Try Hack Me: Brute It

This room is super easy and it is perfect for beginners who want to try pentesting/hacking.

The skills/tools to be tested and needed to solve this room are: NMAP, Fuzzing/Enumeration, SSH, Brute Forcing, Hash Cracking, and Privilege Escalation.

This room was released on 11/06/2020 and it is rated easy in difficulty. Shout-out to the room creator, @reddyyz. You can access the room at https://tryhackme.com/room/bruteit.

I was assigned a target IP address of 10.10.184.109. You will be assigned a different IP address, so double check your entries when following this walk-through.

The requirements to complete this room are:

  • How many ports are open?
    • *
  • What version of SSH is running?
    • O****** *.**1
  • What version of Apache is running?
    • 2.*.**
  • Which Linux distribution is running?
    • U*****
  • What is the hidden directory?
    • /*****
  • What is the user:password of the admin panel?
    • a****:x*****
  • What is John’s RSA private key passphrase?
    • r*********
  • User.txt
    • THM{a*************************r}
  • Web flag
    • THM{b*****************y}
  • What is root’s password?
    • f*******
  • Root.txt
    • THM{p******************n}

Steps:

  1. Scan the target using nmap. Type nmap -sC -sV -oA nmap/startup 10.10.184.109
  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -oA – to save the results of the scan to a files named startup and saved in three different formats (normal, XML, and grepable)
Nmap scan result
  • We found answers to the following:
  • How many ports are open?
    • *
  • What version of SSH is running?
    • O****** *.**1
  • What version of Apache is running?
    • 2.*.**
  • Which Linux distribution is running?
    • U*****

2. Web service is open with port 80, so let’s check by opening a web browser and type the IP address in the url bar. Type 10.10.184.109

Webpage

***There is nothing in the page source, so let’s go ahead and enumerate the web service

3. Enumerate the web service using gobuster. Type gobuster dir -u 10.10.184.109 -w /usr/share/wordlists/dirb/common.txt | tee gobuster

  • dir – to use directory/file brute-forcing mode
  • -u – is the flag to tell gobuster that we are scanning a URL
  • -w – is the flag to set the list of possible directory and file names
  • -tee – is to direct the result as an output
GoBuster scan result
  • We found the answer to what is the hidden directory?
    • /*****

4. Visit the hidden directory found above by opening a web browser and type 10.10.184.109/*****

Admin portal

5. Check the page source code by right-clicking a blank part of the webpage and choose View Page Source

The page’s source code

***We can see a cleartext password that we can use to login to the admin portal

6. Now that we have a username, we have to bruteforce the password by using Hydra. But first we have to use Burpsuite to capture the our client’s HTTP request and the server’s response. Open Burpsuite and try to login to the portal so Burpsuite will capture the interaction. And see the information we need to setup Hydra

7. Use Hydra to brute force the password. Type hydra -l ***** -P /usr/share/wordlists/rockyou.txt 10.10.184.109 http-post-form “/*****/index.php:user=^USER^&pass=^PASS^:F=Username or password invalid”

  • -l – use the lowercase letter L if you have a username
  • -P – use the uppercase letter P if you dont’ have a password and you are using a list
  • http-post-form – is to declare that the page is using a POST request
  • ^USER^ – this is where hydra enters the username to login
  • ^PASS^ – this is where hydra enters the password to login
  • F – is the error message when the login fails so Hydra knows to try a different credentials
Hydra brute force result
  • We found the answer to what is the user:password of the admin panel?
    • a****:x*****

8. Login to the admin panel

Logged in to the admin panel
  • We found the answer to web flag
    • THM{b*****************y}

9. Click the link to view John’s RSA private key. Then copy and paste it and save it on your attack machine

John’s RSA private key
Saved private key on my attack machine. Named the file john_rsa

10. Let’s convert this private key into a hashed form so John the Ripper will be able to unhash the passphrase by using ssh2john. To convert to hashed form, type python /usr/share/john/ssh2john.py john_rsa > brute.txt

Hashed form of the private key

11. Let’s crack the hash by using John again. Type /usr/sbin/john –wordlist=/usr/share/wordlists/rockyou.txt brute.txt

Found the passphrase
  • We found the answer to what is John’s RSA private key passphrase?
    • r*********

12. SSH to the server by using the passphrase we found above. Type ssh -i john_rsa john@10.10.184.109 and then type the passphrase we found in step 11

We are logged in to the server

13. Look for the user.txt by typing find / -type f -name user.txt 2> /dev/null and then use cat to read the file user.txt

User flag
  • We found the answer to user.txt
    • THM{a*************************r}

14. To check if our current user has any sudo privileges, type sudo -l

We can run the “cat” command with root permission

15. To read the root.txt, type sudo cat /root/root.txt

Root flag
  • We found the answer to root.txt
    • THM{p******************n}

16. Since we have root privilege to the cat command, let’s check the /etc/shadow file and see if we can get the hashed password of the user root. Type sudo cat /etc/shadow

17. Copy the entire line from “root” all the way to the “:::” and paste it to a txt file in your attack machine. Crack the root’s hashed password using John. Type john rootpw.txt

Hope you had fun with this room and write-up Pleas subscribe to my blog to get notified when I upload new contents.

Happy hacking!

Published by lightkunyagami

https://tryhackme.com/badge/18276

Join the Conversation

2 Comments

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: