Sunday, May 12, 2024

Brute It: TryHackMe Walkthrough

This walkthrough covers brute-force attacks, hash cracking and privilege escalation. Along the way we rely on Nmap, Gobuster, Hydra and John the Ripper, so some familiarity with those tools helps.


Figure-1

To access the Brute It room and embark on this learning journey, kindly follow this link: TryHackMe | Brute It

Let's get started!


Task-1: Deploy the machine.

Figure-2

Task-2: Reconnaissance.

In this instance, the box lives at 10.10.186.229. Let's get things started with a quick Nmap scan:
Command: nmap -A -sV -sC -Pn 10.10.186.229

Before attacking, let's get information about the target.

Figure-3


Answer the questions below
Search for open ports using nmap.

Question-1: How many ports are open?
Answer-1: 2

Question-2: What version of SSH is running?
Answer-2: OpenSSH 7.6p1

Question-3: What version of Apache is running?
Answer-3: 2.4.29

Question-4: Which Linux distribution is running?
Answer-4: ubuntu

Figure-4


Search for hidden directories on the web server.
Question-5: What is the hidden directory?
Answer-5: /admin


Task-3: Getting a Shell.

Visiting the /admin directory, we find a login form requiring a username and a password:

Figure-5

Let’s check the page source for more information about the web page. 

Figure-6

We have a username: admin. Now we need the password. With the username known, we can brute force the password with Hydra. A failed login returns the page with the text "Username or password invalid", which is what Hydra uses to tell a failed attempt from a successful one.
Command: hydra -l admin -P rockyou.txt <IP Machine> http-post-form "/admin/:user=^USER^&pass=^PASS^&login=Login:Username or password invalid"

Figure-7

Find a form to get a shell on SSH.
Answer the questions below

Question-1: What is the user:password of the admin panel?
Answer-1: admin:xavier

Figure-8


Now that we have a password, we can log in to the website. We find an interesting message and a flag.



Figure-9

Once you click the RSA private key link that is itching to be clicked, you get the key; copy it to your local machine.

ssh2john converts the RSA private key into a hash format that John the Ripper can work on.
Command: ssh2john id_rsa > hash

With John the Ripper we can brute force the key's passphrase using the rockyou.txt wordlist:
Command: john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH hash

Figure-10

Crack the RSA key you found.

Question-2: What is John's RSA Private Key passphrase?
Answer-2: rockinroll


Using the RSA key and the passphrase we can connect to the SSH server. ssh refuses a private key whose permissions are too open, so before using it we need to restrict the rights on the key.
Command: chmod 600 id_rsa

Then connect, entering the passphrase we just cracked when prompted.
Command: ssh -i id_rsa john@Machine_IP

Figure-11

We got a shell over SSH as the user john and also got the user flag.

Question-3: User.txt
Answer-3: THM{a_password_is_not_a_barrier}

Question-4: Web flag
Answer-4: THM{brut3_f0rce_is_e4sy}


Task-4: Privilege Escalation.

Now we need to escalate our privileges.
Let's enumerate what the current user is allowed to run with sudo:
Command: sudo -l

Figure-12

Since cat can be run as root, we can read files that are normally off limits: this gives us the root user's password hash, and the root flag as well.
Command: sudo cat /root/root.txt

Figure-13

Copy the root password hash into a file (named file below) and use John to crack it.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt file


This gives us the password for the root user: "football".

We have successfully rooted the box.
Thank you!!!

Wednesday, May 8, 2024

TryHackMe:RootMe Walkthrough

RootMe is an introductory-level box available on the TryHackMe platform, designed to assess your skills in directory busting and exploiting unrestricted file upload vulnerabilities. Before delving into this walkthrough, I highly recommend attempting to solve the challenges presented in the room independently. This approach not only enhances your learning experience but also reinforces your understanding of the concepts involved.

FIGURE-1

To access the RootMe room and embark on this learning journey, kindly follow this link: https://tryhackme.com/room/rrootme

Let's dive in!!


Task-1: Deploy the machine.

FIGURE-2



Task-2: Reconnaissance.

In this instance, the box lives at 10.10.138.73. Let's get things started with a quick Nmap scan:
Command: nmap -sV -sC 10.10.138.73

First, let's get information about the target.

Figure-3


Answer the questions below

Question-1: Scan the machine, how many ports are open?
Answer-1: 2

Question-2: What version of Apache is running?
Answer-2: 2.4.29

Question-3: What service is running on port 22?
Answer-3: ssh

Question-4: Find directories on the web server using the GoBuster tool.
Answer-4: No answer needed


Figure-4

Question-5: What is the hidden directory?
Answer-5: /panel/

FIGURE-5

Looks like we have an upload form here! Any file uploaded here lands in /uploads, so we have an easy way to execute whatever we upload to the server.


Task-3: Getting a shell.

Find a form to upload and get a reverse shell, and find the flag.

Now try to upload a PHP reverse shell and execute it from the /uploads directory.

For this, I will be using the infamous php-reverse-shell.php from pentestmonkey. You can grab it here: php-reverse-shell

Just copy and paste this code into a text file, and change the information below:

Figure-6

Once this is changed, save it as a .php file and it is ready for upload. Go to the upload form on the website and select the file as you normally would:

When you click upload, it turns out the server is not accepting .php files. What do we do in that case? PHP code can be served under other extensions as well; a quick look on Google shows alternatives such as .php3, .php4, .php5, .php7, .phtml and .pht.

Figure-7

This is trial and error now: we need to see which one is accepted, so we simply rename the file with a different extension. I changed the extension to .php5 and it was accepted by the server.

Figure-8
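As an added example (not code from the original walkthrough or the room), the two sides of the upload check just described: a blacklist that rejects only ".php", which the renamed .php5 file walks straight past, beside an allowlist version that also requires a simple single-extension name and checks the file's magic bytes. The filenames and file contents are constructed for this example.

```python
import os
import re

# 'Before': the upload form appears to reject only the literal ".php" extension;
# everything else, including the alternative PHP extensions, gets through.
BLOCKED_EXTENSIONS = {".php"}

def blacklist_allows(filename):
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS

# 'After': accept only a short allowlist of image types, insist on a simple
# single-extension name, and check the content starts with that type's magic bytes.
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[a-z]{3,4}$")   # no dots before the extension

def allowlist_allows(filename, first_bytes):
    """True only if the name is simple, the extension is allowlisted and the
    first bytes match the magic number of the claimed type."""
    if not SAFE_NAME.match(filename):          # blocks "shell.php5", "x.php.png", "../a.png"
        return False
    magic = ALLOWED_MAGIC.get(os.path.splitext(filename)[1].lower())
    return magic is not None and first_bytes.startswith(magic)

# Constructed upload attempts: renamed PHP files versus a file with a real PNG header.
ATTEMPTS = [
    ("shell.php",     b"<?php echo 1; ?>"),
    ("shell.php5",    b"<?php echo 1; ?>"),
    ("shell.phtml",   b"<?php echo 1; ?>"),
    ("shell.php.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
    ("photo.png",     b"\x89PNG\r\n\x1a\n\x00\x00"),
    ("photo.png",     b"<?php echo 1; ?>"),
]

def compare(attempts=ATTEMPTS):
    """Return [(filename, blacklist_verdict, allowlist_verdict), ...]."""
    return [(name, blacklist_allows(name), allowlist_allows(name, data)) for name, data in attempts]
```

Even with the allowlist in place, the uploads directory should not be served with a script handler, since an extension check on its own is not a complete defence.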

Now we need to go to ip_addr/uploads/, with our netcat listener already running in the terminal, and open the uploaded file.

Figure-9

Success! We now have a shell on this machine.


Answer the questions below

Question-1: user.txt

Answer-1: THM{y0u_g0t_a_sh3ll}


Task-4: Privilege escalation.

Now that we have a shell, let's escalate our privileges to root.
Search for files with SUID permission, which file is weird? We need to run the command find / -user root -perm /4000. What does it mean? It looks for files owned by root that have the SUID bit set, which run with root's privileges no matter who starts them. We need to look carefully at the output to find which file can be abused to gain root access.

Figure-11


Answer the questions below

Question-1: Search for files with SUID permission, which file is weird?
Answer-1: /usr/bin/python

Question-2: Find a form to escalate your privileges.
Answer-2: No answer needed
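As an added example (not from the original walkthrough), a small audit script that takes the output of the find command above, drops the "Permission denied" noise find prints when stderr is not redirected, and reports SUID-root binaries that are missing from an assumed baseline, flagging the ones known to spawn a shell. The listing, the baseline and the GTFOBins subset are constructed for this example.

```python
import os

# Constructed output of `find / -user root -perm /4000` on an Ubuntu-like host
# (not the real listing from the room); without 2>/dev/null, find's own error
# lines land in the same stream, so the parser has to skip them.
SAMPLE_FIND_OUTPUT = """\
find: '/proc/1/task/1/fd': Permission denied
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python
/usr/bin/newgrp
/bin/mount
/bin/su
find: '/root': Permission denied
"""

# Assumed baseline: SUID-root binaries a stock install is expected to carry.
# A real audit would generate this from a clean image of the same release.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp", "/bin/mount", "/bin/su"}

# Basenames that GTFOBins documents as giving a shell when SUID (a subset).
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "bash", "sh", "find", "vim"}

def parse_find_output(text):
    """Keep absolute paths only; 'Permission denied' and other noise is dropped."""
    return [ln.strip() for ln in text.splitlines() if ln.startswith("/")]

def audit_suid(paths, baseline=BASELINE):
    """Return (unexpected, dangerous): SUID paths missing from the baseline, and
    the subset whose basename is a known shell-spawning binary."""
    unexpected = sorted(p for p in paths if p not in baseline)
    dangerous = [p for p in unexpected if os.path.basename(p) in SHELL_CAPABLE]
    return unexpected, dangerous

def audit_text(text=SAMPLE_FIND_OUTPUT):
    return audit_suid(parse_find_output(text))
```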

How do we exploit it? Go to GTFOBins and look up the Python entry. We need this one:

Figure-12

This is super simple now: we just need to copy this command into our user shell.
Command: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Only the second part of the GTFOBins listing is needed here, since the binary already has the SUID bit set on this box. Type whoami to confirm that we are indeed root now.

Figure-13

Question-3: root.txt
Answer-3: THM{pr1v1l3g3_3sc4l4t10n}





Hope you enjoy my writeup.


