Brute It - THM

In this box you will learn about:

- Brute-force

- Hash cracking

- Privilege escalation

Connect to the TryHackMe network, and deploy the machine.

Enumerate

Next we'll check out for hidden directories with gobuster

Always a good idea to check the source code.

We also want to make sure we fully enumerate so we're going to run gobuster again, telling it to look inside the admin directory too.

For the next part, we're needing to brute force the admin login portal we found. In order to do this we'll need the info from the form and the page so let's copy down all the info:

We're also going to need to grab a web request from the Mozilla web tools. Just open the network tab, submit some info into the form and get the request. When we submit some info we should get a response back and we need to grab that info too.

K, so let's break this down a bit 'cause if this is your first time (like me), it was a bit to put together - thank you to Null Byte ( https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/ ):

hydra -l admin -P /usr/share/wordlist/rockyou.txt 10.10.123.199 http-post-form "/admin/index.php:user=^USER^&pass=^PASS^&p=Login:username or password invalid"

Okay so we start with the hydra command and then break each item we gathered out

-l The username we got from the source code on the page
-P The password list we're using (rockyou in this case)
http-post-form use POST to send to the form

The next part is where it gets tricky.

/admin/index.php The page where the form is hosted
user=^USER^ the first part is the form field name we got from the page, the second half is a variable place holder that's passed from the -l switch above
pass=^PASS^ is like the user part but the ^PASS^ variable will be filled from our rockyou.txt list of passwords
p=Login this is the response of bad login we get. The response is held in a <p> html field and we're simply telling this is the Login response
Username or password invalid is the ACTUAL response we get from the server if it fails.

When we click on that link we get a text file with an RSA key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E32C44CDC29375458A02E94F94B280EA

JCPsentybdCSx8QMOcWKnIAsnIRETjZjz6ALJkX3nKSI4t40y8WfWfkBiDqvxLIm
UrFu3+/UCmXwceW6uJ7Z5CpqMFpUQN8oGUxcmOdPA88bpEBmUH/vD2K/Z+Kg0vY0
BvbTz3VEcpXJygto9WRg3M9XSVsmsxpaAEl4XBN8EmlKAkR+FLj21qbzPzN8Y7bK
HYQ0L43jIulNKOEq9jbI8O1c5YUwowtVlPBNSlzRMuEhceJ1bYDWyUQk3zpVLaXy
+Z3mZtMq5NkAjidlol1ZtwMxvwDy478DjxNQZ7eR/coQmq2jj3tBeKH9AXOZlDQw
UHfmEmBwXHNK82Tp/2eW/Sk8psLngEsvAVPLexeS5QArs+wGPZp1cpV1iSc3AnVB
VOxaB4uzzTXUjP2H8Z68a34B8tMdej0MLHC1KUcWqgyi/Mdq6l8HeolBMUbcFzqA
vbVm8+6DhZPvc4F00bzlDvW23b2pI4RraI8fnEXHty6rfkJuHNVR+N8ZdaYZBODd
/n0a0fTQ1N361KFGr5EF7LX4qKJz2cP2m7qxSPmtZAgzGavUR1JDvCXzyjbPecWR
y0cuCmp8BC+Pd4s3y3b6tqNuharJfZSZ6B0eN99926J5ne7G1BmyPvPj7wb5KuW1
yKGn32DL/Bn+a4oReWngHMLDo/4xmxeJrpmtovwmJOXo5o+UeEU3ywr+sUBJc3W8
oUOXNfQwjdNXMkgVspf8w7bGecucFdmI0sDiYGNk5uvmwUjukfVLT9JPMN8hOns7
onw+9H+FYFUbEeWOu7QpqGRTZYoKJrXSrzII3YFmxE9u3UHLOqqDUIsHjHccmnqx
zRDSfkBkA6ItIqx55+cE0f0sdofXtvzvCRWBa5GFaBtNJhF940Lx9xfbdwOEZzBD
wYZvFv3c1VePTT0wvWybvo0qJTfauB1yRGM1l7ocB2wiHgZBTxPVDjb4qfVT8FNP
f17Dz/BjRDUIKoMu7gTifpnB+iw449cW2y538U+OmOqJE5myq+U0IkY9yydgDB6u
uGrfkAYp6NDvPF71PgiAhcrzggGuDq2jizoeH1Oq9yvt4pn3Q8d8EvuCs32464l5
O+2w+T2AeiPl74+xzkhGa1EcPJavpjogio0E5VAEavh6Yea/riHOHeMiQdQlM+tN
C6YOrVDEUicDGZGVoRROZ2gDbjh6xEZexqKc9Dmt9JbJfYobBG702VC7EpxiHGeJ
mJZ/cDXFDhJ1lBnkF8qhmTQtziEoEyB3D8yiUvW8xRaZGlOQnZWikyKGtJRIrGZv
OcD6BKQSzYoo36vNPK4U7QAVLRyNDHyeYTo8LzNsx0aDbu1rUC+83DyJwUIxOCmd
6WPCj80p/mnnjcF42wwgOVtXduekQBXZ5KpwvmXjb+yoyPCgJbiVwwUtmgZcUN8B
zQ8oFwPXTszUYgNjg5RFgj/MBYTraL6VYDAepn4YowdaAlv3M8ICRKQ3GbQEV6ZC
miDKAMx3K3VJpsY4aV52au5x43do6e3xyTSR7E2bfsUblzj2b+mZXrmxst+XDU6u
x1a9TrlunTcJJZJWKrMTEL4LRWPwR0tsb25tOuUr6DP/Hr52MLaLg1yIGR81cR+W
-----END RSA PRIVATE KEY-----

We use ssh2john to convert it to a hash then use john the ripper to crack.

Okay so now we should be able to ssh into johns account. First we need to change the permissions on the rsa_id file we downloaded by using

chmod 400 id_rsa

The we use this to connect

ssh john@[ip] -i id_rsa

It will ask you for a password, which we provide from the crack and we're in! Let's cat out the user.txt

The web flag we got from the /admin login page

Let's check what we have sudo to:

Looks like we don't need a password to run cat as admin. So let's just cat out that file

Unfotunately that's not really the way they want us to do it because they want us to find the root password so let's look around for a bit.

Using the same command we can read the /etc/shadow file to get all the password hashes

root:$6$zdk0.jUm$Vya24cGzM1duJkwM5b17Q205xDJ47LOAg/OpZvJ1gKbLF8PJBdKJA4a6M.JYPUTAaWu4infDjI88U9yUXEVgL.:18490:0:99999:7:::

We copy that to a file on our local attack box and then use John to crack it.

We COULD su to root and get the file but we've already got it earlier ;)