aldern00b

Brute It - THM

In this box you will learn about:

- Brute-force

- Hash cracking

- Privilege escalation

Connect to the TryHackMe network, and deploy the machine.

Enumerate

How many ports are open? 2
What version of SSH is running? OpenSSH 7.6p1
What version of Apache is running? 2.4.29
Which Linux distribution is running? Ubuntu

Next we'll check for hidden directories with gobuster.

What is the hidden directory? /admin

Always a good idea to check the source code.

We also want to make sure we enumerate fully, so we're going to run gobuster again, this time telling it to look inside the admin directory too.

For the next part, we need to brute-force the admin login portal we found. To do this we'll need the info from the form and the page, so let's copy down all of it:

We're also going to need to grab a web request from Firefox's web developer tools. Just open the Network tab, submit some info into the form and grab the request. When we submit, we should get a response back, and we need to grab that info too.

K, so let's break this down a bit, 'cause if this is your first time (like me) it's a bit to put together. Thank you to Null Byte ( https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/ ):

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.123.199 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^&p=Login:username or password invalid"

Okay, so we start with the hydra command and then break out each item we gathered:

- -l: the username we got from the source code on the page
- -P: the password list we're using (rockyou in this case)
- http-post-form: use POST to send the data to the form

The next part is where it gets tricky.

- /admin/index.php: the page where the form is hosted
- user=^USER^: the first part is the form field name we got from the page, the second half is a placeholder that hydra fills from the -l switch above
- pass=^PASS^: like the user part, but the ^PASS^ placeholder is filled from our rockyou.txt list of passwords
- p=Login: this is the bad-login response we get. The response is held in a <p> HTML element and we're simply telling hydra this is the Login response
- Username or password invalid: the ACTUAL response text the server returns when a login fails
What is the user:password of the admin panel? admin:xavier

When we click on that link we get a text file with an encrypted RSA private key.


We use ssh2john to convert it to a hash, then use John the Ripper to crack it.

What is John's RSA Private Key passphrase? rockinroll

Okay, so now we should be able to ssh into john's account. First we need to change the permissions on the id_rsa file we downloaded by using

chmod 400 id_rsa

Then we use this to connect:

ssh john@[ip] -i id_rsa

It will ask for the key's passphrase, which we provide from the crack, and we're in! Let's cat out user.txt.

user.txt THM{a_password_is_not_a_barrier}

The web flag we got from the /admin login page:

web flag THM{brut3_f0rce_is_e4sy}

Let's check what we're allowed to run with sudo:

Looks like we don't need a password to run cat as admin. So let's just cat out that file.

Unfortunately, that's not really the way they want us to do it, because they want us to find the root password, so let's look around for a bit.

Using the same command we can read /etc/shadow to get all the password hashes:

root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::

We copy that to a file on our local attack box and then use John to crack it.

What is root's password? football

We COULD su to root and get the file but we've already got it earlier ;)

root.txt THM{pr1v1l3g3_3sc4l4t10n}

©2022 by AlderN00b. Proudly created with Wix.com
