not. Yes /bin/cat can be exploited.
Following the steps given in GTFObins we can get access to the /etc/shadow which contains the system users and passwords.
Make a file named ‘hashes’ and copy the content of shadow file in hashes and using john to crack the hashes using rockyou.txt, we got the password of root.
Command used: john hashes --wordlist=rockyou.txt
Using su command to change the user to root. And yesssss….. We are root user now. Get the root flag.
Successfully completed the room :-)